View Issue Details

ID: 0001517
Project: Main CAcert Website
Category: website content
View Status: public
Last Update: 2021-05-11 19:30
Reporter: jandd
Assigned To: egal
Priority: high
Severity: feature
Reproducibility: always
Status: solved?
Resolution: fixed
Platform: Main CAcert Website
OS: N/A
OS Version: stable
Summary: 0001517: Rewrite Rules for new class3 certificate
Description:

The new class3 certificate that has been issued on Monday 2021-04-19 contains the following URLs that need to be mapped on the main CAcert.org website:

CRL URI: https://www.cacert.org/class3.crl
CA Issuers: http://www.CAcert.org/class3.crt

The first URL should be mapped to https://crl.cacert.org/class3-revoke.crl and the certificate itself should be made available as http://www.cacert.org/class3.crt.

Please add the following RewriteRule in the https VirtualHost:

Rewrite "^/class3.crl$" "/class3-revoke.crl" [PT]

Please put the certificate cacert_2021.crt as class3_2021.crt into the $DOCUMENT_ROOT/certs folder and add the following RewriteRule in the http VirtualHost:

Rewrite "^/class3.crt$" "/certs/class3_2021.crt" [PT]
Tags: No tags attached.
Reviewed by: egal, Ted
Test Instructions

Activities

egal

2021-04-25 11:18

administrator   ~0005988

Last edited: 2021-04-25 11:18

Tested in my test environment, Review successful

Ted

2021-05-09 10:03

administrator   ~0005995

Last edited: 2021-05-09 18:55

Hmm, this is a pure config change, so maybe Software Development is (IMHO) not the ideal department to review it... But as we don't have any alternatives I'd agree that a review by Software Development is better than none.

I have not evaluated the necessities of this change, but Jan's proposals sound plausible.

I did not find a "Rewrite" directive in the Apache documentation at http://httpd.apache.org/docs/current/mod/mod_rewrite.html , so I have nothing to review this proposal against. In this context, the review is a FAIL.

Assuming that I did overlook something and "Rewrite" is indeed some alias or abbreviation for the directive "RewriteRule", the rules are sensible, including the [PT] ("Passthrough") flag. For clarity it might be better to explicitly add the L ("last") flag, which is implied by [PT], so I'd propose to make it "[L,PT]" instead. But I don't consider this as critical.

Evaluation of the flags was based on Apache's documentation at https://httpd.apache.org/docs/2.4/rewrite/flags.html

egal

2021-05-10 17:03

administrator   ~0005998

Last edited: 2021-05-10 17:04

The following rules are already active on www.cacert.org to redirect CRL-requests:

  Redirect permanent /revoke.crl http://crl.cacert.org/revoke.crl
  Redirect permanent /class3-revoke.crl http://crl.cacert.org/class3-revoke.crl

So we could avoid adding new redirection for CRL and/or CSR and simply use the existing ones.

But ... we shouldn't forget to change https://www.cacert.org/index.php?id=3 to link to the new certificate

jandd

2021-05-11 07:04

administrator   ~0006000

@egal the existing ones do not cover the URLs mentioned in the new class3 certificate

CRL URI: https://www.cacert.org/class3.crl
CA Issuers: http://www.CAcert.org/class3.crt

We need to make the CRL and certificate available at these places to allow validation by clients that use these certificate fields for discovery.

@Ted you are right. It should be RewriteRule instead of Rewrite and [L,PT] is a good idea indeed

Ted

2021-05-11 07:11

administrator   ~0006001

So, for the "RewriteRule" directive this is a PASS from me.

egal

2021-05-11 08:33

administrator   ~0006002

No objection from my side

egal

2021-05-11 19:29

administrator   ~0006003

Last edited: 2021-05-11 19:30

Added

  RewriteRule "^/class3.crl$" "/class3-revoke.crl" [L,PT]
  RewriteRule "^/class3.crt$" "/certs/class3_2021.crt" [PT]

to all VirtualHosts in cacert.conf (after making a backup of original file).

Installed re-signed class3-certificate as

  class3_2021.crt

Restarted Apache and verified downloads (successfully)
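
An added example, not part of the ticket thread or of CAcert's configuration: a small offline check that flags the non-existent "Rewrite" directive raised in the review and confirms that the two paths named in the certificate map to the intended files. The sample config is constructed from the lines quoted in this ticket; the function names are hypothetical and the matcher is a simplified model of mod_rewrite (literal targets, no conditions).

```python
import re

# The six directives mod_rewrite provides (Apache 2.4); "Rewrite" is not one.
MOD_REWRITE = {"RewriteBase", "RewriteCond", "RewriteEngine",
               "RewriteMap", "RewriteOptions", "RewriteRule"}

# Constructed sample: the first proposed line, then the two deployed rules.
SAMPLE_CONF = '''\
Rewrite "^/class3.crl$" "/class3-revoke.crl" [PT]
RewriteRule "^/class3.crl$" "/class3-revoke.crl" [L,PT]
RewriteRule "^/class3.crt$" "/certs/class3_2021.crt" [PT]
'''

LINE = re.compile(r'^\s*(\S+)\s+"([^"]*)"\s+"([^"]*)"(?:\s+\[([^\]]*)\])?\s*$')

def parse(conf):
    """Return (rules, problems); each rule is (pattern, target, flags)."""
    rules, problems = [], []
    for n, line in enumerate(conf.splitlines(), 1):
        m = LINE.match(line)
        if not m:
            continue
        name, pattern, target, flags = m.groups()
        if name == "RewriteRule":
            rules.append((pattern, target, set((flags or "").split(","))))
        elif name.startswith("Rewrite") and name not in MOD_REWRITE:
            problems.append(f"line {n}: unknown directive {name!r}")
    return rules, problems

def rewrite(path, rules):
    """Simplified model: literal targets only, no conditions or backreferences."""
    for pattern, target, flags in rules:
        if re.search(pattern, path):
            path = target
            if flags & {"L", "PT", "END"}:  # PT implies L: stop processing
                break
    return path

def loose_patterns(rules):
    """Patterns with an unescaped '.', which matches any character."""
    return [p for p, _, _ in rules if re.search(r"(?<!\\)\.", p)]

if __name__ == "__main__":
    rules, problems = parse(SAMPLE_CONF)
    print(problems)
    for path in ("/class3.crl", "/class3.crt"):  # paths named in the certificate
        print(path, "->", rewrite(path, rules))
    print("unescaped dot in:", loose_patterns(rules))
```

Writing the patterns as "^/class3\.crl$" and "^/class3\.crt$" would restrict each rule to exactly the path published in the certificate.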

Issue History

Date Modified Username Field Change
2021-04-21 20:25 jandd New Issue
2021-04-21 20:25 jandd Assigned To => egal
2021-04-25 11:18 egal Status new => needs review & testing
2021-04-25 11:18 egal Reviewed by => egal
2021-04-25 11:18 egal Note Added: 0005988
2021-04-25 11:18 egal Note Edited: 0005988
2021-05-09 10:03 Ted Note Added: 0005995
2021-05-09 11:15 Ted Note Edited: 0005995
2021-05-09 18:55 Ted Note Edited: 0005995
2021-05-09 18:55 Ted Note Edited: 0005995
2021-05-10 17:03 egal Note Added: 0005998
2021-05-10 17:04 egal Note Edited: 0005998
2021-05-11 07:04 jandd Note Added: 0006000
2021-05-11 07:11 Ted Note Added: 0006001
2021-05-11 07:11 Ted Reviewed by egal => egal, Ted
2021-05-11 08:33 egal Note Added: 0006002
2021-05-11 08:33 egal Status needs review & testing => ready to deploy
2021-05-11 19:29 egal Status ready to deploy => solved?
2021-05-11 19:29 egal Resolution open => fixed
2021-05-11 19:29 egal Note Added: 0006003
2021-05-11 19:30 egal Note Edited: 0006003