<html><body bgcolor="#FFFFFF"><div>Folks,</div><div> Could you guys sanity check this for John and me? I can't imagine you would really need a separate cert per vlan. John, no offense intended, but I want to be really sure before I go back to Russ for yet something else. <br><br><div>-Jim</div><div><br class="webkit-block-placeholder"></div>Sent from my iPhone</div><div><br>Begin forwarded message:<br><br></div><blockquote type="cite"><div><b>From:</b> John Kemp &lt;<a href="mailto:kemp@network-services.uoregon.edu">kemp@network-services.uoregon.edu</a>&gt;<br><b>Date:</b> July 14, 2010 10:17:03 AM PDT<br><b>To:</b> Jim Martin &lt;<a href="mailto:jim@daedelus.com">jim@daedelus.com</a>&gt;<br><b>Subject:</b> <b>Re: Certificates for the IETF</b><br><b>Reply-To:</b> <a href="mailto:kemp@network-services.uoregon.edu">kemp@network-services.uoregon.edu</a><br><br></div></blockquote><div></div><blockquote type="cite"><div><span>On 07/13/2010 09:36 AM, Jim Martin wrote:</span><br><blockquote type="cite"><span>Ray,</span><br></blockquote><blockquote type="cite"><span> The cert for <a href="http://portal.meeting.ietf.org">portal.meeting.ietf.org</a> should go to John, since he's the guy actually building the boxes.</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span> Thanks!</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span> - Jim</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><span></span><br><span>Gah.</span><br><span></span><br><span>I just realized that we require one more certificate for the 2nd vlan.</span><br><span>Hopefully, that should do it. I believe we only have "ietf-portal" and</span><br><span>"ipef-a-portal". 
So maybe: <a href="https://portal-a.meeting.ietf.org/">https://portal-a.meeting.ietf.org/</a> as well???</span><br><span></span><br><span>Should I just generate the csr and ask for 1 more?</span><br><span></span><br><span>/jgk</span><br><span></span><br><span></span><br><span>--> here's the sequence. Upshot is that we need to hand the</span><br><span>user: <a href="https://NAME/">https://NAME/</a>, otherwise, they will get a match error at</span><br><span>the point the SSL starts to check. And we can't hand them a</span><br><span>NAME on a vlan outside of the redirect to local bridge ip so...</span><br><span></span><br><span>Iptables redirects user to br_int_ip.</span><br><span>br_int_ip is an IP Virtual Host in apache.</span><br><span>http -> https/NAME/index.pl?redir=...</span><br><span>Apache also does rewrite of any https URL to a NAME/index.pl</span><br><span> </span><br><span> index.pl/Apache processes "index.pl" looks at the client IP.</span><br><span> index.pl determines the vlan.</span><br><span> index.pl uses br_int_name as POST action</span><br><span> Configured br_int_name is then filled in as the POST action</span><br><span></span><br><span>-----------------------------</span><br></div></blockquote></body></html>