bernie at codewiz.org
Wed Mar 9 15:35:43 EST 2016
On 01/03/16 17:28, Samuel Cantero wrote:
> We are automating the renewal process with the official one. You can
> check this on https://wiki.sugarlabs.org/go/Sysadmin/Letsencrypt
> In case you find simp_le a lot better, please share the info in our wiki :)
Haven't found the time to try it yet, but here is some news about the
(formerly) official Letsencrypt client:
> On Mon, Feb 29, 2016 at 11:14 PM, Sebastian Silva
> <sebastian at fuentelibre.org <mailto:sebastian at fuentelibre.org>> wrote:
> Lol. I didn't think to try to look for alternative letsencrypt
> clients, but I've used the official one a few times. However I have
> to renew in March so I'm also looking to automate this. Thanks for
> the research! I think I'll try /simp_le/ and share :-)
> On 29/02/16 20:53, Bernie Innocenti wrote:
>> Great, thanks for taking care of this and for the update.
>> Dumb question: which letsencrypt client are we using? There are a number
>> of options:
>> A couple of weeks ago, I wanted to setup letsencrypt for codewiz.org <http://codewiz.org>,
>> but the official one seemed quite overengineered, so I tried
>> letsencrypt-nosudo instead. The problem with the nosudo script is that
>> it's designed for interactive renewal when the user key is kept offline
>> (a prudent measure, but I'm too lazy for that :-).
>> The next ones I'd like to try are:
>> Anyway, I'm shocked by how many weird ways exist to do something as
>> simple as generating an SSL certificate and getting it signed by a CA
>> with a challenge. What are your impressions?
>> On 02/29/2016 11:04 AM, Samuel Cantero wrote:
>>> I was testing our access to the .well-known/acme-challenge directory for
>>> www.slo <http://www.slo> and nagios.slo. LE must have access to this directory in order
>>> to validate the domain with a set of challenges (in this case
>>> provisioning an HTTP resource under this URI). This access wasn't
>>> working. I fixed it for http and https. Now, we are also forcing https
>>> for all pages except domain/.well/known-challenge. It was forcing https
>>> for all pages.
>>> In addition, sometime ago we defined in nginx the same directory for the
>>> acme-challenge for both domains but we forgot to set the same webroot in
>>> the LE config file for each domain. I also fixed this.
>>> I tested all this config with the nagios domain and the certificate was
>>> renewed successfully. I also changed in the renewal script the renewal
>>> time. We defined to renew the SSL certificate 15 days before the
>>> expiration day. I changed this to 30 in order to validate the process
>>> with the www.slo <http://www.slo> domain in 3 days. www.slo <http://www.slo> certificate was issued on
>>> January 3 and is going to expire on April 2.
>>> Best regards,
>>> Samuel C.
>>> On Fri, Feb 26, 2016 at 10:56 PM, Bernie Innocenti <bernie at codewiz.org <mailto:bernie at codewiz.org>
>>> <mailto:bernie at codewiz.org> <mailto:bernie at codewiz.org>> wrote:
>>> Sam, could you make the renew-certs-le not produce any output when
>>> everything goes well and only nag if we need to fix something?
>>> -------- Forwarded Message --------
>>> Subject: Cron <root at freedom> test -x /usr/sbin/anacron || ( cd / &&
>>> run-parts --report /etc/cron.daily )
>>> Date: Fri, 26 Feb 2016 08:00:07 -0500 (EST)
>>> From: Cron Daemon <root at freedom.sugarlabs.org <mailto:root at freedom.sugarlabs.org>
>>> <mailto:root at freedom.sugarlabs.org>
>>> <mailto:root at freedom.sugarlabs.org>>
>>> To: root at freedom.sugarlabs.org <mailto:root at freedom.sugarlabs.org> <mailto:root at freedom.sugarlabs.org>
>>> <mailto:root at freedom.sugarlabs.org>
>>> The certificate for nagios.sugarlabs.org <http://nagios.sugarlabs.org>
>>> <http://nagios.sugarlabs.org> <http://nagios.sugarlabs.org> is up to date, no need for
>>> renewal (36 days left for renewal).
>>> The certificate for sugarlabs.org <http://sugarlabs.org> <http://sugarlabs.org> <http://sugarlabs.org> is up to
>>> date, no need for renewal (36
>>> days left for renewal).
>>> run-parts: /etc/cron.daily/wizbackup exited with return code 1
>>> Systems mailing list
>>> Systems at lists.sugarlabs.org <mailto:Systems at lists.sugarlabs.org> <mailto:Systems at lists.sugarlabs.org>
>>> <mailto:Systems at lists.sugarlabs.org>
> I+D SomosAzucar.Org
> "icarito" #somosazucar en Freenode IRC
> "Nadie libera a nadie, nadie se libera solo. Los seres humanos se liberan en comunión" - P. Freire
_ // Bernie Innocenti
More information about the Systems