This post originated from an RSS feed registered with Java Buzz
by Elliotte Rusty Harold.
Original Post: Converting to HTTPS Friction Log Day 2
Feed Title: Mokka mit Schlag
Feed URL: http://www.elharo.com/blog/feed/atom/?
Feed Description: Ranting and Raving
Pair.com still doesn’t take security seriously. They eventually got back to me to confirm the RSA keys, but they don’t publish the public keys for their login servers on a secure channel.
Google’s efforts to promote HTTPS on the Web don’t include HTTPS for GCS buckets served through custom domains.
AWS can serve HTTPS if you use CloudFront, but that might cost as much as $600 a month. (Again, it may well be cheaper, but Amazon’s docs are incomplete and confusing enough that I don’t feel I would know until I got the bill. Update: it almost certainly is cheaper provided you use SNI.)
Let’s see what we can do today.
Google Cloud Launcher looks interesting. They install my dependencies but do they autoupdate them for me? Do they support HTTPS? The docs don’t say, so far as I can see.
Let’s try this with pair again. Hmm, at least these days they’ve figured out that SSL isn’t just for ecommerce. (The last time I talked to them about this, the support rep insisted that I was foolish for wanting to use SSL since I wasn’t taking credit cards, and wouldn’t help me.) However their page is still inaccurate (i.e. refers to other things on their site that don’t exist) and they still charge way too much for certificates ($59 per year per host). It looks like I may be able to use a different cert, but I can’t self-service. OK, support request sent. (10:42 AM).
Meanwhile let’s see if I can get a cert from Let’s Encrypt. Let’s Encrypt still seems to expect you’re running their software on the host, though there may be a manual option if you ignore a lot of their instructions. (Poor and incomplete docs are a real problem in this space.)
~$ brew install certbot
Error: No available formula for certbot
~$ brew update
warning: inexact rename detection was skipped due to too many files.
warning: you may want to set your diff.renameLimit variable to at least 2379 and retry the command.
Updated Homebrew from 591ee629 to 5a9e19f9.
==> Deleted Formula
...
~$ brew install certbot
Error: Unknown command: install
~$ brew update
remote: Counting objects: 946, done.
remote: Compressing objects: 100% (883/883), done.
...
~$ brew install certbot
==> Installing dependencies for certbot: pkg-config, libxml2, readline, augeas, dialog, openssl@1.1
==> Installing certbot dependency: pkg-config
...
% (command_desc, proc.returncode, cwd))
InstallationError: Command "/usr/local/Cellar/certbot/0.9.3_1/libexec/bin/python -u -c "import setuptools, tokenize;__file__='/private/tmp/pip-dG7vUP-build/setup.py';f=getattr(tokenize, 'open', open)(__file__);code=f.read().replace('\r\n', '\n');f.close();exec(compile(code, __file__, 'exec'))" install --record /tmp/pip-k37qHn-record/install-record.txt --single-version-externally-managed --compile --install-headers /usr/local/Cellar/certbot/0.9.3_1/libexec/include/site/python2.7/cffi" failed with error code 1 in /private/tmp/pip-dG7vUP-build/
/usr/local/Homebrew/Library/Homebrew/exceptions.rb:361:in `dump': uninitialized constant OS::ISSUES_URL (NameError)
from /usr/local/Homebrew/Library/Homebrew/brew.rb:133:in `rescue in '
from /usr/local/Homebrew/Library/Homebrew/brew.rb:31:in `'
~$ sudo brew install certbot
Password:
Error: Running Homebrew as root is extremely dangerous and no longer supported.
As Homebrew does not drop privileges on installation you would be giving all
build scripts full access to your system
(Seriously? We need to take the command line out of this folks. You ought to be able to get a certificate purely from the Web.)
2:07 PM Back from lunch. Managed to get certbot installed on a different laptop, though further reading of the documentation makes me concerned that I have to renew the certificates every 90 days. I want fire and forget.
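The 90-day lifetime is the part of Let’s Encrypt that bites anyone who wants fire and forget: certbot’s default is to renew once 30 days or fewer remain, and if that job silently stops running the site breaks a month later. The script below is an added example (not code from the original post or from certbot) of the monitoring check a practitioner would want alongside the renewal job. It reads the peer certificate’s notAfter field over a TLS connection (sending SNI via server_hostname, the same mechanism the CloudFront note above relies on) and classifies each host as ok, due for renewal, or expired. The hostnames, expiry strings and the fixed "now" are constructed sample data; the 90/30-day values are Let’s Encrypt’s lifetime and certbot’s default threshold.

```python
"""Expiry check for 90-day (Let's Encrypt-style) certificates.

Added example, not code from the original post or from certbot. Assumes
certbot's default policy of renewing when 30 days or fewer remain; the
hostnames, notAfter strings and SAMPLE_NOW below are constructed.
"""
import datetime
import socket
import ssl

LIFETIME_DAYS = 90   # Let's Encrypt certificates are valid for 90 days
RENEW_AT_DAYS = 30   # certbot's default renewal threshold


def fetch_not_after(hostname, port=443, timeout=5.0):
    """Open a TLS connection (SNI is sent via server_hostname) and return the
    peer certificate's notAfter string, e.g. 'Nov 12 23:59:59 2017 GMT'.
    Not used by the offline demo below; wire it in to check live hosts."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()["notAfter"]


def days_remaining(not_after, now=None):
    """Days until expiry, parsed from the getpeercert() notAfter format."""
    expires = ssl.cert_time_to_seconds(not_after)   # UTC seconds since epoch
    if now is None:
        now = datetime.datetime.now(datetime.timezone.utc)
    return (expires - now.timestamp()) / 86400.0


def renewal_status(not_after, now=None):
    """Classify a certificate as 'expired', 'renew' or 'ok'."""
    left = days_remaining(not_after, now)
    if left <= 0:
        return "expired"
    if left <= RENEW_AT_DAYS:
        return "renew"
    return "ok"


def check_hosts(hosts, now=None):
    """hosts maps hostname -> notAfter string; in practice populate it with
    fetch_not_after(). Returns hostname -> status."""
    return {host: renewal_status(not_after, now) for host, not_after in hosts.items()}


# Constructed sample input: a fixed clock and three hosts at different ages.
SAMPLE_NOW = datetime.datetime(2017, 10, 1, 12, 0, tzinfo=datetime.timezone.utc)
SAMPLE_HOSTS = {
    "fresh.example.com": "Dec 29 12:00:00 2017 GMT",   # 89 days left -> ok
    "aging.example.com": "Oct 20 12:00:00 2017 GMT",   # 19 days left -> renew
    "dead.example.com": "Sep 30 12:00:00 2017 GMT",    # expired yesterday
}

if __name__ == "__main__":
    for host, status in check_hosts(SAMPLE_HOSTS, SAMPLE_NOW).items():
        print(f"{host:24s} {status}")
```

Run this from cron or a monitoring job independently of the renewal job itself; the point is that an expiry check and the renewal are two separate processes, so a broken renewal surfaces as "renew" or "expired" well before visitors see a certificate error.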
Over lunch I realized I could just use App Engine Standard, which does support static HTML. Probably not quite as cost efficient as GCS and certainly not as easy to update, but might serve. Also on further research it looks like AWS may be not as expensive as I feared.
Let’s try Amazon first. A little complex, but there are good instructions, which is reassuring. However uploading a folder requires a Java applet!? I could probably make that work, but it’s inconvenient enough for me to try App Engine instead. (Note: very unfair comparison. Since App Engine is my 80% day job, I know way more about navigating the ins and outs of the Google Cloud Console than the AWS console.)
4:48 PM. Files are uploaded and being served from appspot.com. First I had to reverse engineer how I built the static files for this website, since I hadn’t touched it for several years. Then, I had to code a patch for a bug in the Eclipse plug-in I was dogfooding to do the upload.