From 533244385be0c0f388a35eb141d11acc0d110c6a Mon Sep 17 00:00:00 2001 From: Yunohost Admin Date: Wed, 4 Feb 2015 11:32:19 +0100 Subject: [PATCH] merge --- build_system_fr.md | 2 +- certificate.md | 125 +++++++++++++++++++++++++++++++++++++++++++-- certificate_fr.md | 9 +++- diagnostic.md | 2 +- docker.md | 11 ++-- docker_fr.md | 12 +++-- 6 files changed, 143 insertions(+), 18 deletions(-) diff --git a/build_system_fr.md b/build_system_fr.md index 63e17382..a8d8727b 100644 --- a/build_system_fr.md +++ b/build_system_fr.md @@ -1,7 +1,7 @@ #Création de paquet Debian ## Architecture -Le système se compose de rebuildd qui est un front-end pour `pbuilder`, des chroot pbuilder pour i386, amd64, armhf et de `reprepro` pour le système de repo debian. +Le système se compose de `rebuildd` qui est un front-end pour `pbuilder`, des chroot pbuilder pour i386, amd64, armhf et de `reprepro` pour le système de repo debian. --- diff --git a/certificate.md b/certificate.md index f584cc04..75851534 100644 --- a/certificate.md +++ b/certificate.md 
@@ -2,11 +2,126 @@ Certificates are used to certify that your server is the genuine one and not a falsified one. -YunoHost provides a self-signed certificate. +YunoHost provides a **self-signed** certificate, it means that your server guaranty the certificate validity. It's enough **for personal usage**, because you trust your own server. But this could be a problem if you want to open access to anonymous like web user for a website. +Concretely users will go throw a screen like this: -Client software (web browser, email client, XMPP client, etc) typically requires you to manually add an exception for that self-signed certificate. + -You can have a certificate signed by an authority, in which case you must upload the appropriate certificate KEY and CRT files to the following files: +This screen ask to the user : **"Do you trust this server that host this website?"** +It could afraid a lot of users (rightly). + +To avoid this confusion, it's possible to get a signed certificate by a "known" authority : **Gandi**, **RapidSSL**, **StartSSL**, **CaCert**. +In these cases, the point is to replace the self-signed certificate by the one that have been certified by an certificate authority, and the users won't have this warning screen anymore. + +### Add a signed certificate by an authority + +Get your certificate from your CA, you must get a private key, file key and a public certificate (file .crt) +> Be carefull, the key file is very critical, it's strictly personal and have to be secured. + +Copy this two files on the server, if not. + +```bash +scp CERTIFICAT.crt admin@DOMAIN.TLD:ssl.crt +scp CLE.key admin@DOMAIN.TLD:ssl.key +``` + +From Windows, scp can be used with putty, download [pscp](http://the.earth.li/~sgtatham/putty/latest/x86/pscp.exe) + +```bash +pscp -P 22 CERTIFICAT.crt admin@DOMAIN.TLD:ssl.crt +pscp -P 22 CLE.key admin@DOMAIN.TLD:ssl.key``` + +Now the files are in the server. Open a shell on the server use [ssh](https://yunohost.org/#/ssh_fr) or locally. 
+ +First, create a directory for archive the certificates. + +```bash +sudo mkdir /etc/yunohost/certs/DOMAIN.TLD/ae_certs +sudo mv ssl.key ssl.crt /etc/yunohost/certs/DOMAIN.TLD/ae_certs/``` + +Then go to the parent directory and go on. + +```bash +cd /etc/yunohost/certs/DOMAIN.TLD/``` + +Make a backup of the YunoHost original certificates , to be safe! + +```bash +sudo mkdir yunohost_self_signed +sudo mv *.pem *.cnf yunohost_self_signed/``` + +Depends on the CA, intermediate certificates and root have to be downloaded. + +> **StartSSL** +> ```bash +> sudo wget http://www.startssl.com/certs/ca.pem -O ae_certs/ca.pem +> sudo wget http://www.startssl.com/certs/sub.class1.server.ca.pem -O ae_certs/intermediate_ca.pem``` + +> **Gandi** +> ```bash +> sudo wget https://www.gandi.net/static/CAs/GandiStandardSSLCA.pem -O ae_certs/intermediate_ca.pem``` + +> **RapidSSL** +> ```bash +> sudo wget https://knowledge.rapidssl.com/library/VERISIGN/INTERNATIONAL_AFFILIATES/RapidSSL/AR1548/RapidSSLCABundle.txt -O ae_certs/intermediate_ca.pem``` + +> **Cacert** +> ```bash +> sudo wget http://www.cacert.org/certs/root.crt -O ae_certs/ca.pem +> sudo wget http://www.cacert.org/certs/class3.crt -O ae_certs/intermediate_ca.pem``` + +Intermediate certificates and root must be merged with certificates obtained to create a unified chain certificates. + +If you use a root certificate (StartSSL) : + +```bash +cat ae_certs/ssl.crt ae_certs/intermediate_ca.pem ae_certs/ca.pem | sudo tee crt.pem``` + +If you use only an intermediate certificate. + +```bash +cat ae_certs/ssl.crt ae_certs/intermediate_ca.pem | sudo tee crt.pem``` + +The private key have to be converted in PEM format. + +```bash +sudo openssl rsa -in ae_certs/ssl.key -out key.pem -outform PEM``` + +Check certificates syntaxe, check file contents. 
+ +```bash +cat crt.pem key.pem``` + +Certificates and private key look like this : + +`-----BEGIN CERTIFICATE-----` +`MIICVDCCAb0CAQEwDQYJKoZIhvcNAQEEBQAwdDELMAkGA1UEBhMCRlIxFTATBgNV` +`BAgTDENvcnNlIGR1IFN1ZDEQMA4GA1UEBxMHQWphY2NpbzEMMAoGA1UEChMDTExC` +`MREwDwYDVQQLEwhCVFMgSU5GTzEbMBkGA1UEAxMSc2VydmV1ci5idHNpbmZvLmZy` +`MB4XDTA0MDIwODE2MjQyNloXDTA0MDMwOTE2MjQyNlowcTELMAkGA1UEBhMCRlIx` +`FTATBgNVBAgTDENvcnNlIGR1IFN1ZDEQMA4GA1UEBxMHQWphY2NpbzEMMAoGA1UE` +`ChMDTExCMREwDwYDVQQLEwhCVFMgSU5GTzEYMBYGA1UEAxMPcHJvZi5idHNpbmZv` +`LmZyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDSUagxPSv3LtgDV5sygt12` +`kSbN/NWP0QUiPlksOkF2NkPfwW/mf55dD1hSndlOM/5kLbSBo5ieE3TgikF0Iktj` +`BWm5xSqewM5QDYzXFt031DrPX63Fvo+tCKTQoVItdEuJPMahVsXnDyYHeUURRWLW` +`wc0BzEgFZGGw7wiMF6wt5QIDAQABMA0GCSqGSIb3DQEBBAUAA4GBALD640iwKPMf` +`pqdYtfvmLnA7CiEuao60i/pzVJE2LIXXXbwYjNAM+7Lov+dFT+b5FcOUGqLymSG3` +`kSK6OOauBHItgiGI7C87u4EJaHDvGIUxHxQQGsUM0SCIIVGK7Lwm+8e9I2X0G2GP` +`9t/rrbdGzXXOCl3up99naL5XAzCIp6r5` +`-----END CERTIFICATE-----` + +At last, secure files of your certificate + +```bash +sudo chown root:metronome crt.pem key.pem +sudo chmod 640 crt.pem key.pem +sudo chown root:root -R ae_certs +sudo chmod 600 -R ae_certs``` + +Reload Nginx configuration to take into account the new certificate. + +```bash +sudo service nginx reload``` + +Your certificate is ready to serve. You can check that every thing is correct byan external service like geocerts -* /etc/yunohost/certs/YourCertifiedDomain/crt.pem -* /etc/yunohost/certs/YourCertifiedDomain/key.pem diff --git a/certificate_fr.md b/certificate_fr.md index b274975a..3d6e8e6b 100644 --- a/certificate_fr.md +++ b/certificate_fr.md 
@@ -10,7 +10,7 @@ En effet, les utilisateurs devront passer par un écran de ce type : Cet écran revient à demander **« Avez-vous confiance au serveur qui héberge ce site ? »**. Cela peut effrayer vos utilisateurs (à juste titre). -Pour éviter cette confusion, il est possible d'obtenir un certificat signé par une autorité « connue » : **Gandi**, **RapidSSL**, **StartSSL**. +Pour éviter cette confusion, il est possible d'obtenir un certificat signé par une autorité « connue » : **Gandi**, **RapidSSL**, **StartSSL**, **Cacert**. Dans ce cas, il s’agira de remplacer le certificat auto-signé par celui qui a été reconnu par une autorité de certification, et vos utilisateurs n’auront plus à passer par cet écran d’avertissement. ### Ajout d’un certificat signé par une autorité @@ -65,9 +65,14 @@ En fonction de l'autorité d'enregistrement, des certificats intermédiaire et r > ```bash > sudo wget https://knowledge.rapidssl.com/library/VERISIGN/INTERNATIONAL_AFFILIATES/RapidSSL/AR1548/RapidSSLCABundle.txt -O ae_certs/intermediate_ca.pem``` +> **Cacert** +> ```bash +> sudo wget http://www.cacert.org/certs/root.crt -O ae_certs/ca.pem +> sudo wget http://www.cacert.org/certs/class3.crt -O ae_certs/intermediate_ca.pem``` + Les certificats intermédiaire et root doivent être réuni avec le certificat obtenu pour créer une chaîne de certificats unifiés. -En cas d'utilisation d'un certificat racine (StartSSL) : +En cas d'utilisation d'un certificat racine (StartSSL, Cacert) : ```bash cat ae_certs/ssl.crt ae_certs/intermediate_ca.pem ae_certs/ca.pem | sudo tee crt.pem``` diff --git a/diagnostic.md b/diagnostic.md index 51b2621a..ce3be89d 100644 --- a/diagnostic.md +++ b/diagnostic.md 
@@ -30,7 +30,7 @@ If you do not see your IP address, or if there is red crosses everywhere, then y --- -### 3. Do network ports are opened on your router ? +### 3. Are network ports opened on your router ? If your DNS is well configured, and your server looks is accessible locally, you may have **network ports blocked** or not forwarded by your router. In order to verify that, try accessing your server with a client outside your local network. For example via another WiFi access point or with your mobile phone in 3G/4G. diff --git a/docker.md b/docker.md index d3a46f35..4c0b2006 100644 --- a/docker.md +++ b/docker.md @@ -54,8 +54,8 @@ You will then be able to [postinstall](/postinstall) all this by entering the co **Notice:** You may want to forward some of your container's ports, find more information or these pages: -* http://docs.docker.io/reference/commandline/cli/#run -* http://docs.docker.io/use/port_redirection/#port-redirection +* http://docs.docker.com/reference/commandline/cli/#run +* http://docs.docker.com/userguide/dockerlinks/ --- @@ -85,12 +85,15 @@ iptables -t nat -A POSTROUTING -s '/32' -o eth0 -j SNAT --to-sourc ```bash # You will need: # * your container's ID -docker ps -notrunc | grep yunohost +docker ps --no-trunc | grep yunohost # * your container's PID -cat /var/lib/docker/execdriver/native//pid +docker ps -q | xargs docker inspect --format '{{.State.Pid}}' # * `util-linux` package apt-get install util-linux || pacman -S util-linux # Run the nsenter command with the right parameters nsenter --target --mount --uts --ipc --net --pid /bin/bash + +# Otherwise, with docker +docker run -t -i yunohost:init /bin/bash ``` diff --git a/docker_fr.md b/docker_fr.md index c422a60c..9a70fcce 100644 --- a/docker_fr.md +++ b/docker_fr.md 
@@ -53,8 +53,8 @@ Cette commande lancera un conteneur sur la base de l'image `yunohost`, tag `init **Remarque :** vous pourrez avoir besoin de forwarder certains ports de votre conteneur docker, pour cela consultez les pages de documentation suivantes : -* http://docs.docker.io/reference/commandline/cli/#run -* http://docs.docker.io/use/port_redirection/#port-redirection +* http://docs.docker.com/reference/commandline/cli/#run +* http://docs.docker.com/userguide/dockerlinks/ --- @@ -84,12 +84,14 @@ iptables -t nat -A POSTROUTING -s '/32' -o eth0 -j SNAT --t ```bash # Vous avez besoin : # * de votre ID de conteneur -docker ps -notrunc | grep yunohost +docker ps --no-trunc | grep yunohost # * du PID de votre conteneur -cat /var/lib/docker/execdriver/native//pid +docker ps -q | xargs docker inspect --format '{{.State.Pid}}' # du paquet `util-linux` apt-get install util-linux || pacman -S util-linux - # Lancez la commande nsenter avec les paramètre kivonbien© nsenter --target --mount --uts --ipc --net --pid /bin/bash + +# Sinon, avec docker +docker run -t -i yunohost:init /bin/bash ```
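Review bot: in the certificate.md hunk, the StartSSL and CACert root and intermediate certificates are fetched with `wget` over plain `http://` and nothing checks what arrived before it is concatenated into `crt.pem`, which is the chain nginx will serve; fetch them over https where the CA offers it and tell the reader to compare the fingerprint (`openssl x509 -in ae_certs/ca.pem -noout -fingerprint`) with the value the CA publishes. Two smaller points in the same hunk: `cat crt.pem key.pem` prints the private key to the terminal just to "check syntax", while `openssl x509 -in crt.pem -noout -text` and `openssl rsa -in key.pem -noout -check` validate both files without displaying the key; and every fenced block closes with ``` glued to the last command (e.g. `sudo mv ssl.key ssl.crt /etc/yunohost/certs/DOMAIN.TLD/ae_certs/````), which Markdown renders as part of the command, so put each closing fence on its own line and wrap the sample certificate in a fence instead of per-line backticks. The first step also conflates two things: the private key is generated locally and only the CSR goes to the CA, so "Get your certificate from your CA, you must get a private key" should say that. The English needs a pass ("guaranty", "go throw", "could afraid", "Be carefull", "syntaxe", "byan"), the ssh link points at the French page `ssh_fr`, and the deleted summary of the target paths (`/etc/yunohost/certs/YourCertifiedDomain/crt.pem` and `key.pem`) is worth keeping for readers who already have a chain.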
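Review bot: in the first certificate_fr.md hunk the new authority is written "Cacert", the English page in this same patch writes "CaCert", and the organisation spells itself "CAcert"; use one spelling in both files.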
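Review bot: the two CACert `wget` lines added to certificate_fr.md download the root and intermediate over plain `http://` with no fingerprint check, and the closing fence is again appended to the last command (`> sudo wget http://www.cacert.org/certs/class3.crt -O ae_certs/intermediate_ca.pem````); apply the same fix as for certificate.md: https where available, a fingerprint comparison against the CA's published value, and the fence on its own line.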
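Review bot: the diagnostic.md heading still reads awkwardly after the change; "Are the network ports open on your router?" (adjective "open", no space before the question mark in English) is the natural phrasing.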
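Review bot: in the second docker.md hunk, `docker ps -q | xargs docker inspect --format '{{.State.Pid}}'` prints the PID of every running container with nothing saying which one is yunohost, whereas the line above grepped for it; use the ID found there: `docker inspect --format '{{.State.Pid}}' <container-id>`. The new "Otherwise, with docker" alternative `docker run -t -i yunohost:init /bin/bash` is not equivalent to the nsenter command: it starts a fresh container from the image instead of entering the running one, so either say so or use `docker exec -it <container-id> /bin/bash`, which exists since Docker 1.3. Also check that `nsenter --target --mount ...` keeps its PID placeholder after `--target`; as shown in the context line it has none.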
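Review bot: the second docker_fr.md hunk has the same two problems as docker.md: the `xargs docker inspect` line lists PIDs of all containers rather than the yunohost one, and `docker run -t -i yunohost:init /bin/bash` creates a new container rather than entering the running one (`docker exec -it <container-id> /bin/bash` is the equivalent). In addition, deleting the "kivonbien©" comment leaves the `nsenter` line with no explanation at all; replace it with a plain comment such as "# Lancez la commande nsenter avec les bons paramètres" rather than removing it.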