[Systems] Let's Encrypt

Bernie Innocenti bernie at codewiz.org
Mon Jan 4 03:08:01 EST 2016

Thank you Samuel, you're awesome!

Just a minor note: ssllabs complains about us enabling a weak cipher
suite (DH 1024 bits), which allows downgrade attacks:


This isn't a regression caused by letsencrypt: www.sugarlabs.org also
has DH 1024 and common primes. If it's not really easy to fix by
tweaking our Nginx config, we can live with this for a while.

For more information, see: https://weakdh.org/

On 01/03/2016 10:09 PM, Samuel Cantero wrote:
> Hello guys,
> I've installed a Let's Encrypt (LE) SSL certificate for www.sugarlabs.org
> and nagios.sugarlabs.org. Currently, this last one has a plain html for
> testing.
> I've documented in our wiki how to install a LE client, and how to get and
> renew a certificate [1]. Also, I've written a little script for automate
> the renewal process. This is based on [2] but it can read many config files
> and fixes a problem with the expiration time calculation (rounding).
> In summary, the main idea is to have one config file for each subdomain and
> hence one certificate per subdomain. Each config file is straightforward.
> The renewal script uses it to renew the certificate for each subdomain
> automatically. It is executed everyday (maybe it could run weekly).
> Alternatively, we can use one certificate with many subAltNames. In this
> case everytime we want to add a new site we will have to renew the
> certificate for all sites. In this case, we will only have one certificate
> to maintain and we can have a global include file for adding HTTPS support
> to all sites in the web server.
> Before moving every cert to LE, I would like to discuss how to continue.
> Best regards,
> Samuel C.

 _ // Bernie Innocenti
 \X/  http://codewiz.org

More information about the Systems mailing list