With many thanks to The Mighty Buzzard riding shotgun and helping me through some misunderstandings, I updated the certificates (certs) for all of SoylentNews' domains. Our certs are now good through: Wednesday, June 12, 2019.
Everything seemed to go as expected. If you experience any issues, please mention them here, or pop onto our IRC channel using your favorite client or the web interface and speak up in the #dev or #Soylent channel.
(Score: 4, Interesting) by isostatic on Thursday March 14 2019, @04:05PM (12 children)
1) Your monitoring infrastructure should be testing all your certs anyway, so any that are due for renewal get flagged up as warnings, and any that are invalidly deployed or expired get flagged up as criticals
2) You should be automating this -- at the very least have a process that generates the correct number and contents of CSRs in the right format to send to your certificate authority, even if it doesn't automatically renew them
3) You should be planning on reducing your certs from 2 years, not just for security reasons (and that's good enough anyway), but because CAB are likely going to be pushing it down to 1 year relatively soon anyway.
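An added example of the point-1 check (not code from the thread or from SoylentNews): it takes the notAfter line that openssl prints for each deployed cert plus its SAN list, applies the one-label wildcard matching rule, and classifies each host as OK, WARNING or CRITICAL. The hostnames are modelled on names mentioned in the thread; the SAN lists, dates, "current time" and thresholds are constructed.

```python
# Added example (not from the thread): the point-1 monitoring check.
from datetime import datetime, timedelta

WARN_DAYS = 21  # flag a few weeks ahead, like Let's Encrypt's reminder emails
NOW = datetime(2019, 3, 14, 16, 5)  # constructed "current time" for the sample

def parse_not_after(line):
    """Parse the 'notAfter=...' line printed by `openssl x509 -noout -enddate`."""
    value = line.split("=", 1)[1].strip()
    return datetime.strptime(value, "%b %d %H:%M:%S %Y %Z")

def name_matches(hostname, san):
    """RFC 6125-style match: '*.' covers exactly one left-most label, so
    '*.soylentnews.org' covers 'chat.soylentnews.org' but neither the bare
    'soylentnews.org' nor a two-level 'a.b.soylentnews.org'."""
    host, san = hostname.lower().rstrip("."), san.lower().rstrip(".")
    if san.startswith("*."):
        parent = san[2:]
        return host.endswith("." + parent) and host.count(".") == parent.count(".") + 1
    return host == san

def check(hostname, sans, not_after, now):
    """Return 'OK', 'WARNING' or 'CRITICAL' for one deployed certificate."""
    if not any(name_matches(hostname, s) for s in sans):
        return "CRITICAL"  # invalidly deployed: the cert does not cover this host
    if not_after <= now:
        return "CRITICAL"  # expired
    if not_after - now <= timedelta(days=WARN_DAYS):
        return "WARNING"  # due for renewal
    return "OK"

def run_checks(inventory, now=NOW):
    """inventory: host -> (SAN list, openssl enddate line). Returns host -> status."""
    return {host: check(host, sans, parse_not_after(end), now)
            for host, (sans, end) in inventory.items()}

# Constructed sample inventory: hostnames and SANs modelled on the thread, dates made up.
WILD = ["*.soylentnews.org", "*.sylnt.us", "soylentnews.org", "sylnt.us"]
SAMPLE = {
    "chat.soylentnews.org": (WILD, "notAfter=Jun 12 12:00:00 2019 GMT"),  # OK
    "soylentnews.org": (WILD, "notAfter=Jun 12 12:00:00 2019 GMT"),  # OK, bare name is listed
    "wiki.soylentnews.org": (WILD, "notAfter=Apr  1 00:00:00 2019 GMT"),  # WARNING, ~17 days left
    "mail.soylentnews.org": (["mail.soylentnews.org"], "notAfter=Mar  1 00:00:00 2019 GMT"),  # CRITICAL, expired
    "logs.irc.sylnt.us": (WILD, "notAfter=Jun 12 12:00:00 2019 GMT"),  # CRITICAL, wildcard covers one label only
}

if __name__ == "__main__":
    for host, status in run_checks(SAMPLE).items():
        print(f"{status:8} {host}")
```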
(Score: 5, Informative) by martyb on Thursday March 14 2019, @04:44PM (11 children)
Last things, first... our new certs (from Let's Encrypt) are set to expire on: Wednesday, June 12, 2019. So we are already at renewing every 3 months. They kindly send out an email giving us a few weeks' advance notice of expiring certs.
Next, there is some automation in place, but with checks along the way for manual confirmation before advancing to the next step.
As for the other points, waaay back when, someone stood up an instance of Icinga [icinga.com]. They left, things changed, and it was not maintained. Eventually it was shut down. (Spoken only as an observer; I had nothing to do with the rollout or shutdown.)
My focus/skill lies more on the upper layers of the software stack. Not so much with the setting up and running of the underlying services on which SoylentNews depends (Bind, Apache, MySql, Nginx, Perl, email, IRC, etc.) Further, we have a mix of OS platforms. Last I checked, we have one Centos, one OpenVZ (our backup server -- IIRC, it's an entirely different provider), a couple on gentoo, and the rest on Ubuntu LTS.
Have you any experience with a mixed environment and can make a recommendation (preferably one that is light weight in resource needs)?
Even better, would you like to volunteer? =)
Wit is intellect, dancing.
(Score: 2) by NewNic on Thursday March 14 2019, @05:38PM
My recommendation is to get rid of the mixed environment.
Pick a distro that is supported long term and use only that. Multiple distros provide needless complications.
lib·er·tar·i·an·ism ˌlibərˈterēənizəm/ noun: Magical thinking that useful idiots mistake for serious political theory
(Score: 3, Informative) by NewNic on Thursday March 14 2019, @05:40PM (9 children)
And how well is that working out for you?
If you fully automate it, you will have to fully fix any issues in the process.
lib·er·tar·i·an·ism ˌlibərˈterēənizəm/ noun: Magical thinking that useful idiots mistake for serious political theory
(Score: 4, Informative) by The Mighty Buzzard on Thursday March 14 2019, @05:56PM (4 children)
I decided against automating changes to DNS for dns-01 challenges from LetsEncrypt. I prefer to make the whole domain utterly unreachable manually.
My rights don't end where your fear begins.
(Score: 2) by NewNic on Thursday March 14 2019, @08:27PM (3 children)
Why not use http challenges instead?
lib·er·tar·i·an·ism ˌlibərˈterēənizəm/ noun: Magical thinking that useful idiots mistake for serious political theory
(Score: 3, Informative) by The Mighty Buzzard on Thursday March 14 2019, @09:33PM (2 children)
You can't on wildcard certs.
My rights don't end where your fear begins.
(Score: 2) by NewNic on Thursday March 14 2019, @09:42PM (1 child)
So don't use wildcards. Let's Encrypt makes it very easy to use certs with multiple names in them.
lib·er·tar·i·an·ism ˌlibərˈterēənizəm/ noun: Magical thinking that useful idiots mistake for serious political theory
(Score: 2) by The Mighty Buzzard on Friday March 15 2019, @12:28AM
Sure, if you're hosting everything on one box with one webserver to do the authing. Using them on our network is complicated as nine kinds of fuck though.
My rights don't end where your fear begins.
(Score: 3, Informative) by isostatic on Thursday March 14 2019, @08:32PM (3 children)
Looks like they moved to wildcard certs for
DNS Name: *.soylentnews.org
DNS Name: *.sylnt.us
DNS Name: soylentnews.org
DNS Name: sylnt.us
last July.
However, before then there were 17 certs with Let's Encrypt:
chat.soylentnews.org
chat.sylnt.us
dev.soylentnews.org
irc1.sylnt.us
irc2.sylnt.us
irc-logs.soylentnews.org
irc.soylentnews.org
irc-stats.soylentnews.org
irc.sylnt.us
lists.soylentnews.org
logs.sylnt.us
mail.soylentnews.org
postfixadmin.soylentnews.org
stats.sylnt.us
vm.soylentnews.org
webmail.soylentnews.org
wiki.soylentnews.org
There was also a cert for www.soylentnews.org with Gandi, but that expired last June. Go back to 2015 and there was also "chillax.soylentnews.org", which had a StartCom cert (I think they were free -- they were/are a Chinese CA that got into some wrongdoing a couple of years ago).
All of those appear to host pages on port 80, so I'm interested in the reason to not use /.well-known/acme-challenge authentication, with a weekly renewal cronjob running. Avoid spreading a wildcard cert/key so far and wide, and have nothing manual to do.
(Score: 2) by NewNic on Thursday March 14 2019, @08:52PM
Exactly.
It's very easy to have multiple names in a certificate with Let's Encrypt.
lib·er·tar·i·an·ism ˌlibərˈterēənizəm/ noun: Magical thinking that useful idiots mistake for serious political theory
(Score: 2) by The Mighty Buzzard on Thursday March 14 2019, @09:34PM (1 child)
You can't use http challenges for wildcard certs, must be dns-01.
My rights don't end where your fear begins.
(Score: 2) by isostatic on Friday March 15 2019, @04:35PM
Which goes back to the question of why use a wildcard cert