With many thanks to The Mighty Buzzard riding shotgun and helping me through some misunderstandings, I updated the certificates (certs) for all of SoylentNews' domains. Our certs are now good through: Wednesday, June 12, 2019.
Everything seemed to go as expected. If you experience any issues, please mention them here, or pop onto our IRC channel using your favorite client or the web interface and speak up in the #dev or #Soylent channel.
(Score: 3, Informative) by The Mighty Buzzard on Thursday March 14 2019, @06:00PM (7 children)
dns-01 challenges are required for wildcard certs. I don't want to automate DNS changes, I prefer to screw those up on my own. Otherwise it would be a "run this script and go back to what you were doing" thing.
My rights don't end where your fear begins.
(Score: 2) by NotSanguine on Thursday March 14 2019, @06:35PM
That's sensible. I'm not a huge fan of wildcard certs, but I can see how they'd be quite useful in the SN environment.
No, no, you're not thinking; you're just being logical. --Niels Bohr
(Score: 2) by NewNic on Thursday March 14 2019, @08:30PM (5 children)
Don't use wildcards.
lib·er·tar·i·an·ism ˌlibərˈterēənizəm/ noun: Magical thinking that useful idiots mistake for serious political theory
(Score: 2) by The Mighty Buzzard on Thursday March 14 2019, @09:41PM (4 children)
We have many different things serving up http pages for all the hostnames we have on many different boxes. And we have hostnames that don't have web content associated with them at all. It was always a much bigger pain in the ass managing the multi-name certs than having to manually update four values in DNS every few months.
My rights don't end where your fear begins.
(Score: 2) by NewNic on Thursday March 14 2019, @09:55PM (3 children)
For a traditional certificate issuance, I can see that. With Let's Encrypt, it is trivial to manage multi-name certs. For those machines without a web server, you can use the Standalone plugin, which starts its own web server.
Oh well, if you want to persist with an error-prone and time-wasting process, who am I to argue with you?
lib·er·tar·i·an·ism ˌlibərˈterēənizəm/ noun: Magical thinking that useful idiots mistake for serious political theory
(Score: 2) by The Mighty Buzzard on Friday March 15 2019, @12:38AM (2 children)
You're not understanding how much of a mess our setup is. If you put all the hostnames that just beryllium uses in one cert, you have to make more than one webserver with many different vhosts on them serve the right response for each and every vhost (certbot trying to do this automatically breaks half the vhosts), then you have to make the multiple irc hostnames serve up the proper response, then you have to make the mail server hostnames serve up the right response. And when you want to add or remove a hostname from use on the box, you have to redo the cert from scratch.
Seriously, it's much quicker and easier to use a wildcard cert. I've never had a multihost SN cert take less than an hour worth of work to renew.
My rights don't end where your fear begins.
(Score: 2) by NewNic on Friday March 15 2019, @06:53PM (1 child)
No, you exclude the "/.well-known" location from the Vhosts. This can be achieved with an alias command.
https://community.letsencrypt.org/t/apache-multidomain-webroot/10663
lib·er·tar·i·an·ism ˌlibərˈterēənizəm/ noun: Magical thinking that useful idiots mistake for serious political theory
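The shared-webroot approach NewNic describes, as an added example that is not from the thread or from SoylentNews' own configs: one server-level `Alias` answers `/.well-known/acme-challenge/` for every vhost, so `certbot --webroot` can validate all names on a box without per-vhost changes. Apache 2.4 syntax; hostnames, paths and the `/var/www/acme-challenge` webroot are assumptions.

```apache
# Server-level (outside any <VirtualHost>): serve ACME http-01 tokens from one
# directory no matter which vhost the validation request lands on. Point
# certbot at it with: certbot certonly --webroot -w /var/www/acme-challenge -d ...
Alias /.well-known/acme-challenge/ /var/www/acme-challenge/.well-known/acme-challenge/

<Directory /var/www/acme-challenge/.well-known/acme-challenge/>
    Options None
    AllowOverride None
    Require all granted
    # Tokens are bare text files with no extension; never let anything here
    # be interpreted as a script.
    ForceType text/plain
</Directory>

# A normal site vhost: inherits the Alias, needs no ACME-specific lines.
<VirtualHost *:80>
    ServerName www.example.org
    DocumentRoot /var/www/www.example.org
</VirtualHost>

# A hostname with no real web content (e.g. an IRC or mail name). An empty
# DocumentRoot is enough; the inherited Alias still answers the challenge.
<VirtualHost *:80>
    ServerName irc.example.org
    DocumentRoot /var/www/empty
</VirtualHost>

# Caveat: mod_alias evaluates vhost-level Alias/Redirect directives before
# server-level ones, so a blanket "Redirect / https://..." in a vhost would
# catch the challenge first. Exclude the ACME path from the redirect instead.
<VirtualHost *:80>
    ServerName mail.example.org
    DocumentRoot /var/www/empty
    RedirectMatch permanent "^/(?!\.well-known/acme-challenge/)(.*)" "https://mail.example.org/$1"
</VirtualHost>
```

Adding a hostname then means adding a vhost and re-running certbot with one more `-d`; the Alias block itself never changes.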
(Score: 2) by The Mighty Buzzard on Saturday March 16 2019, @12:43AM
Or I could do like I'm doing and never have to touch the configs of anything but the one we pull the cert from. And never have to remake the entire enormous cert, hoping I don't miss a hostname but knowing I will, if Deucalion thinks we need a new IRC hostname on one of the existing boxes.
My rights don't end where your fear begins.