<div dir="ltr">Hello guys,<div><br></div><div>I've installed a Let's Encrypt (LE) SSL certificate for <a href="http://www.sugarlabs.org">www.sugarlabs.org</a> and <a href="http://nagios.sugarlabs.org">nagios.sugarlabs.org</a>. Currently, this last one has a plain html for testing.</div><div><br></div><div>I've documented in our wiki how to install a LE client, and how to get and renew a certificate [1]. Also, I've written a little script for automate the renewal process. This is based on [2] but it can read many config files and fixes a problem with the expiration time calculation (rounding).</div><div><br></div><div>In summary, the main idea is to have one config file for each subdomain and hence one certificate per subdomain. Each config file is straightforward. The renewal script uses it to renew the certificate for each subdomain automatically. It is executed everyday (maybe it could run weekly).</div><div><br></div><div>Alternatively, we can use one certificate with many subAltNames. In this case everytime we want to add a new site we will have to renew the certificate for all sites. In this case, we will only have one certificate to maintain and we can have a global include file for adding HTTPS support to all sites in the web server.</div><div><br></div><div>Before moving every cert to LE, I would like to discuss how to continue.</div><div><br></div><div>Best regards,</div><div><br></div><div>Samuel C.</div><div><br></div><div>[1] <a href="https://wiki.sugarlabs.org/go/Sysadmin/Letsencrypt">https://wiki.sugarlabs.org/go/Sysadmin/Letsencrypt</a></div><div>[2] <a href="https://vincent.composieux.fr/article/install-configure-and-automatically-renew-let-s-encrypt-ssl-certificate">https://vincent.composieux.fr/article/install-configure-and-automatically-renew-let-s-encrypt-ssl-certificate</a></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Sat, Jan 2, 2016 at 9:37 AM, Bernie Innocenti <span dir="ltr"><<a href="mailto:bernie@codewiz.org" target="_blank">bernie@codewiz.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">By the way, the *.<a href="http://sugarlabs.org" rel="noreferrer" target="_blank">sugarlabs.org</a> certificate issued by Gandi is weak<br>
(SHA1withRSA) and will start issuing warnings on browsers very soon:<br>
<br>
<a href="https://www.ssllabs.com/ssltest/analyze.html?d=sugarlabs.org" rel="noreferrer" target="_blank">https://www.ssllabs.com/ssltest/analyze.html?d=sugarlabs.org</a><br>
<br>
So we should really work on a replacement as soon as possible.<br>
<br>
There's a little problem with Let's Encrypt: Windows XP does not trust<br>
it, and not even Chrome works when running on XP because it uses the<br>
Windows certificate store. Normally I wouldn't give a flying damn about<br>
supporting Microsoft's abandonware OS, but education institutions in<br>
developing countries are likely to be still using ancient computers.<br>
<br>
Indeed, AWstat shows that 20.3% of our web traffic came from XP in Jun 2015:<br>
<br>
<a href="http://stats.sugarlabs.org/sugarlabs.org/awstats.pl?month=06&year=2015&output=main&config=stats.sugarlabs.org&framename=index" rel="noreferrer" target="_blank">http://stats.sugarlabs.org/sugarlabs.org/awstats.pl?month=06&year=2015&output=main&config=stats.sugarlabs.org&framename=index</a><br>
<br>
We no longer have up-to-date information now that <a href="http://www.sugarlabs.org" rel="noreferrer" target="_blank">www.sugarlabs.org</a> runs<br>
in a container. Sam, could you do something to copy the weblogs back to<br>
sunjammer for analysis?<br>
<div class="HOEnZb"><div class="h5"><br>
On 01/02/2016 12:56 PM, Bernie Innocenti wrote:<br>
> On 01/02/2016 12:12 PM, Sam P. wrote:<br>
>> On Sat, Jan 2, 2016, 10:07 PM Bernie Innocenti <<a href="mailto:bernie@codewiz.org">bernie@codewiz.org</a>> wrote:<br>
>><br>
>>> On 01/02/2016 11:52 AM, Samuel Cantero wrote:<br>
>>>> Cool! I haven't heard about it before! I'll do it.<br>
>>><br>
>>> Sunjammer might be too old to run this stuff. Can we start with<br>
>>> <a href="http://www.sugarlabs.org" rel="noreferrer" target="_blank">www.sugarlabs.org</a>?<br>
>>><br>
>><br>
>> WWW is on freedom now.<br>
>><br>
>> It installs via a python virtual environment thing, so maybe that's OK for<br>
>> sunjammer?<br>
>><br>
>><br>
>>> Or maybe make a container to obtain specific certificates for all our<br>
>>> subdomains? Not sure if we should have one wildcard certificate<br>
>>> installed everywhere or several specific ones for each site...<br>
>>><br>
>><br>
>> Let's encrypt doesn't support wildcards, and probably will now due to<br>
>> challenges of automatically verifying ownership.<br>
>><br>
>> That's annoying as the wildcard currently simplify creating new ssl sites<br>
>> to simply including the slo shared config. Maybe we can make a script that<br>
>> automates setting up nginx with a new subdomain?<br>
><br>
> Not sure which strategy will be most convenient... Up to you.<br>
><br>
> Certificates must be renewed monthly from a cronjob (they expire in just<br>
> 90 days), so the script for a new site should record the hostname<br>
> somewhere where the renew script can find it. Perhaps someone has<br>
> already created some letsencrypt glue for websites hosted in docker<br>
> containers?<br>
><br>
<br>
<br>
--<br>
_ // Bernie Innocenti<br>
\X/ <a href="http://codewiz.org" rel="noreferrer" target="_blank">http://codewiz.org</a><br>
</div></div></blockquote></div><br></div>