[Systems] Let's Encrypt

Samuel Cantero scanterog at gmail.com
Sun Jan 3 16:09:24 EST 2016


Hello guys,

I've installed a Let's Encrypt (LE) SSL certificate for www.sugarlabs.org
and nagios.sugarlabs.org. Currently, this last one has a plain html for
testing.

I've documented in our wiki how to install a LE client, and how to get and
renew a certificate [1]. Also, I've written a little script to automate
the renewal process. This is based on [2] but it can read many config files
and fixes a problem with the expiration time calculation (rounding).

In summary, the main idea is to have one config file for each subdomain and
hence one certificate per subdomain. Each config file is straightforward.
The renewal script uses it to renew the certificate for each subdomain
automatically. It is executed every day (maybe it could run weekly).

Alternatively, we can use one certificate with many subAltNames. In this
case every time we want to add a new site we will have to renew the
certificate for all sites. In this case, we will only have one certificate
to maintain and we can have a global include file for adding HTTPS support
to all sites in the web server.

Before moving every cert to LE, I would like to discuss how to continue.

Best regards,

Samuel C.

[1] https://wiki.sugarlabs.org/go/Sysadmin/Letsencrypt
[2] https://vincent.composieux.fr/article/install-configure-and-automatically-renew-let-s-encrypt-ssl-certificate

On Sat, Jan 2, 2016 at 9:37 AM, Bernie Innocenti <bernie at codewiz.org> wrote:

> By the way, the *.sugarlabs.org certificate issued by Gandi is weak
> (SHA1withRSA) and will start issuing warnings on browsers very soon:
>
>   https://www.ssllabs.com/ssltest/analyze.html?d=sugarlabs.org
>
> So we should really work on a replacement as soon as possible.
>
> There's a little problem with Let's Encrypt: Windows XP does not trust
> it, and not even Chrome works when running on XP because it uses the
> Windows certificate store. Normally I wouldn't give a flying damn about
> supporting Microsoft's abandonware OS, but education institutions in
> developing countries are likely to be still using ancient computers.
>
> Indeed, AWstat shows that 20.3% of our web traffic came from XP in Jun
> 2015:
>
>
> http://stats.sugarlabs.org/sugarlabs.org/awstats.pl?month=06&year=2015&output=main&config=stats.sugarlabs.org&framename=index
>
> We no longer have up-to-date information now that www.sugarlabs.org runs
> in a container. Sam, could you do something to copy the weblogs back to
> sunjammer for analysis?
>
> On 01/02/2016 12:56 PM, Bernie Innocenti wrote:
> > On 01/02/2016 12:12 PM, Sam P. wrote:
> >> On Sat, Jan 2, 2016, 10:07 PM Bernie Innocenti <bernie at codewiz.org> wrote:
> >>
> >>> On 01/02/2016 11:52 AM, Samuel Cantero wrote:
> >>>> Cool! I haven't heard about it before! I'll do it.
> >>>
> >>> Sunjammer might be too old to run this stuff. Can we start with
> >>> www.sugarlabs.org?
> >>>
> >>
> >> WWW is on freedom now.
> >>
> >> It installs via a python virtual environment thing, so maybe that's OK for
> >> sunjammer?
> >>
> >>
> >>> Or maybe make a container to obtain specific certificates for all our
> >>> subdomains? Not sure if we should have one wildcard certificate
> >>> installed everywhere or several specific ones for each site...
> >>>
> >>
> >> Let's encrypt doesn't support wildcards, and probably will now due to
> >> challenges of automatically verifying ownership.
> >>
> >> That's annoying as the wildcard currently simplifies creating new ssl sites
> >> to simply including the slo shared config.  Maybe we can make a script that
> >> automates setting up nginx with a new subdomain?
> >
> > Not sure which strategy will be most convenient... Up to you.
> >
> > Certificates must be renewed monthly from a cronjob (they expire in just
> > 90 days), so the script for a new site should record the hostname
> > somewhere where the renew script can find it. Perhaps someone has
> > already created some letsencrypt glue for websites hosted in docker
> > containers?
> >
>
>
> --
>  _ // Bernie Innocenti
>  \X/  http://codewiz.org
>
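A renewal-decision routine in the spirit of what Samuel describes above (one key=value config file per subdomain, expiry measured in whole days without rounding up), as an added example that is neither the wiki script nor the one from [2]; the config keys `domain` and `webroot`, the 30-day threshold and the sample data are assumptions, and the expiry string is assumed to come from `openssl x509 -noout -enddate`.

```python
"""Pick the Let's Encrypt subdomains that are due for renewal (hypothetical example)."""
from datetime import datetime

# Assumption: certs live 90 days and a daily cronjob renews when 30 or fewer remain.
RENEW_WHEN_DAYS_LEFT = 30

# Constructed sample data: one config file per subdomain, as text.
SAMPLE_CONFIGS = {
    "www.sugarlabs.org": "domain=www.sugarlabs.org\nwebroot=/var/www/html  # docroot\n",
    "nagios.sugarlabs.org": "domain=nagios.sugarlabs.org\nwebroot=/var/www/nagios\n",
}
# Constructed sample output of `openssl x509 -noout -enddate` for each current cert.
SAMPLE_ENDDATES = {
    "www.sugarlabs.org": "notAfter=Apr  2 20:09:24 2016 GMT",
    "nagios.sugarlabs.org": "notAfter=Feb  2 17:00:00 2016 GMT",
}


def parse_config(text):
    """Parse a minimal key=value config; '#' starts a comment."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


def parse_enddate(enddate_line):
    """Parse 'notAfter=Apr  2 20:09:24 2016 GMT' into a naive UTC datetime."""
    _, _, value = enddate_line.strip().partition("=")
    return datetime.strptime(value, "%b %d %H:%M:%S %Y %Z")


def days_left(not_after, now):
    """Whole days remaining, rounded DOWN: 29 days 23 h is 29, not 30.

    Rounding to the nearest day would report 30 and postpone the renewal by a day,
    which is the kind of off-by-one the original script's calculation had."""
    return (not_after - now).days  # timedelta.days is already floor division


def plan_renewals(configs, enddates, now):
    """Return (domain, webroot, days_left) for every subdomain that is due."""
    due = []
    for text in configs.values():
        conf = parse_config(text)
        left = days_left(parse_enddate(enddates[conf["domain"]]), now)
        if left <= RENEW_WHEN_DAYS_LEFT:
            due.append((conf["domain"], conf["webroot"], left))
    return due


if __name__ == "__main__":
    for domain, webroot, left in plan_renewals(SAMPLE_CONFIGS, SAMPLE_ENDDATES, datetime.utcnow()):
        print(f"renew {domain} (webroot {webroot}, {left} days left)")
```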