[Systems] Let's Encrypt
Bernie Innocenti
bernie at codewiz.org
Mon Jan 4 03:08:01 EST 2016
Thank you Samuel, you're awesome!
Just a minor note: ssllabs complains about us enabling a weak cipher
suite (DH 1024 bits), which allows downgrade attacks:
https://www.ssllabs.com/ssltest/analyze.html?d=nagios.sugarlabs.org
This isn't a regression caused by letsencrypt: www.sugarlabs.org also
has DH 1024 and common primes. If it's not really easy to fix by
tweaking our Nginx config, we can live with this for a while.
For more information, see: https://weakdh.org/
On 01/03/2016 10:09 PM, Samuel Cantero wrote:
> Hello guys,
>
> I've installed a Let's Encrypt (LE) SSL certificate for www.sugarlabs.org
> and nagios.sugarlabs.org. Currently, the latter has a plain HTML page for
> testing.
>
> I've documented in our wiki how to install a LE client, and how to get and
> renew a certificate [1]. Also, I've written a little script to automate
> the renewal process. It is based on [2], but it can read many config files
> and fixes a problem with the expiration time calculation (rounding).
>
> In summary, the main idea is to have one config file for each subdomain and
> hence one certificate per subdomain. Each config file is straightforward.
> The renewal script uses it to renew the certificate for each subdomain
> automatically. It is executed every day (maybe it could run weekly).
>
> Alternatively, we can use one certificate with many subjectAltNames. In this
> case, every time we want to add a new site we will have to renew the
> certificate for all sites. In this case, we will only have one certificate
> to maintain and we can have a global include file for adding HTTPS support
> to all sites in the web server.
>
> Before moving every cert to LE, I would like to discuss how to continue.
>
> Best regards,
>
> Samuel C.
--
_ // Bernie Innocenti
\X/ http://codewiz.org
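The per-subdomain renewal scheme Samuel describes (one config file per subdomain, a daily run that checks each certificate's expiry and renews the ones that are close) can be sketched as follows. This is an added illustration, not the script from the Sugar Labs wiki: the config format (KEY=VALUE with `domain` and `webroot`), the 30-day threshold, the `letsencrypt-auto certonly --webroot` invocation and the sample config contents and expiry dates are all assumptions made for the example. It also shows the rounding trap the thread alludes to: remaining days are floored, so a certificate with 29.6 days left is treated as due, rather than rounded up to 30 and skipped.

```python
"""Per-subdomain Let's Encrypt renewal planner (illustrative, not the wiki script)."""
from datetime import datetime, timedelta

# LE certificates are valid for 90 days; renew once fewer than this many
# whole days remain. The threshold is an assumption for this example.
RENEW_WHEN_DAYS_LEFT = 30

# Constructed per-subdomain config files, one per certificate. The KEY=VALUE
# layout and key names are assumptions, not the wiki's actual format.
CONFIGS = {
    "www.sugarlabs.org.conf":
        "domain=www.sugarlabs.org\nwebroot=/var/www/sugarlabs\n",
    "nagios.sugarlabs.org.conf":
        "# nagios web root is served from a separate tree\n"
        "domain=nagios.sugarlabs.org\nwebroot=/var/www/nagios\n",
}

# Constructed output of `openssl x509 -noout -enddate -in cert.pem` for each
# subdomain. In the real script this would be read from the cert on disk.
END_DATES = {
    "www.sugarlabs.org": "notAfter=Feb  3 00:00:00 2016 GMT",
    "nagios.sugarlabs.org": "notAfter=Apr  2 12:00:00 2016 GMT",
}


def parse_config(text):
    """Parse a KEY=VALUE config file; blank lines and '#' comments are ignored."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    if "domain" not in cfg or "webroot" not in cfg:
        raise ValueError("config needs both domain= and webroot=")
    return cfg


def parse_not_after(line):
    """Turn openssl's 'notAfter=Mon DD HH:MM:SS YYYY GMT' into a naive UTC datetime.
    strptime treats the format's spaces as 'one or more', so the two-space
    padding openssl uses for single-digit days is handled."""
    _, _, stamp = line.strip().partition("=")
    return datetime.strptime(stamp, "%b %d %H:%M:%S %Y GMT")


def days_remaining(not_after, now):
    """Whole days left, rounded DOWN (negative once expired).
    round((not_after - now) / 1 day) is the trap: 29.6 days would report as
    30 and the certificate would be skipped on the day it crosses the threshold."""
    return (not_after - now) // timedelta(days=1)


def needs_renewal(not_after, now, threshold_days=RENEW_WHEN_DAYS_LEFT):
    return days_remaining(not_after, now) < threshold_days


def renew_command(cfg):
    """Command the daily job would run for one subdomain. The client name and
    flags are an assumption for this example; the wiki's exact invocation is
    not on this page."""
    return ["letsencrypt-auto", "certonly", "--webroot",
            "-w", cfg["webroot"], "-d", cfg["domain"]]


def plan_renewals(configs, end_dates, now, threshold_days=RENEW_WHEN_DAYS_LEFT):
    """Return {domain: command} for every subdomain whose certificate is due."""
    plan = {}
    for name in sorted(configs):
        cfg = parse_config(configs[name])
        not_after = parse_not_after(end_dates[cfg["domain"]])
        if needs_renewal(not_after, now, threshold_days):
            plan[cfg["domain"]] = renew_command(cfg)
    return plan


if __name__ == "__main__":
    # Fixed "now" (the date of this thread, in UTC) so the run is reproducible.
    now = parse_not_after("notAfter=Jan  4 08:08:01 2016 GMT")
    for domain, cmd in plan_renewals(CONFIGS, END_DATES, now).items():
        print(domain, "->", " ".join(cmd))
```

With the constructed dates, www.sugarlabs.org has 29 days and a few hours left on 4 January 2016 and is scheduled; nagios.sugarlabs.org has 89 days left and is not. The same loop serves the single-SAN-certificate alternative by collecting every config's `domain` into one `-d` list, at the cost Samuel notes of re-issuing for all sites whenever one is added.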