IRC log for #metacpan, 2014-01-07

All times shown according to UTC.

Time Nick Message
02:32 omega https://metacpan.org/changes/release/RJBS/perl-5.18.2 has a broken link to https://metacpan.org/pod/perlrepository
02:32 dipsy [ perldelta - what is new for perl v5.18.2 - metacpan.org - Perl programming language ]
02:57 klapperl joined #metacpan
02:59 rwstauner i wonder if that's one of the ones that are built
03:00 rwstauner i guess that's a bit of a problem, b/c those links come from the pod::parser, we don't have the opportunity to check if that link is indexed or not
03:05 rwstauner i made an issue: #1032
03:23 omega https://metacpan.org/pod/release/RJBS/perl-5.18.2/pod/perlrepository.pod
03:23 dipsy [ perlrepository - Links to current information on the Perl source repository - metacpan.org - Perl programming language ]
03:23 omega it is there at least
03:24 omega ahh, perl-5.18.1 is still "latest"
03:24 omega ?
03:24 omega maybe just not indexed yet
04:36 preflex_ joined #metacpan
05:00 oalders just indexed latest perl
05:03 omega oalders++
05:03 oalders :)
06:09 thaljef joined #metacpan
06:39 bowtie_ joined #metacpan
06:53 thaljef Hey, do you have any statistics on search keywords used on metacpan.org?  I'm looking for the top 10 or so most frequently used.
08:13 dpetrov_ joined #metacpan
09:05 testsadasd joined #metacpan
09:10 pokki joined #metacpan
09:11 pokki I assume you guys already know, but metacpan.org's certificate seems to have expired five minutes ago
09:15 ranguard oalders: ?? ^^ ??
09:15 ranguard pokki: that was meant to have been renewed :(
09:18 pokki metacpan.org uses an invalid security certificate. The certificate expired on 01/07/2014 10:05 AM. The current time is 01/07/2014 10:17 AM.
09:18 pokki quoth Firefox
09:20 ranguard ummmmm, ummmm
09:20 tokuhirom joined #metacpan
09:23 omega who can renew it?
09:26 * ranguard is trying to look - problem I think the account was with Clinton and it hasn't got transferred
09:28 ranguard yea, need a new one - anyone recommend a quick SSL provider?
09:32 omega we apparently use Comodo at work, but don't know if they are fast or not
09:35 ranguard wow, so many of these SSL companies seem to fail with instructions!
09:39 thaljef I've used Comodo too.  Usually able to get a cert within 15 minutes or so.
09:41 * ranguard is trying them
10:01 ranguard arrg, not getting anywhere fast
10:02 ranguard oh, maybe got something
10:13 BinGOs oh you already know about the certificate
10:20 * ranguard is trying something now, but I've not done this in years
10:21 ranguard feck - wrong domain name, should have stopped to think!
10:28 sivoais_ joined #metacpan
10:28 * BinGOs revokes ranguard
10:30 priodev joined #metacpan
10:39 ranguard bugger, now I can't use the free 90 day trial
10:46 omega I can pay if needed, within reasonable amounts at least :)
10:53 ranguard sent email to their support after a chat with them
10:54 klapperl_ joined #metacpan
11:02 omega ok, let's hope they can fix it
11:02 omega but if you need someone to pay after those 90 days, let me know :)
11:05 ranguard yea, if not sorted in the next hour I'll pay
11:26 Khisanth joined #metacpan
11:45 * ranguard tries again
11:46 ranguard please test!
11:48 pokki metacpan.org uses an invalid security certificate. The certificate is not trusted because no issuer chain was provided.
11:48 BinGOs yeah, you not fucked it up this time.
11:48 BinGOs worked for me.
11:48 ranguard pokki: please try refresh
11:49 pokki still
11:49 ranguard anyone else?
11:49 pokki it's a different error message than this morning, though.
11:49 dipsy anyone else is welcome to pay attention, but they don't seem to be
11:49 BinGOs I'll have a look in openssl s_client
11:51 BinGOs http://paste.scsys.co.uk/289949
11:51 dipsy [ magnet_web paste from "BinGOs" at 217.168.150.38... ]
11:52 BinGOs it looks like it is not giving the full chain.
11:52 mo_ ranguard: was there an intermediate certificate that we need to include?
11:52 mo_ no warning for me either though
11:53 ranguard ahh, might have been - I forgot about that.. hold on
11:53 BinGOs as a Comodo certificate customer I already have all the Comodo certificate chains installed.
11:54 ranguard so, should I put all their .crt files in the .pem ?
11:54 BinGOs I would go for 'yes', though my experience with ssl certs is mainly in Windows environments.
11:55 mo_ just try the essentialsSSLCA first
11:55 mo_ order matters too iirc
11:56 BinGOs yarp.
11:56 mo_ ours comes first, iirc
11:57 BinGOs I've just checked a certificate I did for one of our Apache servers on FreeBSD, using a cert signed by our enterprise CA and I put the full cert chain in the pem file.
11:58 BinGOs do you ever get the impression that ssl certs are a dark art?
12:04 ranguard please try now
12:04 ranguard (probably broken it differently!)
12:05 ranguard pokki: ?
12:05 haarg working for me
12:07 * ranguard would like to thank $work for not noticing this is what I've done all morning!
12:07 * ranguard gets back to $day_job!
12:08 ranguard we do need to look at getting a longer term solution (this is just a 90 day free cert)
12:13 BinGOs it looks good. and it has worked for my colleague who was having issues too.
12:14 BinGOs ranguard++
12:15 mo_ pretty sad that they send out the private key by email
12:17 ranguard private key? - they never get the original key?
12:18 ranguard although not sure why they're emailing anything - I downloaded it through their web UI
12:18 ranguard their support was really fast and helpful
12:44 BinGOs we have Comodo certs, but they are actually being bought through JA.net
13:23 pokki ranguard: sorry, was away for lunch break
13:23 pokki ranguard: still the same error, but it looks like this is a Firefox issue (according to the internets)
13:24 ranguard pokki: oh, ok, well I'm not sure what else to do - if you get details please open a ticket
13:24 pokki sure
13:25 pokki well, FWIW, it works in Chromium now
13:25 ranguard \o/
13:51 pokki ranguard: just to check I ssh'd to a debian machine
13:51 pokki $ curl -i https://metacpan.org
13:51 pokki curl: (60) SSL certificate problem: unable to get local issuer certificate
13:51 pokki More details here: http://curl.haxx.se/docs/sslcerts.html
13:51 pokki [snip]
13:51 dipsy [ Search the CPAN - metacpan.org - Perl programming language ]
13:54 pokki I can get the comodo home page fine though, which uses the same root CA but a different intermediate cert
14:25 * rwstauner notices that dipsy doesn't seem to have a cert problem ;-)
15:09 oalders ranguard++ # fixing the cert i forgot to renew
16:34 tianon joined #metacpan
19:43 cooper joined #metacpan
19:44 grantm joined #metacpan
21:08 BinGOs just thought I'd check this evening with chrome and firefox on my mint box at home
21:09 BinGOs chrome fine. firefox bleats that it can't validate the certificate as the issuer is unknown
21:12 oalders BinGOs: OS + version?
21:13 BinGOs Linux Mint 15 Olivia
21:13 BinGOs Firefox 26.0
21:14 oalders BinGOs: care to add that here? https://github.com/CPAN-API/metacpan-web/issues/1034
21:14 dipsy [ metacpan.org seems to use invalid or incomplete certificate · Issue #1034 · CPAN-API/metacpan-web · GitHub ]
21:15 BinGOs done.
21:16 oalders BinGOs++
21:17 BinGOs I'm having a look at what openssl s_client is telling me and what chrome is telling me.
21:18 BinGOs there are 5 certificates in the chain, according to chrome
21:18 BinGOs openssl is only reporting 4
21:19 BinGOs I'll marry the thumbprints and see what is missing.
21:19 oalders thanks! this kind of stuff is a real pain to troubleshoot
21:20 BinGOs I suspect it is one of the intermediates
21:20 BinGOs shockingly is relatively straight-forward cert usage
21:20 BinGOs s!is!this is!
21:22 BinGOs the most fun I have had recently is painstakingly constructing a certificate chain by hand for a finickity Cisco appliance
21:22 BinGOs which had to be transferred by TFTP and it gave no useful feedback why it didn't like the effing cert
21:23 oalders heh
21:26 BinGOs I believe that the root issuer cert is missing from the chain.
21:27 BinGOs "AddTrust External CA Root"
21:34 daxim joined #metacpan
21:38 oalders should that be in the intermediate cert?
21:39 trs BinGOs: the root issuer doesn't need to be in the chain, because it will be distributed with the list of trusted roots on clients.
21:39 trs the issue appears to be one of chain order: http://zulutango.net/~tom/paste/2014-01-07NVQ058qp-metacpan-ssl-chain
21:39 trs and potentially the mismatch between  i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=EssentialSSL CA and s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO Certification Authority
21:40 trs with the numbering in my paste, the order should be 0, 2, 3, 1
21:41 BinGOs oh good call.
21:42 BinGOs I blame this tiny eeepc screen, I couldn't have the two things side by side.
21:44 BinGOs I concur, wrong ordering.
21:45 BinGOs crypto's hard, let's go shopping!
21:48 alh BinGOs++
21:52 oalders what's the fix here? re-ordering the keys in server.crt or is it something else?
21:52 trs the EssentialSSL CA cert is also missing to chain between the metacpan cert and COMODO Certification Authority intermediate
21:53 trs but yeah, reorder keys I believe. I assume you're using nginx not apache?
21:54 trs oalders: you want this order, then insert the missing cert between 0 and 2: http://zulutango.net/~tom/paste/2014-01-07SvsqrKeX-ordered-metacpan-ssl-chain
21:54 trs oalders: you can check what you're getting from the server with: echo QUIT | openssl s_client -connect metacpan.org:443 2>&1 | less
21:55 oalders i had initially just re-ordered the 4 keys but got "SSL_CTX_use_PrivateKey_file("/var/www/metacpan.org/ssl/server.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)"
21:55 trs and the metacpan cert is first?
21:56 oalders i had just moved key 1 to the end of the file
21:57 oalders to get 0, 2, 3, 1
21:57 oalders but i hadn't inserted the missing cert
21:57 BinGOs I just know that IIS just does this for you automagically :p
21:59 oalders found the EssentialSSL CA cert. i'll try adding that
22:00 trs oalders: you can check the order of the bundle using openssl x509 -noout -text < bundle.crt
22:02 oalders i wish i could make sense of that ;)
22:04 trs ... | grep Subject:
22:05 oalders https://gist.github.com/oalders/98c91a35aab5e2275019
22:05 dipsy [ gist:98c91a35aab5e2275019 ]
22:06 trs oh, maybe it's only showing the first in the chain. I thought it would print out all certs in the input.
22:06 trs hmm.
22:06 oalders i re-ordered the certs and added the EssentialSSL CA cert and i still get the key values mismatch error
22:07 trs oalders: paste the full bundle you put together?
22:07 trs and your nginx conf?
22:07 oalders sure
22:08 * trs just learned about openssl x509's -subject option :)
22:10 trs oalders: what cert issuer was metacpan using before, and would it be better/is it possible to renew that one instead of futzing with the 90day free cert?
22:10 oalders trs: https://gist.github.com/oalders/7175e747025052206863
22:10 dipsy [ gist:7175e747025052206863 ]
22:11 trs oalders: oh damn, you just included the private key
22:11 trs also, there are formatting issues in one of the certs (line break in header)
22:11 oalders well, the private key is in puppet anyway
22:12 BinGOs backpedal!
22:12 trs private key shouldn't be public!
22:13 oalders trs: you mean the extra line break between certs
22:13 oalders yeah, i just noticed a key in puppet
22:13 BinGOs trs: yeah, the clue is in the name isn't it.
22:13 oalders it does make you wonder
22:13 trs oalders: no, sorry, not a line break, but missing header.
22:13 trs the line starts with: "N CERTIFICATE-----"
22:14 trs instead of "-----BEGIN CERTIFICATE---"
22:14 oalders fixed that. doesn't fix the error.  but yeah, maybe we should go with the previous cert provider
22:14 trs empty line shouldn't matter, but maybe it does
22:14 oalders this is just something ranguard whipped up in a hurry while i was still sleeping
22:14 trs nod
22:15 chmrr joined #metacpan
22:15 trs it's only good till april
22:15 trs the previous cert provider will presumably be a) not as much of a pain and b) longer lasting :)
22:16 oalders it's https://www.startssl.com
22:16 dipsy [ StartSSL™ Certificates & Public Key Infrastructure ]
22:16 trs but anyway, it's time to generate a new private key and csr and use that to get a new cert anyway.
22:16 oalders yep :)
22:16 trs otherwise "oh hai, I'm decrypting your ssl traffic"
22:18 oalders yeah. the key in puppet is not the one we're using and i've deleted that gist now.
22:18 oalders will start fresh...
22:19 trs oalders++
22:19 oalders trs++, BinGOs++
22:52 oalders so, that key in puppet is a fallback for non-production deployments https://github.com/CPAN-API/metacpan-puppet/blob/master/modules/nginx/manifests/vhost.pp#L42
22:52 dipsy [ metacpan-puppet/modules/nginx/manifests/vhost.pp at master · CPAN-API/metacpan-puppet · GitHub ]
22:52 oalders as ranguard pointed out to me