[Systems] Letsencrypt

Samuel Cantero scanterog at gmail.com
Tue Mar 1 17:28:11 EST 2016

We are automating the renewal process with the official one. You can check
this on https://wiki.sugarlabs.org/go/Sysadmin/Letsencrypt

In case you find simp_le a lot better, please share the info in our wiki :)



On Mon, Feb 29, 2016 at 11:14 PM, Sebastian Silva <sebastian at fuentelibre.org
> wrote:

> Lol. I didn't think to try to look for alternative letsencrypt clients,
> but I've used the official one a few times. However I have to renew in
> March so I'm also looking to automate this. Thanks for the research! I
> think I'll try *simp_le* and share :-)
> Regards,
> Sebastian
> On 29/02/16 20:53, Bernie Innocenti wrote:
> Great, thanks for taking care of this and for the update.
> Dumb question: which letsencrypt client are we using? There are a number
> of options:
>   https://community.letsencrypt.org/t/list-of-client-implementations/2103
> A couple of weeks ago, I wanted to setup letsencrypt for codewiz.org,
> but the official one seemed quite overengineered, so I tried
> letsencrypt-nosudo instead. The problem with the nosudo script is that
> it's designed for interactive renewal when the user key is kept offline
> (a prudent measure, but I'm too lazy for that :-).
> The next ones I'd like to try are:
>   https://github.com/kuba/simp_le
>   https://github.com/lukas2511/letsencrypt.sh
> Anyway, I'm shocked by how many weird ways exist to do something as
> simple as generating an SSL certificate and getting it signed by a CA
> with a challenge. What are your impressions?
> On 02/29/2016 11:04 AM, Samuel Cantero wrote:
> Hi,
> I was testing our access to the .well-known/acme-challenge directory forwww.slo and nagios.slo. LE must have access to this directory in order
> to validate the domain with a set of challenges (in this case
> provisioning an HTTP resource under this URI). This access wasn't
> working. I fixed it for http and https. Now, we are also forcing https
> for all pages except domain/.well/known-challenge. It was forcing https
> for all pages.
> In addition, sometime ago we defined in nginx the same directory for the
> acme-challenge for both domains but we forgot to set the same webroot in
> the LE config file for each domain. I also fixed this.
> I tested all this config with the nagios domain and the certificate was
> renewed successfully. I also changed in the renewal script the renewal
> time. We defined to renew the SSL certificate 15 days before the
> expiration day. I changed this to 30 in order to validate the process
> with the www.slo domain in 3 days. www.slo certificate was issued on
> January 3 and is going to expire on April 2.
> Best regards,
> Samuel C.
> On Fri, Feb 26, 2016 at 10:56 PM, Bernie Innocenti <bernie at codewiz.org<mailto:bernie at codewiz.org> <bernie at codewiz.org>> wrote:
>     Sam, could you make the renew-certs-le not produce any output when
>     everything goes well and only nag if we need to fix something?
>     -------- Forwarded Message --------
>     Subject: Cron <root at freedom> test -x /usr/sbin/anacron || ( cd / &&
>     run-parts --report /etc/cron.daily )
>     Date: Fri, 26 Feb 2016 08:00:07 -0500 (EST)
>     From: Cron Daemon <root at freedom.sugarlabs.org
>     <mailto:root at freedom.sugarlabs.org> <root at freedom.sugarlabs.org>>
>     To: root at freedom.sugarlabs.org <mailto:root at freedom.sugarlabs.org> <root at freedom.sugarlabs.org>
>     /etc/cron.daily/renew-certs-le:
>     The certificate for nagios.sugarlabs.org
>     <http://nagios.sugarlabs.org> <http://nagios.sugarlabs.org> is up to date, no need for
>     renewal (36 days left for renewal).
>     The certificate for sugarlabs.org <http://sugarlabs.org> <http://sugarlabs.org> is up to
>     date, no need for renewal (36
>     days left for renewal).
>     /etc/cron.daily/wizbackup:
>     1456488867:lightwave.sugarlabs.org:0:255
>     run-parts: /etc/cron.daily/wizbackup exited with return code 1
>     _______________________________________________
>     Systems mailing list
>     Systems at lists.sugarlabs.org <mailto:Systems at lists.sugarlabs.org> <Systems at lists.sugarlabs.org>
>     http://lists.sugarlabs.org/listinfo/systems
> --
> I+D SomosAzucar.Org
> "icarito" #somosazucar en Freenode IRC
> "Nadie libera a nadie, nadie se libera solo. Los seres humanos se liberan en comuniĆ³n" - P. Freire
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.sugarlabs.org/archive/systems/attachments/20160301/895352d0/attachment.html>

More information about the Systems mailing list