[Systems] Let's Encrypt

Bernie Innocenti bernie at codewiz.org
Sat Jan 2 06:56:40 EST 2016


On 01/02/2016 12:12 PM, Sam P. wrote:
> On Sat, Jan 2, 2016, 10:07 PM Bernie Innocenti <bernie at codewiz.org> wrote:
> 
>> On 01/02/2016 11:52 AM, Samuel Cantero wrote:
>>> Cool! I haven't heard about it before! I'll do it.
>>
>> Sunjammer might be too old to run this stuff. Can we start with
>> www.sugarlabs.org?
>>
> 
> WWW is on freedom now.
> 
> It installs via a python virtual environment thing, so maybe that's OK for
> sunjammer?
> 
> 
>> Or maybe make a container to obtain specific certificates for all our
>> subdomains? Not sure if we should have one wildcard certificate
>> installed everywhere or several specific ones for each site...
>>
> 
> Let's Encrypt doesn't support wildcards, and probably will now due to
> challenges of automatically verifying ownership.
> 
> That's annoying as the wildcard currently simplifies creating new ssl sites
> to simply including the slo shared config.  Maybe we can make a script that
> automates setting up nginx with a new subdomain?

Not sure which strategy will be most convenient... Up to you.

Certificates must be renewed monthly from a cronjob (they expire in just
90 days), so the script for a new site should record the hostname
somewhere where the renew script can find it. Perhaps someone has
already created some letsencrypt glue for websites hosted in docker
containers?

-- 
 _ // Bernie Innocenti
 \X/  http://codewiz.org
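
One way to build the hostname registry discussed in this message, as an added example that is not code from the thread or from Sugar Labs: the new-site script calls `register_host`, and the cron job calls `hosts_due` to learn which names to hand to whatever Let's Encrypt client is in use. The paths, the `CERT_DIR/<host>/cert.pem` layout, the function names and the 45-day window are assumptions; the window is deliberately longer than the monthly cron interval so that a certificate skipped on one run is still valid on the next.

```shell
#!/bin/sh
# Added example (not from the thread). All paths and names below are hypothetical.
REGISTRY="${REGISTRY:-/etc/ssl-sites/hostnames}"   # one hostname per line
CERT_DIR="${CERT_DIR:-/etc/ssl-sites/certs}"       # assumed layout: <host>/cert.pem
RENEW_WINDOW_DAYS="${RENEW_WINDOW_DAYS:-45}"       # must exceed the cron interval

# Called by the new-site script. Records a hostname once and rejects anything
# that is not a plain DNS name, because the value is later used in file paths
# and passed to other commands by the renewal job.
register_host() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*|.*|-*|*..*)
            echo "invalid hostname: $1" >&2
            return 1 ;;
    esac
    mkdir -p "$(dirname "$REGISTRY")"
    touch "$REGISTRY"
    grep -qxF "$1" "$REGISTRY" || echo "$1" >> "$REGISTRY"
}

# Succeeds when the host has no certificate yet, or when its certificate
# expires (or cannot be parsed) within RENEW_WINDOW_DAYS.
# `openssl x509 -checkend N` exits 0 only if the certificate is still valid
# N seconds from now.
needs_renewal() {
    cert="$CERT_DIR/$1/cert.pem"
    [ -f "$cert" ] || return 0
    ! openssl x509 -in "$cert" -noout \
        -checkend $((RENEW_WINDOW_DAYS * 86400)) >/dev/null 2>&1
}

# Called from cron. Prints every registered hostname that is due, one per
# line; the caller feeds these to its certificate client.
hosts_due() {
    [ -f "$REGISTRY" ] || return 0
    while IFS= read -r host; do
        [ -n "$host" ] || continue
        if needs_renewal "$host"; then echo "$host"; fi
    done < "$REGISTRY"
}
```
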

