From minfrin at redwax.eu Sat Feb 8 15:19:40 2020
From: minfrin at redwax.eu (Graham Leggett)
Date: Sat, 8 Feb 2020 16:19:40 +0200
Subject: [rs-dev] [Vote] Release Redwax Server mod_ca v0.2.2
Message-ID: <5C916567-4F49-4974-9B0E-4F6547C3EA58@redwax.eu>

Hi all,

Calling for a vote to release mod_ca v0.2.2 at https://source.redwax.eu/svn/dist/rs/dev/.

[ ] +1: It's not just good, it's good enough!
[ ] +0: Let's have a talk.
[ ] -1: There's trouble in paradise. Here's what's wrong.

To approve the release (+1 is not enough), do the following:

- Check out https://source.redwax.eu/svn/dist/rs/dev/
- Run "make verify" to verify the existing signatures.
- Run "make sign" to add your signature to the list of signatures.
- Check in your signatures.

Release process is here: https://redwax.eu/rw/releases/

Regards,
Graham

From minfrin at sharp.fm Sat Feb 8 15:20:36 2020
From: minfrin at sharp.fm (Graham Leggett)
Date: Sat, 8 Feb 2020 16:20:36 +0200
Subject: [rs-dev] [Vote] Release Redwax Server mod_crl v0.2.3
Message-ID:

Hi all,

Calling for a vote to release mod_crl v0.2.3 at https://source.redwax.eu/svn/dist/rs/dev/.

[ ] +1: It's not just good, it's good enough!
[ ] +0: Let's have a talk.
[ ] -1: There's trouble in paradise. Here's what's wrong.

To approve the release (+1 is not enough), do the following:

- Check out https://source.redwax.eu/svn/dist/rs/dev/
- Run "make verify" to verify the existing signatures.
- Run "make sign" to add your signature to the list of signatures.
- Check in your signatures.

Release process is here: https://redwax.eu/rw/releases/

Regards,
Graham

From minfrin at sharp.fm Sat Feb 8 15:21:07 2020
From: minfrin at sharp.fm (Graham Leggett)
Date: Sat, 8 Feb 2020 16:21:07 +0200
Subject: [rs-dev] [Vote] Release Redwax Server mod_csr v0.2.3
Message-ID: <6BC9135B-EF6F-4144-9D3B-DB62A2ECBD60@sharp.fm>

Hi all,

Calling for a vote to release mod_csr v0.2.3 at https://source.redwax.eu/svn/dist/rs/dev/.

[ ] +1: It's not just good, it's good enough!
[ ] +0: Let's have a talk.
[ ] -1: There's trouble in paradise. Here's what's wrong.

To approve the release (+1 is not enough), do the following:

- Check out https://source.redwax.eu/svn/dist/rs/dev/
- Run "make verify" to verify the existing signatures.
- Run "make sign" to add your signature to the list of signatures.
- Check in your signatures.

Release process is here: https://redwax.eu/rw/releases/

Regards,
Graham

From minfrin at redwax.eu Sat Feb 8 15:21:43 2020
From: minfrin at redwax.eu (Graham Leggett)
Date: Sat, 8 Feb 2020 16:21:43 +0200
Subject: [rs-dev] [Vote] Release Redwax Server mod_ocsp v0.2.2
Message-ID: <0B48B44B-C4D9-4165-9A2C-3D2E5EC64F75@redwax.eu>

Hi all,

Calling for a vote to release mod_ocsp v0.2.2 at https://source.redwax.eu/svn/dist/rs/dev/.

[ ] +1: It's not just good, it's good enough!
[ ] +0: Let's have a talk.
[ ] -1: There's trouble in paradise. Here's what's wrong.

To approve the release (+1 is not enough), do the following:

- Check out https://source.redwax.eu/svn/dist/rs/dev/
- Run "make verify" to verify the existing signatures.
- Run "make sign" to add your signature to the list of signatures.
- Check in your signatures.

Release process is here: https://redwax.eu/rw/releases/

Regards,
Graham

From minfrin at redwax.eu Sat Feb 8 15:22:23 2020
From: minfrin at redwax.eu (Graham Leggett)
Date: Sat, 8 Feb 2020 16:22:23 +0200
Subject: [rs-dev] [Vote] Release Redwax Server mod_pkcs12 v0.2.2
Message-ID: <43988474-222F-4A63-89B8-1D526F3B68B8@redwax.eu>

Hi all,

Calling for a vote to release mod_pkcs12 v0.2.2 at https://source.redwax.eu/svn/dist/rs/dev/.

[ ] +1: It's not just good, it's good enough!
[ ] +0: Let's have a talk.
[ ] -1: There's trouble in paradise. Here's what's wrong.

To approve the release (+1 is not enough), do the following:

- Check out https://source.redwax.eu/svn/dist/rs/dev/
- Run "make verify" to verify the existing signatures.
- Run "make sign" to add your signature to the list of signatures.
- Check in your signatures.

Release process is here: https://redwax.eu/rw/releases/

Regards,
Graham

From minfrin at sharp.fm Sat Feb 8 15:23:07 2020
From: minfrin at sharp.fm (Graham Leggett)
Date: Sat, 8 Feb 2020 16:23:07 +0200
Subject: [rs-dev] [Vote] Release Redwax Server mod_scep v0.2.3
Message-ID: <45F62DA6-D9A9-409C-B7E7-8FB2329AB02F@sharp.fm>

Hi all,

Calling for a vote to release mod_scep v0.2.3 at https://source.redwax.eu/svn/dist/rs/dev/.

[ ] +1: It's not just good, it's good enough!
[ ] +0: Let's have a talk.
[ ] -1: There's trouble in paradise. Here's what's wrong.

To approve the release (+1 is not enough), do the following:

- Check out https://source.redwax.eu/svn/dist/rs/dev/
- Run "make verify" to verify the existing signatures.
- Run "make sign" to add your signature to the list of signatures.
- Check in your signatures.

Release process is here: https://redwax.eu/rw/releases/

Regards,
Graham

From minfrin at sharp.fm Sat Feb 8 15:23:48 2020
From: minfrin at sharp.fm (Graham Leggett)
Date: Sat, 8 Feb 2020 16:23:48 +0200
Subject: [rs-dev] [Vote] Release Redwax Server mod_spkac v0.2.2
Message-ID:

Hi all,

Calling for a vote to release mod_spkac v0.2.2 at https://source.redwax.eu/svn/dist/rs/dev/.

[ ] +1: It's not just good, it's good enough!
[ ] +0: Let's have a talk.
[ ] -1: There's trouble in paradise. Here's what's wrong.

To approve the release (+1 is not enough), do the following:

- Check out https://source.redwax.eu/svn/dist/rs/dev/
- Run "make verify" to verify the existing signatures.
- Run "make sign" to add your signature to the list of signatures.
- Check in your signatures.

Release process is here: https://redwax.eu/rw/releases/

Regards,
Graham

From minfrin at sharp.fm Sat Feb 8 15:24:17 2020
From: minfrin at sharp.fm (Graham Leggett)
Date: Sat, 8 Feb 2020 16:24:17 +0200
Subject: [rs-dev] [Vote] Release Redwax Server mod_timestamp v0.2.2
Message-ID: <36FD6C85-7EB1-4C21-8482-93C9BF64849C@sharp.fm>

Hi all,

Calling for a vote to release mod_timestamp v0.2.2 at https://source.redwax.eu/svn/dist/rs/dev/.

[ ] +1: It's not just good, it's good enough!
[ ] +0: Let's have a talk.
[ ] -1: There's trouble in paradise. Here's what's wrong.

To approve the release (+1 is not enough), do the following:

- Check out https://source.redwax.eu/svn/dist/rs/dev/
- Run "make verify" to verify the existing signatures.
- Run "make sign" to add your signature to the list of signatures.
- Check in your signatures.

Release process is here: https://redwax.eu/rw/releases/

Regards,
Graham

From dirkx at webweaving.org Sun Feb 9 11:12:13 2020
From: dirkx at webweaving.org (Dirk-Willem van Gulik)
Date: Sun, 9 Feb 2020 11:12:13 +0100
Subject: [rs-dev] [Vote] Release Redwax Server mod_timestamp v0.2.2
In-Reply-To: <36FD6C85-7EB1-4C21-8482-93C9BF64849C@sharp.fm>
References: <36FD6C85-7EB1-4C21-8482-93C9BF64849C@sharp.fm>
Message-ID: <13C78670-B8AF-4B44-A958-516C252C35C4@webweaving.org>

+1 from me; have signed the release already.

Dw.

> On 8 Feb 2020, at 15:24, Graham Leggett via rs-dev wrote:
>
> Hi all,
>
> Calling for a vote to release mod_timestamp v0.2.2 at https://source.redwax.eu/svn/dist/rs/dev/.
>
> [ ] +1: It's not just good, it's good enough!
> [ ] +0: Let's have a talk.
> [ ] -1: There's trouble in paradise. Here's what's wrong.
>
> To approve the release (+1 is not enough), do the following:
>
> - Check out https://source.redwax.eu/svn/dist/rs/dev/
> - Run "make verify" to verify the existing signatures.
> - Run "make sign" to add your signature to the list of signatures.
> - Check in your signatures.
>
> Release process is here: https://redwax.eu/rw/releases/
>
> Regards,
> Graham
>
> _______________________________________________
> rs-dev mailing list
> rs-dev at redwax.eu
> https://redwax.eu/mailman/listinfo/rs-dev

From dirkx at webweaving.org Sun Feb 9 11:12:18 2020
From: dirkx at webweaving.org (Dirk-Willem van Gulik)
Date: Sun, 9 Feb 2020 11:12:18 +0100
Subject: [rs-dev] [Vote] Release Redwax Server mod_spkac v0.2.2
In-Reply-To:
References:
Message-ID: <4FFD86FA-5583-4852-95EE-C44962526A18@webweaving.org>

+1 from me; have signed the release already.

Dw.

> On 8 Feb 2020, at 15:23, Graham Leggett via rs-dev wrote:
>
> Hi all,
>
> Calling for a vote to release mod_spkac v0.2.2 at https://source.redwax.eu/svn/dist/rs/dev/.
>
> [ ] +1: It's not just good, it's good enough!
> [ ] +0: Let's have a talk.
> [ ] -1: There's trouble in paradise. Here's what's wrong.
>
> To approve the release (+1 is not enough), do the following:
>
> - Check out https://source.redwax.eu/svn/dist/rs/dev/
> - Run "make verify" to verify the existing signatures.
> - Run "make sign" to add your signature to the list of signatures.
> - Check in your signatures.
>
> Release process is here: https://redwax.eu/rw/releases/
>
> Regards,
> Graham
>
> _______________________________________________
> rs-dev mailing list
> rs-dev at redwax.eu
> https://redwax.eu/mailman/listinfo/rs-dev

From dirkx at webweaving.org Sun Feb 9 11:12:35 2020
From: dirkx at webweaving.org (Dirk-Willem van Gulik)
Date: Sun, 9 Feb 2020 11:12:35 +0100
Subject: [rs-dev] [Vote] Release Redwax Server mod_ocsp v0.2.2
In-Reply-To: <0B48B44B-C4D9-4165-9A2C-3D2E5EC64F75@redwax.eu>
References: <0B48B44B-C4D9-4165-9A2C-3D2E5EC64F75@redwax.eu>
Message-ID: <88588DAD-EBE7-4F9A-A486-2E437AEA1FEF@webweaving.org>

+1 from me; have signed the release already.

Dw.

> On 8 Feb 2020, at 15:21, Graham Leggett via rs-dev wrote:
>
> Hi all,
>
> Calling for a vote to release mod_ocsp v0.2.2 at https://source.redwax.eu/svn/dist/rs/dev/.
>
> [ ] +1: It's not just good, it's good enough!
> [ ] +0: Let's have a talk.
> [ ] -1: There's trouble in paradise. Here's what's wrong.
>
> To approve the release (+1 is not enough), do the following:
>
> - Check out https://source.redwax.eu/svn/dist/rs/dev/
> - Run "make verify" to verify the existing signatures.
> - Run "make sign" to add your signature to the list of signatures.
> - Check in your signatures.
>
> Release process is here: https://redwax.eu/rw/releases/
>
> Regards,
> Graham
>
> _______________________________________________
> rs-dev mailing list
> rs-dev at redwax.eu
> https://redwax.eu/mailman/listinfo/rs-dev

From dirkx at webweaving.org Sun Feb 9 11:12:57 2020
From: dirkx at webweaving.org (Dirk-Willem van Gulik)
Date: Sun, 9 Feb 2020 11:12:57 +0100
Subject: [rs-dev] [Vote] Release Redwax Server mod_crl v0.2.3
In-Reply-To:
References:
Message-ID: <18466C51-681E-4DE9-A7D1-937B0BB9C6EA@webweaving.org>

+1 from me; have signed the release already.

Dw.

> On 8 Feb 2020, at 15:20, Graham Leggett via rs-dev wrote:
>
> Hi all,
>
> Calling for a vote to release mod_crl v0.2.3 at https://source.redwax.eu/svn/dist/rs/dev/.
>
> [ ] +1: It's not just good, it's good enough!
> [ ] +0: Let's have a talk.
> [ ] -1: There's trouble in paradise. Here's what's wrong.
>
> To approve the release (+1 is not enough), do the following:
>
> - Check out https://source.redwax.eu/svn/dist/rs/dev/
> - Run "make verify" to verify the existing signatures.
> - Run "make sign" to add your signature to the list of signatures.
> - Check in your signatures.
>
> Release process is here: https://redwax.eu/rw/releases/
>
> Regards,
> Graham
>
> _______________________________________________
> rs-dev mailing list
> rs-dev at redwax.eu
> https://redwax.eu/mailman/listinfo/rs-dev

From dirkx at webweaving.org Sun Feb 9 11:12:30 2020
From: dirkx at webweaving.org (Dirk-Willem van Gulik)
Date: Sun, 9 Feb 2020 11:12:30 +0100
Subject: [rs-dev] [Vote] Release Redwax Server mod_pkcs12 v0.2.2
In-Reply-To: <43988474-222F-4A63-89B8-1D526F3B68B8@redwax.eu>
References: <43988474-222F-4A63-89B8-1D526F3B68B8@redwax.eu>
Message-ID:

+1 from me; have signed the release already.

Dw.

> On 8 Feb 2020, at 15:22, Graham Leggett via rs-dev wrote:
>
> Hi all,
>
> Calling for a vote to release mod_pkcs12 v0.2.2 at https://source.redwax.eu/svn/dist/rs/dev/.
>
> [ ] +1: It's not just good, it's good enough!
> [ ] +0: Let's have a talk.
> [ ] -1: There's trouble in paradise. Here's what's wrong.
>
> To approve the release (+1 is not enough), do the following:
>
> - Check out https://source.redwax.eu/svn/dist/rs/dev/
> - Run "make verify" to verify the existing signatures.
> - Run "make sign" to add your signature to the list of signatures.
> - Check in your signatures.
>
> Release process is here: https://redwax.eu/rw/releases/
>
> Regards,
> Graham
>
> _______________________________________________
> rs-dev mailing list
> rs-dev at redwax.eu
> https://redwax.eu/mailman/listinfo/rs-dev

From dirkx at webweaving.org Sun Feb 9 11:15:21 2020
From: dirkx at webweaving.org (Dirk-Willem van Gulik)
Date: Sun, 9 Feb 2020 11:15:21 +0100
Subject: [rs-dev] [Vote] Release Redwax Server mod_scep v0.2.3
In-Reply-To: <45F62DA6-D9A9-409C-B7E7-8FB2329AB02F@sharp.fm>
References: <45F62DA6-D9A9-409C-B7E7-8FB2329AB02F@sharp.fm>
Message-ID:

+1 from me; have signed the release already.

Dw.

> On 8 Feb 2020, at 15:23, Graham Leggett via rs-dev wrote:
>
> Hi all,
>
> Calling for a vote to release mod_scep v0.2.3 at https://source.redwax.eu/svn/dist/rs/dev/.
>
> [ ] +1: It's not just good, it's good enough!
> [ ] +0: Let's have a talk.
> [ ] -1: There's trouble in paradise. Here's what's wrong.
>
> To approve the release (+1 is not enough), do the following:
>
> - Check out https://source.redwax.eu/svn/dist/rs/dev/
> - Run "make verify" to verify the existing signatures.
> - Run "make sign" to add your signature to the list of signatures.
> - Check in your signatures.
>
> Release process is here: https://redwax.eu/rw/releases/
>
> Regards,
> Graham
>
> _______________________________________________
> rs-dev mailing list
> rs-dev at redwax.eu
> https://redwax.eu/mailman/listinfo/rs-dev

From dirkx at webweaving.org Sun Feb 9 11:15:31 2020
From: dirkx at webweaving.org (Dirk-Willem van Gulik)
Date: Sun, 9 Feb 2020 11:15:31 +0100
Subject: [rs-dev] [Vote] Release Redwax Server mod_csr v0.2.3
In-Reply-To: <6BC9135B-EF6F-4144-9D3B-DB62A2ECBD60@sharp.fm>
References: <6BC9135B-EF6F-4144-9D3B-DB62A2ECBD60@sharp.fm>
Message-ID: <3DF53138-F140-4350-AD7D-4D10C01FEBC0@webweaving.org>

+1 from me; have signed the release already.

Dw.

> On 8 Feb 2020, at 15:21, Graham Leggett via rs-dev wrote:
>
> Hi all,
>
> Calling for a vote to release mod_csr v0.2.3 at https://source.redwax.eu/svn/dist/rs/dev/.
>
> [ ] +1: It's not just good, it's good enough!
> [ ] +0: Let's have a talk.
> [ ] -1: There's trouble in paradise. Here's what's wrong.
>
> To approve the release (+1 is not enough), do the following:
>
> - Check out https://source.redwax.eu/svn/dist/rs/dev/
> - Run "make verify" to verify the existing signatures.
> - Run "make sign" to add your signature to the list of signatures.
> - Check in your signatures.
>
> Release process is here: https://redwax.eu/rw/releases/
>
> Regards,
> Graham
>
> _______________________________________________
> rs-dev mailing list
> rs-dev at redwax.eu
> https://redwax.eu/mailman/listinfo/rs-dev

From dirkx at webweaving.org Sun Feb 9 11:13:02 2020
From: dirkx at webweaving.org (Dirk-Willem van Gulik)
Date: Sun, 9 Feb 2020 11:13:02 +0100
Subject: [rs-dev] [Vote] Release Redwax Server mod_ca v0.2.2
In-Reply-To: <5C916567-4F49-4974-9B0E-4F6547C3EA58@redwax.eu>
References: <5C916567-4F49-4974-9B0E-4F6547C3EA58@redwax.eu>
Message-ID:

+1 from me; have signed the release already.

Dw.

> On 8 Feb 2020, at 15:19, Graham Leggett via rs-dev wrote:
>
> Hi all,
>
> Calling for a vote to release mod_ca v0.2.2 at https://source.redwax.eu/svn/dist/rs/dev/.
>
> [ ] +1: It's not just good, it's good enough!
> [ ] +0: Let's have a talk.
> [ ] -1: There's trouble in paradise. Here's what's wrong.
>
> To approve the release (+1 is not enough), do the following:
>
> - Check out https://source.redwax.eu/svn/dist/rs/dev/
> - Run "make verify" to verify the existing signatures.
> - Run "make sign" to add your signature to the list of signatures.
> - Check in your signatures.
>
> Release process is here: https://redwax.eu/rw/releases/
>
> Regards,
> Graham
>
> _______________________________________________
> rs-dev mailing list
> rs-dev at redwax.eu
> https://redwax.eu/mailman/listinfo/rs-dev

From dirkx at webweaving.org Sun Feb 9 11:12:42 2020
From: dirkx at webweaving.org (Dirk-Willem van Gulik)
Date: Sun, 9 Feb 2020 11:12:42 +0100
Subject: [rs-dev] [Vote] Release Redwax Server mod_csr v0.2.3
In-Reply-To: <6BC9135B-EF6F-4144-9D3B-DB62A2ECBD60@sharp.fm>
References: <6BC9135B-EF6F-4144-9D3B-DB62A2ECBD60@sharp.fm>
Message-ID: <1D58BE48-A0B6-4834-AF8C-24D5042F2755@webweaving.org>

+1 from me; have signed the release already.

Dw.

> On 8 Feb 2020, at 15:21, Graham Leggett via rs-dev wrote:
>
> Hi all,
>
> Calling for a vote to release mod_csr v0.2.3 at https://source.redwax.eu/svn/dist/rs/dev/.
>
> [ ] +1: It's not just good, it's good enough!
> [ ] +0: Let's have a talk.
> [ ] -1: There's trouble in paradise. Here's what's wrong.
>
> To approve the release (+1 is not enough), do the following:
>
> - Check out https://source.redwax.eu/svn/dist/rs/dev/
> - Run "make verify" to verify the existing signatures.
> - Run "make sign" to add your signature to the list of signatures.
> - Check in your signatures.
>
> Release process is here: https://redwax.eu/rw/releases/
>
> Regards,
> Graham
>
> _______________________________________________
> rs-dev mailing list
> rs-dev at redwax.eu
> https://redwax.eu/mailman/listinfo/rs-dev

From dirkx at webweaving.org Sun Feb 9 11:15:40 2020
From: dirkx at webweaving.org (Dirk-Willem van Gulik)
Date: Sun, 9 Feb 2020 11:15:40 +0100
Subject: [rs-dev] [Vote] Release Redwax Server mod_ca v0.2.2
In-Reply-To: <5C916567-4F49-4974-9B0E-4F6547C3EA58@redwax.eu>
References: <5C916567-4F49-4974-9B0E-4F6547C3EA58@redwax.eu>
Message-ID: <4D299BC7-A37B-4D3E-AC1E-2E1C01FCDFB4@webweaving.org>

+1 from me; have signed the release already.

Dw.

> On 8 Feb 2020, at 15:19, Graham Leggett via rs-dev wrote:
>
> Hi all,
>
> Calling for a vote to release mod_ca v0.2.2 at https://source.redwax.eu/svn/dist/rs/dev/.
>
> [ ] +1: It's not just good, it's good enough!
> [ ] +0: Let's have a talk.
> [ ] -1: There's trouble in paradise. Here's what's wrong.
>
> To approve the release (+1 is not enough), do the following:
>
> - Check out https://source.redwax.eu/svn/dist/rs/dev/
> - Run "make verify" to verify the existing signatures.
> - Run "make sign" to add your signature to the list of signatures.
> - Check in your signatures.
>
> Release process is here: https://redwax.eu/rw/releases/
>
> Regards,
> Graham
>
> _______________________________________________
> rs-dev mailing list
> rs-dev at redwax.eu
> https://redwax.eu/mailman/listinfo/rs-dev

From minfrin at sharp.fm Sun Feb 9 11:33:00 2020
From: minfrin at sharp.fm (Graham Leggett)
Date: Sun, 9 Feb 2020 12:33:00 +0200
Subject: [rs-dev] CI update - Bamboo now builds for CentOS8 and Interop
Message-ID: <85100AAA-3126-4EEE-9703-C924D8D55417@sharp.fm>

Hi all,

An update on continuous integration - we now build Redwax for CentOS7, CentOS8, and a special version of CentOS8 that will auto-build the version of Redwax to be used on the new https://interop.redwax.eu site.

https://ci.redwax.eu/browse/RS-MODCA-40

As expected, all builds triggered on commit.

Regards,
Graham

-------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 5014 bytes Desc: not available URL: From dirkx at webweaving.org Sun Feb 9 11:15:26 2020 From: dirkx at webweaving.org (Dirk-Willem van Gulik) Date: Sun, 9 Feb 2020 11:15:26 +0100 Subject: [rs-dev] [Vote] Release Redwax Server mod_pkcs12 v0.2.2 In-Reply-To: <43988474-222F-4A63-89B8-1D526F3B68B8@redwax.eu> References: <43988474-222F-4A63-89B8-1D526F3B68B8@redwax.eu> Message-ID: +1 from me; have signed the release already. Dw. > On 8 Feb 2020, at 15:22, Graham Leggett via rs-dev wrote: > > Hi all, > > Calling for a vote to release mod_pkcs12 v0.2.2 at https://source.redwax.eu/svn/dist/rs/dev/. > > [ ] +1: It's not just good, it's good enough! > [ ] +0: Let's have a talk. > [ ] -1: There's trouble in paradise. Here's what's wrong. > > To approve the release (+1 is not enough), do the following: > > - Check out https://source.redwax.eu/svn/dist/rs/dev/ > - Run ?make verify? to verify the existing signatures. > - Run ?make sign? to add your signature to the list of signatures. > - Check in your signatures. > > Release process is here: https://redwax.eu/rw/releases/ > > Regards, > Graham > ? > > _______________________________________________ > rs-dev mailing list > rs-dev at redwax.eu > https://redwax.eu/mailman/listinfo/rs-dev > From dirkx at webweaving.org Sat Feb 15 21:33:16 2020 From: dirkx at webweaving.org (Dirk-Willem van Gulik) Date: Sat, 15 Feb 2020 21:33:16 +0100 Subject: [rs-dev] CRL working nicely - hitting an issue on OCSP Message-ID: <2985E9B3-D7B2-4657-88B1-7D51D0320EE5@webweaving.org> Got a better range of tests now on CRLs(attached in their NIX version; have a variation for FreeBSD). But OCSP has me stumped. Config as per below 'gen.sh' script (which sort of assumes debian/ubuntu apache locations). 
Salient parts are: CASimpleCertificate $dir/ca.pem CACRLCertificateRevocationList "/root/web/ca-users-crl.pem" which contains cert 3 and 4 recoved. This works fine with the CRL responder. For the OCSP responder I have: SetHandler ocsp OcspSigningCertificate "$dir/ca-users.pem" OcspSigningKey "$dir/ca-users.pem" and then a query for cert 4 (which is revoked gives me): openssl ocsp -issuer web/ca-users.pem -cert web/person-malory.pem -url https://site.local/ocsp -resp_text OCSP Response Data: OCSP Response Status: successful (0x0) Response Type: Basic OCSP Response Version: 1 (0x0) Responder Id: C = NL, ST = Zuid-Holland, L = Leiden, O = Cleansing Enterprises B.V, CN = OCSP Department Produced At: Feb 15 20:03:15 2020 GMT Responses: Certificate ID: Hash Algorithm: sha1 Issuer Name Hash: F0DF2C2026E06D0E4271EBE248C996E16DD1BBE1 Issuer Key Hash: 625D467B5F4398133316AFA3107B5048FC1E81EA Serial Number: 04 Cert Status: unknown This Update: Feb 15 20:03:15 2020 GMT ... Response verify OK /root/web/person-malory.pem: unknown This Update: Feb 15 20:03:15 2020 GMT With openssl x509 -noout -ocspid -in web/ca-users.pem Subject OCSP hash: F0DF2C2026E06D0E4271EBE248C996E16DD1BBE1 Public key OCSP hash: 625D467B5F4398133316AFA3107B5048FC1E81EA openssl x509 -in web/person-malory.pem -noout -text ... X509v3 Subject Key Identifier: 62:2D:1C:95:90:8A:2B:35:B0:6B:3B:A1:A6:1D:D3:37:3E:C7:3D:0B ... confirming that ca-users.pem is in deed the right issuer; and that the cert is issued by this ca; and so on. But still getting '/root/web/person-malory.pem: unknown' Does that ring a bell ? Dw. #!bash set -e set x dir=`pwd`/web P=/usr mkdir -m 0700 -p $dir # We use a fairly 'valid' DN; as to not having to foil the default # checks for things like '2 char' country codes, etc which are in # the standard openssl.conf. # basedn="/C=NL/ST=Zuid-Holland/L=Leiden/O=Cleansing Enterprises B.V" # Generating CA - and use that to sign a sign two sub CAs. 
# One that issues web server certs (that we'll use as a server) # and one that issues certificates to our users. # $P/bin/openssl req -new -x509 -nodes -newkey rsa:4096 \ -extensions v3_ca \ -subj "$basedn/CN=CA" \ -out $dir/ca.pem -keyout $dir/ca.key # Now create our two sub CAs. One for the services and one for the users. # And sign each with the above root CA key. # # We specify 'nodes' to not encrypt the private keys; as to not # need human interaction (typing in the password) during webserver # startup. # cat > $dir/extfile.cnf < $dir/extfile.cnf < $dir/chain-web.pem cat $dir/ca-users.pem $dir/ca.pem > $dir/chain-user.pem cat $dir/ocsp.pem $dir/ca.pem > $dir/chain-ocsp.pem cat $dir/ca.pem $dir/ca-*.pem $dir/ocsp.pem > $dir/chain.pem # Somewhat anoyingly - the CRL fetch of openssl ignores the CA settings; # and only looks at the hashed-path-dir. So we make one of the few we need. # mkdir -p $dir/hashed for cf in $dir/ca.pem $dir/ca-web.pem $dir/ca-users.pem $dir/ocsp.pem do ln $cf $dir/hashed/`openssl x509 -noout -hash -in $cf`.0 done # Use the CA Web sub ca to sign a localhost cert. We keep this very simple; a # more realistic example would set all sort of x509v3 extensions; such as an # key IDs and SubjectAltNames. # $P/bin/openssl req -new -nodes -newkey rsa:4096 -keyout $dir/server.key \ -subj "$basedn/CN=site.local" \ -out $dir/server.csr $P/bin/openssl x509 -req -days 14 -set_serial $RANDOM \ -CA $dir/ca-web.pem -CAkey $dir/ca-web.key \ -in $dir/server.csr \ -out $dir/server.pem rm $dir/server.csr # SSLCertificateChainFile was obsoleted in apache 2.4.8 - its role taken over by # having them concatenated into SSLCertificateFile. So we create that here; sorted # from leaf to root. cat $dir/server.pem $dir/ca-users.pem $dir/ca.pem > $dir/server-and-chain.pem # We know longer need the Web CA key; but we do keep the ca-users key; as that # is what the service needs to sign certificate requests. 
# rm $dir/ca-web.key # Set up a minimal CA config that can create & revoke certicates. And include # in the generated certs the vaiorus OCSP and CRL endpoints for this demo. # mkdir -p $dir/certs $dir/crl $dir/newcerts touch $dir/index.txt echo 01 > $dir/serial.txt echo 01 > $dir/crlnumber.txt cat > $dir/openssl.cnf < $dir/docroot/index.html cat > /etc/apache2/sites-enabled/x.conf << EOM LoadModule ca_module /usr/lib/apache2/modules/mod_ca.so LoadModule ca_crl_module /usr/lib/apache2/modules/mod_ca_crl.so LoadModule crl_module /usr/lib/apache2/modules/mod_crl.so LoadModule ca_simple_module /usr/lib/apache2/modules/mod_ca_simple.so LoadModule ocsp_module /usr/lib/apache2/modules/mod_ocsp.so CACRLCertificateRevocationList "$dir/ca-users-crl.pem" ServerName site.local # Listen 127.0.0.1:443 SSLEngine on SSLCertificateFile "$dir/server.pem" SSLCertificateKeyFile "$dir/server.key" SSLCertificateChainFile "$dir/chain-web.pem" Require all granted options all SetHandler crl CASimpleTime on CASimpleSerialRandom on CASimpleAlgorithm RSA CASimpleCertificate $dir/ca.pem SetHandler ocsp OcspSigningCertificate "$dir/ca-users.pem" OcspSigningKey "$dir/ca-users.key" EOM apachectl restart set -x openssl ocsp -issuer $dir/ca-users.pem -cert $dir/person-malory.pem -cert $dir/person-alice.pem -cert $dir/person-bob.pem -cert $dir/person-charlie.pem -url https://site.local/ocsp -resp_text openssl x509 -in $dir/ca-users.pem -noout -ocspid openssl x509 -in web/ca-users.pem -noout -text | grep -A1 ' X509v3 Subject Key Identifier:' openssl x509 -in web/person-alice.pem -noout -text | grep -A1 ' X509v3 Subject Key Identifier:' root at 98cd883c6fb4:~# -------------- next part -------------- From dirkx at webweaving.org Sat Feb 15 22:27:32 2020 From: dirkx at webweaving.org (Dirk-Willem van Gulik) Date: Sat, 15 Feb 2020 22:27:32 +0100 Subject: [rs-dev] CRL working nicely - hitting an issue on OCSP In-Reply-To: <2985E9B3-D7B2-4657-88B1-7D51D0320EE5@webweaving.org> References: 
<2985E9B3-D7B2-4657-88B1-7D51D0320EE5@webweaving.org> Message-ID: On 15 Feb 2020, at 21:33, Dirk-Willem van Gulik via rs-dev wrote: > Got a better range of tests now on CRLs(attached in their NIX version; have a variation for FreeBSD). > > But OCSP has me stumped. Config as per below 'gen.sh' script (which sort of assumes debian/ubuntu apache locations). > > Salient parts are: > > CASimpleCertificate $dir/ca.pem > CACRLCertificateRevocationList "/root/web/ca-users-crl.pem" > > which contains cert 3 and 4 recoved. This works fine with the CRL responder. For the OCSP responder I have: > > > SetHandler ocsp > OcspSigningCertificate "$dir/ca-users.pem" > OcspSigningKey "$dir/ca-users.pem" > > > and then a query for cert 4 (which is revoked gives me): > > openssl ocsp -issuer web/ca-users.pem -cert web/person-malory.pem -url https://site.local/ocsp -resp_text > > OCSP Response Data: > OCSP Response Status: successful (0x0) > Response Type: Basic OCSP Response > Version: 1 (0x0) > Responder Id: C = NL, ST = Zuid-Holland, L = Leiden, O = Cleansing Enterprises B.V, CN = OCSP Department > Produced At: Feb 15 20:03:15 2020 GMT > Responses: > Certificate ID: > Hash Algorithm: sha1 > Issuer Name Hash: F0DF2C2026E06D0E4271EBE248C996E16DD1BBE1 > Issuer Key Hash: 625D467B5F4398133316AFA3107B5048FC1E81EA > Serial Number: 04 > Cert Status: unknown > This Update: Feb 15 20:03:15 2020 GMT > ... > Response verify OK > /root/web/person-malory.pem: unknown > This Update: Feb 15 20:03:15 2020 GMT > > With > > openssl x509 -noout -ocspid -in web/ca-users.pem > Subject OCSP hash: F0DF2C2026E06D0E4271EBE248C996E16DD1BBE1 > Public key OCSP hash: 625D467B5F4398133316AFA3107B5048FC1E81EA > > openssl x509 -in web/person-malory.pem -noout -text > ... X509v3 Subject Key Identifier: > 62:2D:1C:95:90:8A:2B:35:B0:6B:3B:A1:A6:1D:D3:37:3E:C7:3D:0B > ... > > confirming that ca-users.pem is in deed the right issuer; and that the cert is issued by this ca; and so on. 
> > But still getting '/root/web/person-malory.pem: unknown' Ok - it should have rung a bell - the issue was that CASimpleCertificate was pointing to the wrong CA - so our poor OCSP responder never recognized it properly. Apologies for the noise ! Dw. From minfrin at sharp.fm Sun Feb 16 01:26:48 2020 From: minfrin at sharp.fm (Graham Leggett) Date: Sun, 16 Feb 2020 02:26:48 +0200 Subject: [rs-dev] Interop: Redwax mod_scep and Mikrotik Routerboard Message-ID: <6115073C-846B-4AFB-A3ED-512F9C6759A3@sharp.fm> Hi all, There is a new addition to the interop site - an example of interoperability between mod_scep and the SCEP client available on the Mikrotik Routerboard. https://interop.redwax.eu/rs/scep/ Regards, Graham ? -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 5014 bytes Desc: not available URL: From dirkx at webweaving.org Sun Feb 16 10:56:12 2020 From: dirkx at webweaving.org (Dirk-Willem van Gulik) Date: Sun, 16 Feb 2020 10:56:12 +0100 Subject: [rs-dev] Interop: Redwax mod_scep and Mikrotik Routerboard In-Reply-To: <6115073C-846B-4AFB-A3ED-512F9C6759A3@sharp.fm> References: <6115073C-846B-4AFB-A3ED-512F9C6759A3@sharp.fm> Message-ID: <0DA074D7-B77E-4685-86AF-454EA1B0E2A7@webweaving.org> On 16 Feb 2020, at 01:26, Graham Leggett via rs-dev wrote: > There is a new addition to the interop site - an example of interoperability between mod_scep and the SCEP client available on the Mikrotik Routerboard. > > https://interop.redwax.eu/rs/scep/ Nice - I'll test it against the cisco router, Dw. From dirkx at webweaving.org Sun Feb 16 12:22:01 2020 From: dirkx at webweaving.org (Dirk-Willem van Gulik) Date: Sun, 16 Feb 2020 12:22:01 +0100 Subject: [rs-dev] OCSP test case also fixed (for nixos that is) Message-ID: <2AAF9FE4-935C-4ACE-8A77-79E594413305@webweaving.org> Graham, OCSP test case now also decent. 
The work around was easy (openssl seems to silently add the issuer trusted cert to the main CA -and- not check the https URL it fetches the /ocsp from). Dw. https://github.com/dirkx/nixpkgs/blob/797e03974f2df01b554e7c18870bb290f9c1285e/nixos/tests/redwax-revoke-ocsp.nix From minfrin at redwax.eu Sun Feb 16 19:30:45 2020 From: minfrin at redwax.eu (Graham Leggett) Date: Sun, 16 Feb 2020 20:30:45 +0200 Subject: [rs-dev] Interop: Redwax mod_scep and Mikrotik Routerboard In-Reply-To: <6115073C-846B-4AFB-A3ED-512F9C6759A3@sharp.fm> References: <6115073C-846B-4AFB-A3ED-512F9C6759A3@sharp.fm> Message-ID: <779A5A2B-0174-440E-A7B0-3BCC8798C4D2@redwax.eu> On 16 Feb 2020, at 02:26, Graham Leggett via rs-dev wrote: > There is a new addition to the interop site - an example of interoperability between mod_scep and the SCEP client available on the Mikrotik Routerboard. > > https://interop.redwax.eu/rs/scep/ A further update - we now have an interoperate example using mobileconfig files and the Apple Configurator on MacOS and iOS. Regards, Graham ? From dirkx at webweaving.org Sun Feb 16 19:48:07 2020 From: dirkx at webweaving.org (Dirk-Willem van Gulik) Date: Sun, 16 Feb 2020 19:48:07 +0100 Subject: [rs-dev] Interop: Redwax mod_scep and Mikrotik Routerboard In-Reply-To: <779A5A2B-0174-440E-A7B0-3BCC8798C4D2@redwax.eu> References: <6115073C-846B-4AFB-A3ED-512F9C6759A3@sharp.fm> <779A5A2B-0174-440E-A7B0-3BCC8798C4D2@redwax.eu> Message-ID: > On 16 Feb 2020, at 19:30, Graham Leggett via rs-dev wrote: > > On 16 Feb 2020, at 02:26, Graham Leggett via rs-dev wrote: > >> There is a new addition to the interop site - an example of interoperability between mod_scep and the SCEP client available on the Mikrotik Routerboard. >> >> https://interop.redwax.eu/rs/scep/ > > A further update - we now have an interoperate example using mobileconfig files and the Apple Configurator on MacOS and iOS. Nice ! 
We may need to tell people to remove the .xml when saving it (so that double clicking it after download works).

And perhaps add to the instructions; once you've done this - go to `Keychain Access', select `My Certificates' and you should see a certificate like below freshly issued. Note that it is only valid for one day - so you can check the automatic update tomorrow :)

Dw.

From minfrin at redwax.eu Sun Feb 16 21:24:01 2020
From: minfrin at redwax.eu (Graham Leggett)
Date: Sun, 16 Feb 2020 22:24:01 +0200
Subject: [rs-dev] Interop: Redwax mod_scep and Mikrotik Routerboard
In-Reply-To:
References: <6115073C-846B-4AFB-A3ED-512F9C6759A3@sharp.fm> <779A5A2B-0174-440E-A7B0-3BCC8798C4D2@redwax.eu>
Message-ID: <23AA24AF-D8A7-429E-8588-25FF252A4626@redwax.eu>

On 16 Feb 2020, at 20:48, Dirk-Willem van Gulik wrote:

>> A further update - we now have an interoperate example using mobileconfig files and the Apple Configurator on MacOS and iOS.
>
> Nice! We may need to tell people to remove the .xml when saving it (so that double clicking it after download works).
>
> And perhaps add to the instructions; once you've done this - go to `Keychain Access', select `My Certificates' and you should see a certificate like below freshly issued. Note that it is only valid for one day - so you can check the automatic update tomorrow :)

Screenshot has been added to https://interop.redwax.eu/rs/scep/, and the proper MIME type is in place so that downloads trigger the profile install.

The Mikrotik I tested with originally had a bug where it was replacing the certificate once per minute. One firmware update later and it was being updated once a day :)

Regards,
Graham
From minfrin at redwax.eu Sun Feb 23 23:52:29 2020
From: minfrin at redwax.eu (Graham Leggett)
Date: Mon, 24 Feb 2020 00:52:29 +0200
Subject: [rs-dev] New module: mod_cert
Message-ID: <9D4ECA0E-5EC2-4303-9047-F34F88F2EF3B@redwax.eu>

Hi all,

To make it easier to gain access to and download CA certificates in a specific Redwax installation, the mod_cert module has been added that allows access to CA certificates as follows:

  Require all granted
  SetHandler cert-ca

A concrete example of this in action is at the interop site:

https://interop.redwax.eu/test/simple/ca.der

Documentation and a formal release to follow.

Regards,
Graham

From dirkx at webweaving.org Mon Feb 24 19:07:02 2020
From: dirkx at webweaving.org (Dirk-Willem van Gulik)
Date: Mon, 24 Feb 2020 18:07:02 +0000
Subject: [rs-dev] Fwd: [NixOS/nixpkgs] redwax-modules: 0.2.1 -> 0.2.2/0.2.3 (#80182)
References:
Message-ID: <4E62BE7C-AEF1-4E74-AF8C-587A8C2D1201@webweaving.org>

Just FYI - updates have gone into the main line at NixOS. Demos not yet,

Dw.

> Begin forwarded message:
>
> From: Aaron Andersen
> Subject: Re: [NixOS/nixpkgs] redwax-modules: 0.2.1 -> 0.2.2/0.2.3 (#80182)
> Date: 23 February 2020 at 00:03:22 GMT
> To: NixOS/nixpkgs
> Cc: Dirk-Willem van Gulik, Mention
> Reply-To: NixOS/nixpkgs
>
> Merged #80182 into master.
From dirkx at webweaving.org Mon Feb 24 19:08:59 2020
From: dirkx at webweaving.org (Dirk-Willem van Gulik)
Date: Mon, 24 Feb 2020 18:08:59 +0000
Subject: [rs-dev] New module: mod_cert
In-Reply-To: <9D4ECA0E-5EC2-4303-9047-F34F88F2EF3B@redwax.eu>
References: <9D4ECA0E-5EC2-4303-9047-F34F88F2EF3B@redwax.eu>
Message-ID: <2D161494-7447-43EC-BDEF-AECB02097C4B@webweaving.org>

On 23 Feb 2020, at 22:52, Graham Leggett via rs-dev wrote:

> To make it easier to gain access to and download CA certificates in a specific Redwax installation, the mod_cert module has been added that allows access to CA certificates as follows:
> ...
> https://interop.redwax.eu/test/simple/ca.der

Ah lovely - I was looking at this the other day - and started doing something similar for CRLs.

Am wondering if we need a discovery mechanism - so that anything that 'getca' and similar give access to - can be auto-exposed.

Dw.

From minfrin at redwax.eu Tue Feb 25 00:03:35 2020
From: minfrin at redwax.eu (Graham Leggett)
Date: Tue, 25 Feb 2020 01:03:35 +0200
Subject: [rs-dev] New module: mod_cert
In-Reply-To: <2D161494-7447-43EC-BDEF-AECB02097C4B@webweaving.org>
References: <9D4ECA0E-5EC2-4303-9047-F34F88F2EF3B@redwax.eu> <2D161494-7447-43EC-BDEF-AECB02097C4B@webweaving.org>
Message-ID: <85881B51-9E2D-4609-AD68-F578E6DDBDBF@redwax.eu>

On 24 Feb 2020, at 20:08, Dirk-Willem van Gulik wrote:

>> To make it easier to gain access to and download CA certificates in a specific Redwax installation, the mod_cert module has been added that allows access to CA certificates as follows:
>> ...
>> https://interop.redwax.eu/test/simple/ca.der
>
> Ah lovely - I was looking at this the other day - and started doing something similar for CRLs.
>
> Am wondering if we need a discovery mechanism - so that anything that 'getca' and similar give access to - can be auto-exposed.

Currently at its most basic, mod_cert exposes the getca and getnextca hooks. Very shortly mod_pkcs7 will do the same thing, but as pkcs7 responses.
The next step is to create a certfetch hook to match the certstore hook, and have certs returned by transaction id or serial number via mod_cert/mod_pkcs7. This also is a prerequisite for supporting delayed certificate signing in SCEP, as we need a way to return a cert when eventually signed.

Regards,
Graham

From minfrin at redwax.eu Wed Feb 26 01:47:14 2020
From: minfrin at redwax.eu (Graham Leggett)
Date: Wed, 26 Feb 2020 02:47:14 +0200
Subject: [rs-dev] New module: mod_pkcs7
Message-ID:

Hi all,

Similar to mod_cert, and to make it easier to gain access to and download CA certificates in a specific Redwax installation, the mod_pkcs7 module has been added that allows access to CA certificates as follows:

  Require all granted
  SetHandler pkcs7-ca

A concrete example of this in action is at the interop site:

https://interop.redwax.eu/test/simple/ca.p7b

Documentation is at https://redwax.eu/rs/docs/latest/mod/mod_pkcs7.html

Regards,
Graham
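
The mod_cert and mod_pkcs7 announcements above expose the same CA certificate in two containers (ca.der and ca.p7b). As an added example, not Redwax code and not part of any message in this archive, the Python below checks which container a downloaded response is and computes a SHA-256 fingerprint to compare with a value obtained out of band before the file is trusted. It assumes both responses are DER-encoded; the function names are hypothetical and the sample inputs are constructed skeletons, not real certificates.

```python
import hashlib

SIGNED_DATA_OID = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2

def read_tlv(buf, off=0):
    """Return (tag, value_start, value_end) for the DER element at off."""
    if off + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[off], buf[off + 1]
    off += 2
    if first < 0x80:                      # short form: length is the byte itself
        length = first
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or off + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    if off + length > len(buf):
        raise ValueError("value runs past end of input")
    return tag, off, off + length

def classify(der):
    """Shape check only: bare X.509 certificate vs PKCS#7 SignedData bundle."""
    tag, start, end = read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    inner_tag, v0, v1 = read_tlv(der, start)
    if inner_tag == 0x30:                 # Certificate begins with tbsCertificate
        return "x509-certificate"
    if inner_tag == 0x06 and der[v0:v1] == SIGNED_DATA_OID:
        return "pkcs7-signed-data"        # ContentInfo begins with the content type
    raise ValueError("unexpected content")

def fingerprint(der):
    """SHA-256 over the exact bytes received, for out-of-band comparison."""
    return hashlib.sha256(der).hexdigest()

def der_seq(*parts):  # helper used only to build the constructed samples
    body = b"".join(parts)
    n = len(body)
    if n < 0x80:
        return b"\x30" + bytes([n]) + body
    size = (n.bit_length() + 7) // 8
    return b"\x30" + bytes([0x80 | size]) + n.to_bytes(size, "big") + body

# Constructed skeletons: only the outer structure is meaningful.
SAMPLE_CERT = der_seq(der_seq(b"\x02\x01\x01"), der_seq(), b"\x03\x01\x00")
SAMPLE_P7B = der_seq(b"\x06\x09" + SIGNED_DATA_OID, b"\xa0\x02" + der_seq())
```

The classification only confirms the outer structure; trust in the CA certificate still rests on the fingerprint comparison.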