GlobalSign Free SSL request


#1

GlobalSign gives free SSL certs to non-commercial free software projects (can a conference be free software?). I already bought a cheap 1 year cert, but I sent GlobalSign a message in case they’re handing out wildcard certs. The confirmation email is below, and I’ll keep you all updated.

Dear Samer Masterson,

Thank you for submitting your question to us. Case #01066343: “OpenSource SSL Request” has been created and GlobalSign Customer Service will respond to you shortly.

Thank you,
Customer Service Team GlobalSign

Your Case Request was:

EmacsConf is a non-commercial conference for the Emacs free software/open source text editor. We’re using emacsconf2015.org temporarily, and we’ll be switching to emacsconf.org as soon as we have control of the url (in talks with the owner now).


#2

I guess conferences don’t count as free software? That’s alright, we can get free certs elsewhere.

GlobalSign Support support@globalsign.com writes:

Hi,

Thank you for submitting an application to receive a free SSL Certificate for your Open Source Project. I’m sorry to inform you that at this time we cannot grant you a free SSL certificate because it does not meet all of our requirements.

Our Requirements are as follows:

Must be licensed with a license approved by the Open Source Initiative
Project must be actively maintained
Order must meet all vetting requirements
Follow industry best practices in configuring your SSL and get an “A” when tested with the SSL Checker
Agree to the standard Subscriber Agreement
Not be a site that is also used for commercial purposes

Thank you for your cooperation. If you make the appropriate changes to your project please feel free to apply again.


#3

Hmm, seems they didn’t even take time to explain exactly why. It’s fine though. I’ll get some startssl certs for existing subdomains on emacsconf2015 for now. Hopefully by summer, Let’s Encrypt is ready.

@samer Can you set up inboxes or aliases for either postmaster@emacsconf2015.org or webmaster@emacsconf2015.org (need to verify domain for certs)?


#4

Amin, startssl has obnoxious policies of its own and the free certs may be just for personal use and in any case they don’t have free wildcards. But if you can get some certs from them and don’t mind their requirements, that’s great.

Samer, did you specify a license in the GlobalSign form? I suspect they check that field somewhat mechanistically. I guess we could always release some software as part of the conference. But they sound obnoxious anyway. I wonder if Let’s Encrypt will have wildcards.

It also seems fine to me if we just funnel all the services through a single domain. We’re proxying it all through one nginx instance anyway, if I understand correctly.

I think I can set up mail forwarding through fastmail (I have the fancy account there) if you don’t already have an email server of some type. It unfortunately looks like mxroute.com has eliminated their super cheap plans.


#5

yeah startssl’s free ca got removed from my trust store after the Heartbleed thing. :confused:


#6

@phr Oh, I don’t really like startssl either, but it’s the only free (gratis) one; and yeah I do know wildcards are paid even with startssl.

Maybe we can go with startssl certs (for each subdomain) for now, and if we decide 100% on which domain to use, I’ll get some proper certs.

So, for single domain, you propose we do emacsconf2015.org/{wiki,git,etc} instead of subdomains?


#7

/wiki, /git etc seem ok to me. I basically agree that subdomains are better so it’s just a question of whether the issues regarding multiple certs are more annoying than using a single domain. If you do get startssl certs I don’t see why not keep using them. Did they actually get clobbered by heartbleed? It’s mostly the issuing policy that bugs me. If we don’t use startssl that probably means Comodo, which is bad in plenty of its own ways, but it’s the cheapest ($5/year) that I know of. I’m presuming the $2 certificate that Samer got is limited to just one cert.


#8

I don’t mind getting multiple certs for subdomains, but going with subdirectories is a bit easier. What do you all think?

Hmm, I don’t really know, @rrix enlighten us?


#9

Since we’re still on a temporary domain (emacsconf2015) anyway, let’s go with subdirectories for now. We can revisit if we get emacsconf. One issue is if we keep serving through one ip address, to do subdomains we’d have to use SNI, which fails with some very old browsers/OS’s. I don’t know how much we care about that. It may have been a bigger issue in the past than at present.


#10

Yup.

I pointed them to the AGPLv3 license we’re using for the RoR site.

That’s probably easiest. @aminb do you want to move gogs over to emacsconf2015.org/git? You need to take the section for “git.emacsconf2015.org” and move the proxy-pass into the server for “emacsconf2015.org” under “location /git”. There’s redirect code in “/etc/nginx/sites-available/emacsconf.org” which you can use to 301 redirect git.emacsconf2015.org to emacsconf2015.org/git. I can move the rest of the sites over.

I’ve been using mailgun for this. We can set up fastmail if mailgun is too limiting, but it does have the ability to forward mail.


#11

Thanks, Samer. The subdomain redirects are useful though unfortunately they can’t work through https. Oh well.


#12

@samer I tried to move gogs to /git, but for some reason, gogs throws a 404 on every page. It’s probably some stupid simple mistake on my part but I couldn’t figure it out.

Anyways, I’ve added code in nginx config for /git and for 301 redir, but I’ve commented it out. Please try, take a look and see if you know what’s going on.
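The layout discussed in #9, #10 and #12, written out as an added example (this is not the thread’s actual `/etc/nginx/sites-available/emacsconf.org`, and the backend ports, certificate paths and the wiki backend are assumptions): one nginx instance on one IP serves everything under emacsconf2015.org, Gogs is proxied under `/git/`, and the old `git.` subdomain gets a 301 to the new path.

```nginx
# Added example, not the thread's config. Ports, cert paths and the
# wiki backend are assumptions.

# Old subdomain: permanent redirect to the sub-path. Listens on plain HTTP
# only; serving this redirect over https would itself need a certificate
# valid for git.emacsconf2015.org.
server {
    listen 80;
    server_name git.emacsconf2015.org;
    return 301 https://emacsconf2015.org/git$request_uri;
}

# Main site: one hostname for all services, so a single (non-wildcard)
# certificate covers everything.
server {
    listen 443 ssl;
    server_name emacsconf2015.org;

    ssl_certificate     /etc/ssl/emacsconf2015.org.crt;   # assumed path
    ssl_certificate_key /etc/ssl/emacsconf2015.org.key;   # assumed path

    # Gogs is assumed to listen on 127.0.0.1:3000. With a trailing slash on
    # BOTH the location and the proxy_pass URI, nginx strips the /git/ prefix
    # before forwarding, so Gogs receives "/" rather than "/git/". Forwarding
    # the unstripped "/git/..." to a Gogs that was not configured for that
    # sub-path is a common way to get a 404 on every page.
    location /git/ {
        proxy_pass http://127.0.0.1:3000/;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Send the bare /git to /git/ so the prefix-stripping location above matches.
    location = /git {
        return 301 /git/;
    }

    # Other services follow the same pattern (assumed wiki backend).
    location /wiki/ {
        proxy_pass http://127.0.0.1:8080/;
        proxy_set_header Host $host;
    }
}
```

Two practical notes. Gogs builds the links in its own pages from `ROOT_URL` in the `[server]` section of its `app.ini`, so that value has to be set to the new public URL (`https://emacsconf2015.org/git/`) as well, or the proxied pages will link back to the wrong place. And had the subdomains been kept instead, each would need its own `server { listen 443 ssl; server_name ...; }` block on the same IP, with nginx choosing the block (and therefore the certificate) from the TLS SNI extension of the incoming connection, which is exactly the old-client concern raised in #9.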


#13

They got clobbered in that very few people paid $20 to revoke and reissue their certs, so there are many many certs from startssl that could have been heartbled. They refused to reissue and that makes me nervous to trust them both as a business decision and as a technical factor.


#14

Ah good point, I had forgotten about that but remember it now. I wonder how Let’s Encrypt will handle the issue.