Author Archives: Jan Dittberner

Screenshot of the CAcert browser client certificate web application

Lowering the barriers of entry

In the coming few months we will start running some services with Let’s Encrypt server certificates. We decided to go this route to make it easier for people to join our community or contribute to our work.

A nice side effect of this move will be that we can provide these services https encrypted and redirect all unencrypted http URLs to their https counterparts.

We will continue to use our own server certificates for our CA systems and other services that are only relevant after joining our community.

We also will continue to provide our community with client and server certificates. All our services that support or require client certificates will still use those issued by our CA.

We recently implemented a web application to make it easier to get started with client certificates. The application provides a friendly and completely client side interface to generate key pairs and signing requests in your browser.

Screenshot of community.cacert.org

Recent infrastructure updates

In the past few weeks Dirk Astrath and me upgraded some of our infrastructure systems to Debian Buster and implemented some performance improvements.

The blog system you are just visiting is one of these systems. We also upgraded the wiki system and finished the setup of the new community Webmail system.

The old staff list and community email password reset pages have been replaced with a modern system that is now available at https://selfservice.cacert.org/.

The git code hosting system at https://git.cacert.org/ has been upgraded to Debian Buster too and has been switched from gitweb to cgit for the git web frontend for much better performance. The old gitweb URLs are automatically redirected to the new cgit URLs. This change has the positive side effect that you can now use git clone directly using the https-URLs of the git repositories.

In the background we added Puppet configuration management for the above mentioned systems and replaced the aged nrpe-based monitoring with Icinga 2 agents.

We setup a new community start page at https://community.cacert.org/ that leads you to resources that we think is relevant for our community members.

svn.cacert.org on new host with client certificate authentication now!

Today I finished the migration of svn.cacert.org to a LXC container on our new infrastructure machine. The container is running on Debian Squeeze and supports some nice new features:

Read only access is provided via http://svn.cacert.org/ as it was before.

Besides allowing client certificate authentication for our Subversion repository this is a big step forward as we now have a modern infrastructure machine with a recent operating system distribution.

If you already have a SVN account on svn.cacert.org and want to use the client certificate authentication feature please send a mail to svn-admin (at) cacert (dot) org.