[Systems] Letsencrypt
Samuel Cantero
scanterog at gmail.com
Tue Mar 1 17:25:54 EST 2016
On Mon, Feb 29, 2016 at 10:53 PM, Bernie Innocenti <bernie at codewiz.org>
wrote:
> Great, thanks for taking care of this and for the update.
>
> Dumb question: which letsencrypt client are we using? There are a number
> of options:
>
> https://community.letsencrypt.org/t/list-of-client-implementations/2103
We are using the official one.
>
>
> A couple of weeks ago, I wanted to setup letsencrypt for codewiz.org,
> but the official one seemed quite overengineered, so I tried
> letsencrypt-nosudo instead. The problem with the nosudo script is that
> it's designed for interactive renewal when the user key is kept offline
> (a prudent measure, but I'm too lazy for that :-).
> The next ones I'd like to try are:
>
> https://github.com/kuba/simp_le
> https://github.com/lukas2511/letsencrypt.sh
>
> I would also like to try the first one.
>
> Anyway, I'm shocked by how many weird ways exist to do something as
> simple as generating an SSL certificate and getting it signed by a CA
> with a challenge. What are your impressions?
>
Agree. This is the reason because exists a lot of "tiny" and "simple"
clients out there. The official one is doing a lot of things.
>
>
> On 02/29/2016 11:04 AM, Samuel Cantero wrote:
> > Hi,
> >
> > I was testing our access to the .well-known/acme-challenge directory for
> > www.slo and nagios.slo. LE must have access to this directory in order
> > to validate the domain with a set of challenges (in this case
> > provisioning an HTTP resource under this URI). This access wasn't
> > working. I fixed it for http and https. Now, we are also forcing https
> > for all pages except domain/.well/known-challenge. It was forcing https
> > for all pages.
> >
> > In addition, sometime ago we defined in nginx the same directory for the
> > acme-challenge for both domains but we forgot to set the same webroot in
> > the LE config file for each domain. I also fixed this.
> >
> > I tested all this config with the nagios domain and the certificate was
> > renewed successfully. I also changed in the renewal script the renewal
> > time. We defined to renew the SSL certificate 15 days before the
> > expiration day. I changed this to 30 in order to validate the process
> > with the www.slo domain in 3 days. www.slo certificate was issued on
> > January 3 and is going to expire on April 2.
> >
> > Best regards,
> >
> > Samuel C.
> >
> > On Fri, Feb 26, 2016 at 10:56 PM, Bernie Innocenti <bernie at codewiz.org
> > <mailto:bernie at codewiz.org>> wrote:
> >
> > Sam, could you make the renew-certs-le not produce any output when
> > everything goes well and only nag if we need to fix something?
> >
> > -------- Forwarded Message --------
> > Subject: Cron <root at freedom> test -x /usr/sbin/anacron || ( cd / &&
> > run-parts --report /etc/cron.daily )
> > Date: Fri, 26 Feb 2016 08:00:07 -0500 (EST)
> > From: Cron Daemon <root at freedom.sugarlabs.org
> > <mailto:root at freedom.sugarlabs.org>>
> > To: root at freedom.sugarlabs.org <mailto:root at freedom.sugarlabs.org>
> >
> > /etc/cron.daily/renew-certs-le:
> > The certificate for nagios.sugarlabs.org
> > <http://nagios.sugarlabs.org> is up to date, no need for
> > renewal (36 days left for renewal).
> > The certificate for sugarlabs.org <http://sugarlabs.org> is up to
> > date, no need for renewal (36
> > days left for renewal).
> > /etc/cron.daily/wizbackup:
> > 1456488867:lightwave.sugarlabs.org:0:255
> > run-parts: /etc/cron.daily/wizbackup exited with return code 1
> >
> >
> > _______________________________________________
> > Systems mailing list
> > Systems at lists.sugarlabs.org <mailto:Systems at lists.sugarlabs.org>
> > http://lists.sugarlabs.org/listinfo/systems
> >
> >
>
>
> --
> _ // Bernie Innocenti
> \X/ http://codewiz.org
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.sugarlabs.org/archive/systems/attachments/20160301/9911abf1/attachment.html>
More information about the Systems
mailing list