Stories
Slash Boxes
Comments

SoylentNews is people

posted by martyb on Thursday March 14 2019, @02:30PM   Printer-friendly
from the certs-are-not-just-a-breath-mint dept.

With many thanks to The Mighty Buzzard riding shotgun and helping me through some misunderstandings, I updated the certificates (certs) for all of SoylentNews' domains. Our certs are now good through: Wednesday, June 12, 2019.

Everything seemed to go as expected. If you experience any issues, please mention them here, or pop onto our IRC channel using your favorite client or the web interface and speak up in the #dev or #Soylent channel.


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 3, Informative) by The Mighty Buzzard on Thursday March 14 2019, @06:00PM (7 children)

    by The Mighty Buzzard (18) Subscriber Badge <themightybuzzard@proton.me> on Thursday March 14 2019, @06:00PM (#814344) Homepage Journal

    dns-01 challenges are required for wildcard certs. I don't want to automate DNS changes, I prefer to screw those up on my own. Otherwise it would be a "run this script and go back to what you were doing" thing.

    --
    My rights don't end where your fear begins.
    Starting Score:    1  point
    Moderation   +1  
       Informative=1, Total=1
    Extra 'Informative' Modifier   0  
    Karma-Bonus Modifier   +1  

    Total Score:   3  
  • (Score: 2) by NotSanguine on Thursday March 14 2019, @06:35PM

    by NotSanguine (285) <NotSanguineNO@SPAMSoylentNews.Org> on Thursday March 14 2019, @06:35PM (#814366) Homepage Journal

    dns-01 challenges are required for wildcard certs. I don't want to automate DNS changes

    That's sensible. I'm not a huge fan of wildcard certs, but I can see how they'd be quite useful in the SN environment.

    --
    No, no, you're not thinking; you're just being logical. --Niels Bohr
  • (Score: 2) by NewNic on Thursday March 14 2019, @08:30PM (5 children)

    by NewNic (6420) on Thursday March 14 2019, @08:30PM (#814432) Journal

    Don't use wildcards.

    --
    lib·er·tar·i·an·ism ˌlibərˈterēənizəm/ noun: Magical thinking that useful idiots mistake for serious political theory
    • (Score: 2) by The Mighty Buzzard on Thursday March 14 2019, @09:41PM (4 children)

      by The Mighty Buzzard (18) Subscriber Badge <themightybuzzard@proton.me> on Thursday March 14 2019, @09:41PM (#814499) Homepage Journal

      We have many different things serving up http pages for all the hostnames we have on many different boxes. And we have hostnames that don't have web content associated with them at all. It was always a much bigger pain in the ass managing the multi-name certs than having to manually update four values in DNS every few months.

      --
      My rights don't end where your fear begins.
      • (Score: 2) by NewNic on Thursday March 14 2019, @09:55PM (3 children)

        by NewNic (6420) on Thursday March 14 2019, @09:55PM (#814507) Journal

        It was always a much bigger pain in the ass managing the multi-name certs than having to manually update four values in DNS every few months.

        For a traditional certificate issuance, I can see that. With Let's Encrypt, it is trivial to manage multi-name certs. For those machines without a web server, you can use the Standalone plugin, which starts its own web server.

        Oh well, if you want to persist with an error-prone and time wasting process, who am I to argue with you.

        --
        lib·er·tar·i·an·ism ˌlibərˈterēənizəm/ noun: Magical thinking that useful idiots mistake for serious political theory
        • (Score: 2) by The Mighty Buzzard on Friday March 15 2019, @12:38AM (2 children)

          You're not understanding how much of a mess our setup is. If you put all the hostnames that just beryllium uses in one cert, you have to make more than one webserver with many different vhosts on them serve the right response for each and every vhost (certbot trying to do this automatically breaks half the vhosts), then you have to make the multiple irc hostnames serve up the proper response, then you have to make the mail server hostnames serve up the right response. And when you want to add or remove a hostname from use on the box, you have to redo the cert from scratch.

          Seriously, it's much quicker and easier to use a wildcard cert. I've never had a multihost SN cert take less than an hour worth of work to renew.

          --
          My rights don't end where your fear begins.
          • (Score: 2) by NewNic on Friday March 15 2019, @06:53PM (1 child)

            by NewNic (6420) on Friday March 15 2019, @06:53PM (#814956) Journal

            If you put all the hostnames that just beryllium uses in one cert, you have to make more than one webserver with many different vhosts

            No, you exclude the "/.well-known" location from the Vhosts. This can be achieved with an alias command.
            https://community.letsencrypt.org/t/apache-multidomain-webroot/10663 [letsencrypt.org]

            --
            lib·er·tar·i·an·ism ˌlibərˈterēənizəm/ noun: Magical thinking that useful idiots mistake for serious political theory
            • (Score: 2) by The Mighty Buzzard on Saturday March 16 2019, @12:43AM

              by The Mighty Buzzard (18) Subscriber Badge <themightybuzzard@proton.me> on Saturday March 16 2019, @12:43AM (#815184) Homepage Journal

              Or I could do like I'm doing and never have to touch the configs of anything but the one we pull the cert from. And never have to remake the entire enormous cert, hoping I don't miss a hostname but knowing I will, if Deucalion thinks we need a new IRC hostname on one of the existing boxes.

              --
              My rights don't end where your fear begins.