View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0001517 | Main CAcert Website | website content | public | 2021-04-21 20:25 | 2021-05-11 19:30 |
Reporter | jandd | Assigned To | egal | ||
Priority | high | Severity | feature | Reproducibility | always |
Status | solved? | Resolution | fixed | ||
Platform | Main CAcert Website | OS | N/A | OS Version | stable |
Summary | 0001517: Rewrite Rules for new class3 certificate | ||||
Description | The new class3 certificate that has been issued on Monday 2021-04-19 contains the following URLs that need to be mapped on the main CAcert.org website: CRL URI: https://www.cacert.org/class3.crl CA Issuers: http://www.CAcert.org/class3.crt The first URL should be mapped to https://crl.cacert.org/class3-revoke.crl and the certificate itself should be made available as http://www.cacert.org/class3.crt. Please add the following RewriteRule in the https VirtualHost: Rewrite "^/class3.crl$" "/class3-revoke.crl" [PT] Please put the certificate cacert_2021.crt as class3_2021.crt into the $DOCUMENT_ROOT/certs folder and add the following RewriteRule in the http VirtualHost Rewrite "^/class3.crt$" "/certs/class3_2021.crt" [PT] | ||||
Tags | No tags attached. | ||||
Reviewed by | egal, Ted | ||||
Test Instructions | |||||
|
Tested in my test environment, Review successful |
|
Hmm, this is a pure config change, so maybe Software Development is (IMHO) not the ideal department to review it... But as we don't have any alternatives I'd agree that a review by Software Development is better than none. I have not evaluated the necessities of this change, but Jan's proposals sound plausible. I did not find a "Rewrite" directive in the Apache documentation at http://httpd.apache.org/docs/current/mod/mod_rewrite.html, so I have nothing to review this proposal against. In this context, the review is a FAIL. Assuming that I did overlook something and "Rewrite" is indeed some alias or abbreviation for the directive "RewriteRule", the rules are sensible, including the [PT] ("Passthrough") flag. For clarity it might be better to explicitly add the L ("last") flag, which is implied by [PT], so I'd propose to make it "[L,PT]" instead. But I don't consider this as critical. Evaluation of the flags was based on Apache's documentation at https://httpd.apache.org/docs/2.4/rewrite/flags.html |
|
The following rules are already active on www.cacert.org to redirect CRL-requests:
Redirect permanent /revoke.crl http://crl.cacert.org/revoke.crl
Redirect permanent /class3-revoke.crl http://crl.cacert.org/class3-revoke.crl
So we could avoid adding new redirection for CRL and/or CSR and simply use the existing ones.
But ... we shouldn't forget to change https://www.cacert.org/index.php?id=3 to link to the new certificate |
|
@egal the existing ones do not cover the URLs mentioned in the new class3 certificate
CRL URI: https://www.cacert.org/class3.crl
CA Issuers: http://www.CAcert.org/class3.crt
We need to make the CRL and certificate available at these places to allow validation by clients that use these certificate fields for discovery.
@Ted you are right. It should be RewriteRule instead of Rewrite and [L,PT] is a good idea indeed |
|
So, for the "RewriteRule" directive this is a PASS from me. |
|
No objection from my side |
|
Added
RewriteRule "^/class3.crl$" "/class3-revoke.crl" [L,PT]
RewriteRule "^/class3.crt$" "/certs/class3_2021.crt" [PT]
to all VirtualHosts in cacert.conf (after making a backup of original file).
Installed resigned class3-certificate as class3_2021.crt
Restarted Apache and verified downloads (successfully) |
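Added example, not part of the tracker notes or of CAcert's configuration: an offline check that the two URLs embedded in the new class3 certificate resolve through the deployed rules to the intended files, and that lists request paths the unescaped dot in the patterns also rewrites. Assumptions: Python's `re` stands in for mod_rewrite's regex matching (equivalent for these simple patterns), and `STRICT_RULES`, the function names and the candidate paths are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Rules as deployed, quoted from the last note above: (pattern, substitution).
DEPLOYED_RULES = [
    (r"^/class3.crl$", "/class3-revoke.crl"),
    (r"^/class3.crt$", "/certs/class3_2021.crt"),
]
# Assumption: the same rules with the dot escaped, for comparison only.
STRICT_RULES = [
    (r"^/class3\.crl$", "/class3-revoke.crl"),
    (r"^/class3\.crt$", "/certs/class3_2021.crt"),
]
# URLs embedded in the new class3 certificate, as given in the description.
CERT_URLS = {
    "CRL URI": "https://www.cacert.org/class3.crl",
    "CA Issuers": "http://www.CAcert.org/class3.crt",
}

def rewrite(path, rules):
    """Return the path after the first matching rule ([PT] implies [L])."""
    for pattern, target in rules:
        if re.search(pattern, path):  # case-sensitive: no [NC] flag is set
            return target
    return path  # no rule matched: the request is served unchanged

def resolve(url, rules=DEPLOYED_RULES):
    """Map a URL to (scheme, lowercased host, rewritten path)."""
    parts = urlsplit(url)
    # Host names are case-insensitive, so www.CAcert.org selects the same
    # VirtualHost; the URL path stays case-sensitive.
    return parts.scheme, parts.hostname, rewrite(parts.path, rules)

def check_certificate_urls(rules=DEPLOYED_RULES):
    """Resolve every URL the certificate advertises."""
    return {name: resolve(url, rules) for name, url in CERT_URLS.items()}

def overmatched_paths(candidates, loose=DEPLOYED_RULES, strict=STRICT_RULES):
    """Paths the deployed rules rewrite but dot-escaped rules would not."""
    return [p for p in candidates if rewrite(p, loose) != rewrite(p, strict)]

if __name__ == "__main__":
    for name, result in check_certificate_urls().items():
        print(name, "->", result)
    # Constructed sample paths, not taken from any log.
    print(overmatched_paths(["/class3.crl", "/class3xcrl", "/class3-crt"]))
```

Escaping the dot (`"^/class3\.crl$"`) limits each rule to the exact file name the certificate references.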
Date Modified | Username | Field | Change |
---|---|---|---|
2021-04-21 20:25 | jandd | New Issue | |
2021-04-21 20:25 | jandd | Assigned To | => egal |
2021-04-25 11:18 | egal | Status | new => needs review & testing |
2021-04-25 11:18 | egal | Reviewed by | => egal |
2021-04-25 11:18 | egal | Note Added: 0005988 | |
2021-04-25 11:18 | egal | Note Edited: 0005988 | |
2021-05-09 10:03 | Ted | Note Added: 0005995 | |
2021-05-09 11:15 | Ted | Note Edited: 0005995 | |
2021-05-09 18:55 | Ted | Note Edited: 0005995 | |
2021-05-09 18:55 | Ted | Note Edited: 0005995 | |
2021-05-10 17:03 | egal | Note Added: 0005998 | |
2021-05-10 17:04 | egal | Note Edited: 0005998 | |
2021-05-11 07:04 | jandd | Note Added: 0006000 | |
2021-05-11 07:11 | Ted | Note Added: 0006001 | |
2021-05-11 07:11 | Ted | Reviewed by | egal => egal, Ted |
2021-05-11 08:33 | egal | Note Added: 0006002 | |
2021-05-11 08:33 | egal | Status | needs review & testing => ready to deploy |
2021-05-11 19:29 | egal | Status | ready to deploy => solved? |
2021-05-11 19:29 | egal | Resolution | open => fixed |
2021-05-11 19:29 | egal | Note Added: 0006003 | |
2021-05-11 19:30 | egal | Note Edited: 0006003 |