[Systems] Letsencrypt

Bernie Innocenti bernie at codewiz.org
Wed Mar 9 15:35:43 EST 2016

On 01/03/16 17:28, Samuel Cantero wrote:
> We are automating the renewal process with the official one. You can
> check this on https://wiki.sugarlabs.org/go/Sysadmin/Letsencrypt
> In case you find simp_le a lot better, please share the info in our wiki :)

Haven't found the time to try it yet, but here is some news about the
(formerly) official Letsencrypt client:


> Regards,
> Samuel.
> On Mon, Feb 29, 2016 at 11:14 PM, Sebastian Silva
> <sebastian at fuentelibre.org <mailto:sebastian at fuentelibre.org>> wrote:
>     Lol. I didn't think to try to look for alternative letsencrypt
>     clients, but I've used the official one a few times. However I have
>     to renew in March so I'm also looking to automate this. Thanks for
>     the research! I think I'll try /simp_le/ and share :-)
>     Regards,
>     Sebastian
>     On 29/02/16 20:53, Bernie Innocenti wrote:
>>     Great, thanks for taking care of this and for the update.
>>     Dumb question: which letsencrypt client are we using? There are a number
>>     of options:
>>       https://community.letsencrypt.org/t/list-of-client-implementations/2103
>>     A couple of weeks ago, I wanted to setup letsencrypt for codewiz.org <http://codewiz.org>,
>>     but the official one seemed quite overengineered, so I tried
>>     letsencrypt-nosudo instead. The problem with the nosudo script is that
>>     it's designed for interactive renewal when the user key is kept offline
>>     (a prudent measure, but I'm too lazy for that :-).
>>     The next ones I'd like to try are:
>>       https://github.com/kuba/simp_le
>>       https://github.com/lukas2511/letsencrypt.sh
>>     Anyway, I'm shocked by how many weird ways exist to do something as
>>     simple as generating an SSL certificate and getting it signed by a CA
>>     with a challenge. What are your impressions?
>>     On 02/29/2016 11:04 AM, Samuel Cantero wrote:
>>>     Hi,
>>>     I was testing our access to the .well-known/acme-challenge directory for
>>>     www.slo <http://www.slo> and nagios.slo. LE must have access to this directory in order
>>>     to validate the domain with a set of challenges (in this case
>>>     provisioning an HTTP resource under this URI). This access wasn't
>>>     working. I fixed it for http and https. Now, we are also forcing https
>>>     for all pages except domain/.well/known-challenge. It was forcing https
>>>     for all pages.
>>>     In addition, sometime ago we defined in nginx the same directory for the
>>>     acme-challenge for both domains but we forgot to set the same webroot in
>>>     the LE config file for each domain. I also fixed this.
>>>     I tested all this config with the nagios domain and the certificate was
>>>     renewed successfully. I also changed in the renewal script the renewal
>>>     time. We defined to renew the SSL certificate 15 days before the
>>>     expiration day. I changed this to 30 in order to validate the process
>>>     with the www.slo <http://www.slo> domain in 3 days. www.slo <http://www.slo> certificate was issued on
>>>     January 3 and is going to expire on April 2.
>>>     Best regards,
>>>     Samuel C.
>>>     On Fri, Feb 26, 2016 at 10:56 PM, Bernie Innocenti <bernie at codewiz.org <mailto:bernie at codewiz.org>
>>>     <mailto:bernie at codewiz.org> <mailto:bernie at codewiz.org>> wrote:
>>>         Sam, could you make the renew-certs-le not produce any output when
>>>         everything goes well and only nag if we need to fix something?
>>>         -------- Forwarded Message --------
>>>         Subject: Cron <root at freedom> test -x /usr/sbin/anacron || ( cd / &&
>>>         run-parts --report /etc/cron.daily )
>>>         Date: Fri, 26 Feb 2016 08:00:07 -0500 (EST)
>>>         From: Cron Daemon <root at freedom.sugarlabs.org <mailto:root at freedom.sugarlabs.org>
>>>         <mailto:root at freedom.sugarlabs.org>
>>>     <mailto:root at freedom.sugarlabs.org>>
>>>         To: root at freedom.sugarlabs.org <mailto:root at freedom.sugarlabs.org> <mailto:root at freedom.sugarlabs.org>
>>>     <mailto:root at freedom.sugarlabs.org>
>>>         /etc/cron.daily/renew-certs-le:
>>>         The certificate for nagios.sugarlabs.org <http://nagios.sugarlabs.org>
>>>         <http://nagios.sugarlabs.org> <http://nagios.sugarlabs.org> is up to date, no need for
>>>         renewal (36 days left for renewal).
>>>         The certificate for sugarlabs.org <http://sugarlabs.org> <http://sugarlabs.org> <http://sugarlabs.org> is up to
>>>         date, no need for renewal (36
>>>         days left for renewal).
>>>         /etc/cron.daily/wizbackup:
>>>         1456488867:lightwave.sugarlabs.org:0:255
>>>         run-parts: /etc/cron.daily/wizbackup exited with return code 1
>>>         _______________________________________________
>>>         Systems mailing list
>>>         Systems at lists.sugarlabs.org <mailto:Systems at lists.sugarlabs.org> <mailto:Systems at lists.sugarlabs.org>
>>>     <mailto:Systems at lists.sugarlabs.org>
>>>         http://lists.sugarlabs.org/listinfo/systems
>     -- 
>     I+D SomosAzucar.Org
>     "icarito" #somosazucar en Freenode IRC
>     "Nadie libera a nadie, nadie se libera solo. Los seres humanos se liberan en comuniĆ³n" - P. Freire

 _ // Bernie Innocenti
 \X/  http://codewiz.org

More information about the Systems mailing list