[Systems] Let's Encrypt

Bernie Innocenti bernie at codewiz.org
Sat Jan 2 07:37:07 EST 2016


By the way, the *.sugarlabs.org certificate issued by Gandi is weak
(SHA1withRSA) and will start issuing warnings on browsers very soon:

  https://www.ssllabs.com/ssltest/analyze.html?d=sugarlabs.org

So we should really work on a replacement as soon as possible.

There's a little problem with Let's Encrypt: Windows XP does not trust
it, and not even Chrome works when running on XP because it uses the
Windows certificate store. Normally I wouldn't give a flying damn about
supporting Microsoft's abandonware OS, but education institutions in
developing countries are likely to be still using ancient computers.

Indeed, AWstat shows that 20.3% of our web traffic came from XP in Jun 2015:

http://stats.sugarlabs.org/sugarlabs.org/awstats.pl?month=06&year=2015&output=main&config=stats.sugarlabs.org&framename=index

We no longer have up-to-date information now that www.sugarlabs.org runs
in a container. Sam, could you do something to copy the weblogs back to
sunjammer for analysis?

On 01/02/2016 12:56 PM, Bernie Innocenti wrote:
> On 01/02/2016 12:12 PM, Sam P. wrote:
>> On Sat, Jan 2, 2016, 10:07 PM Bernie Innocenti <bernie at codewiz.org> wrote:
>>
>>> On 01/02/2016 11:52 AM, Samuel Cantero wrote:
>>>> Cool! I haven't heard about it before! I'll do it.
>>>
>>> Sunjammer might be too old to run this stuff. Can we start with
>>> www.sugarlabs.org?
>>>
>>
>> WWW is on freedom now.
>>
>> It installs via a python virtual environment thing, so maybe that's OK for
>> sunjammer?
>>
>>
>>> Or maybe make a container to obtain specific certificates for all our
>>> subdomains? Not sure if we should have one wildcard certificate
>>> installed everywhere or several specific ones for each site...
>>>
>>
>> Let's encrypt doesn't support wildcards, and probably will now due to
>> challenges of automatically verifying ownership.
>>
>> That's annoying as the wildcard currently simplifies creating new SSL sites
>> to simply including the slo shared config.  Maybe we can make a script that
>> automates setting up nginx with a new subdomain?
> 
> Not sure which strategy will be most convenient... Up to you.
> 
> Certificates must be renewed monthly from a cronjob (they expire in just
> 90 days), so the script for a new site should record the hostname
> somewhere where the renew script can find it. Perhaps someone has
> already created some letsencrypt glue for websites hosted in docker
> containers?
> 


-- 
 _ // Bernie Innocenti
 \X/  http://codewiz.org
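The renewal bookkeeping discussed above (a hostnames file that the renew cron job reads, 90-day certificate lifetimes, and the SHA1withRSA warning), as an added example that is not part of the original thread: a small audit script that reads the tracked hostnames, pulls each live certificate with openssl, and reports which ones are weakly signed or due for renewal. The sites-file path and the 30-day renewal margin are assumptions.

```python
"""Audit the certificates of every hostname the renew cron job tracks.

Added example, not from the original thread. Assumes one hostname per
line in SITES_FILE and that `openssl` is on PATH for the live check;
the parsing and decision logic is pure so it can be tested on fixed input.
"""
import subprocess
from datetime import datetime, timedelta

SITES_FILE = "/etc/letsencrypt/sites.txt"   # assumed location, one host per line
RENEW_BEFORE = timedelta(days=30)            # renew when under 30 of the 90 days remain
WEAK_SIGS = ("sha1WithRSAEncryption", "md5WithRSAEncryption")


def parse_openssl(text):
    """Extract (signature algorithm, notAfter) from `openssl x509 -text -enddate` output."""
    sig, not_after = None, None
    for line in text.splitlines():
        line = line.strip()
        if sig is None and line.startswith("Signature Algorithm:"):
            sig = line.split(":", 1)[1].strip()       # first occurrence is the tbs one
        elif line.startswith("notAfter="):
            # openssl pads single-digit days with a space, e.g. "Jan  2 07:37:07 2016 GMT"
            not_after = datetime.strptime(line.split("=", 1)[1], "%b %d %H:%M:%S %Y GMT")
    return sig, not_after


def classify(sig, not_after, now):
    """Return 'WEAK-SIG', 'EXPIRED', 'RENEW' or 'OK' for one certificate."""
    if sig in WEAK_SIGS:
        return "WEAK-SIG"
    if not_after <= now:
        return "EXPIRED"
    if not_after - now <= RENEW_BEFORE:
        return "RENEW"
    return "OK"


def fetch_cert_text(host):
    """Fetch the leaf certificate over TLS (with SNI) and dump it as openssl text."""
    pem = subprocess.run(["openssl", "s_client", "-servername", host, "-connect", host + ":443"],
                         input="", capture_output=True, text=True, timeout=15).stdout
    return subprocess.run(["openssl", "x509", "-noout", "-text", "-enddate"],
                          input=pem, capture_output=True, text=True).stdout


def audit(hosts, now=None):
    """Map each hostname to its classification; `now` is injectable for testing."""
    now = now or datetime.utcnow()
    return {h: classify(*parse_openssl(fetch_cert_text(h)), now) for h in hosts}


if __name__ == "__main__":
    with open(SITES_FILE) as f:
        hosts = [l.strip() for l in f if l.strip() and not l.startswith("#")]
    for host, state in sorted(audit(hosts).items()):
        print(f"{state:9} {host}")
```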

