[Systems] Letsencrypt

Bernie Innocenti bernie at codewiz.org
Mon Feb 29 20:53:14 EST 2016


Great, thanks for taking care of this and for the update.

Dumb question: which letsencrypt client are we using? There are a number
of options:

  https://community.letsencrypt.org/t/list-of-client-implementations/2103

A couple of weeks ago, I wanted to set up letsencrypt for codewiz.org,
but the official one seemed quite overengineered, so I tried
letsencrypt-nosudo instead. The problem with the nosudo script is that
it's designed for interactive renewal when the user key is kept offline
(a prudent measure, but I'm too lazy for that :-).

The next ones I'd like to try are:

  https://github.com/kuba/simp_le
  https://github.com/lukas2511/letsencrypt.sh


Anyway, I'm shocked by how many weird ways exist to do something as
simple as generating an SSL certificate and getting it signed by a CA
with a challenge. What are your impressions?


On 02/29/2016 11:04 AM, Samuel Cantero wrote:
> Hi,
> 
> I was testing our access to the .well-known/acme-challenge directory for
> www.slo and nagios.slo. LE must have access to this directory in order
> to validate the domain with a set of challenges (in this case
> provisioning an HTTP resource under this URI). This access wasn't
> working. I fixed it for http and https. Now, we are also forcing https
> for all pages except domain/.well/known-challenge. It was forcing https
> for all pages.
> 
> In addition, some time ago we defined in nginx the same directory for the
> acme-challenge for both domains but we forgot to set the same webroot in
> the LE config file for each domain. I also fixed this.
> 
> I tested all this config with the nagios domain and the certificate was
> renewed successfully. I also changed in the renewal script the renewal
> time. We had set the SSL certificate to renew 15 days before the
> expiration day. I changed this to 30 in order to validate the process
> with the www.slo domain in 3 days. www.slo certificate was issued on
> January 3 and is going to expire on April 2.
> 
> Best regards,
> 
> Samuel C.
> 
> On Fri, Feb 26, 2016 at 10:56 PM, Bernie Innocenti <bernie at codewiz.org> wrote:
> 
>     Sam, could you make the renew-certs-le not produce any output when
>     everything goes well and only nag if we need to fix something?
> 
>     -------- Forwarded Message --------
>     Subject: Cron <root at freedom> test -x /usr/sbin/anacron || ( cd / &&
>     run-parts --report /etc/cron.daily )
>     Date: Fri, 26 Feb 2016 08:00:07 -0500 (EST)
>     From: Cron Daemon <root at freedom.sugarlabs.org>
>     To: root at freedom.sugarlabs.org
> 
>     /etc/cron.daily/renew-certs-le:
>     The certificate for nagios.sugarlabs.org is up to date, no need for
>     renewal (36 days left for renewal).
>     The certificate for sugarlabs.org is up to date, no need for
>     renewal (36 days left for renewal).
>     /etc/cron.daily/wizbackup:
>     1456488867:lightwave.sugarlabs.org:0:255
>     run-parts: /etc/cron.daily/wizbackup exited with return code 1
> 
> 


-- 
 _ // Bernie Innocenti
 \X/  http://codewiz.org
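Bernie's request above (a renewal check that stays silent when everything is fine and only nags when something needs fixing) together with Samuel's 30-day threshold, as an added example that is not the list's own renew-certs-le script; it assumes openssl is on PATH, and the certificate path in the last line is a placeholder:

```python
"""Quiet cert-expiry check for cron (constructed example, not the list's renew-certs-le script).
Silent with exit 0 while every cert has more than THRESHOLD_DAYS left; otherwise one line each, exit 1."""
import subprocess
import sys
from datetime import datetime, timezone

THRESHOLD_DAYS = 30  # renew this many days before expiry, the value set in the thread

def parse_not_after(openssl_line):
    """'notAfter=Apr  2 23:59:59 2016 GMT' (openssl x509 -enddate output) -> UTC datetime."""
    value = openssl_line.strip().split("=", 1)[1]
    if value.endswith(" GMT"):
        value = value[:-4]
    return datetime.strptime(value, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)

def days_left(not_after, now):
    """Whole days from `now` until expiry; negative once the certificate has expired."""
    return (not_after - now).days

def renewal_report(domain, not_after, now, threshold=THRESHOLD_DAYS):
    """Return a message only when renewal is due; None means 'all good, stay silent'."""
    remaining = days_left(not_after, now)
    if remaining > threshold:
        return None
    if remaining < 0:
        return f"{domain}: certificate expired {-remaining} day(s) ago, renew now"
    return f"{domain}: {remaining} days left (threshold {threshold}), renew now"

def cert_not_after(pem_path):
    """Read the expiry from a PEM file via openssl (assumed to be on PATH)."""
    out = subprocess.run(["openssl", "x509", "-noout", "-enddate", "-in", pem_path],
                         check=True, capture_output=True, text=True).stdout
    return parse_not_after(out)

def main(certs):
    """certs: iterable of (domain, pem_path). Returns the exit status for cron."""
    now = datetime.now(timezone.utc)
    problems = []
    for domain, path in certs:
        try:
            msg = renewal_report(domain, cert_not_after(path), now)
        except (OSError, subprocess.CalledProcessError, ValueError) as exc:
            msg = f"{domain}: could not read {path}: {exc}"  # an unreadable cert is worth a nag too
        if msg:
            problems.append(msg)
    if problems:
        print("\n".join(problems), file=sys.stderr)
    return 1 if problems else 0

if __name__ == "__main__":
    sys.exit(main([("www.sugarlabs.org", "/path/to/www.slo/cert.pem")]))  # placeholder path
```

With the www.slo certificate expiring on April 2, the check is silent on February 29 (33 days left) and starts nagging on March 3, which is the 3-day validation window Samuel describes.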