SoylentNews is people
SoylentNews is powered by your submissions, so send in your scoop. Only 11 submissions in the queue.
SoylentNews
posted by
martyb
on Thursday March 14 2019, @02:30PM
from the certs-are-not-just-a-breath-mint dept.
from the certs-are-not-just-a-breath-mint dept.
With many thanks to The Mighty Buzzard riding shotgun and helping me through some misunderstandings, I updated the certificates (certs) for all of SoylentNews' domains. Our certs are now good through: Wednesday, June 12, 2019.
Everything seemed to go as expected. If you experience any issues, please mention them here, or pop onto our IRC channel using your favorite client or the web interface and speak up in the #dev or #Soylent channel.
This discussion has been archived.
No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
You will pass away very quickly.
(Score: 2) by NewNic on Thursday March 14 2019, @09:55PM (3 children)
For a traditional certificate issuance, I can see that. With Let's Encrypt, it is trivial to manage multi-name certs. For those machines without a web server, you can use the Standalone plugin, which starts its own web server.
Oh well, if you want to persist with an error-prone and time wasting process, who am I to argue with you.
lib·er·tar·i·an·ism ˌlibərˈterēənizəm/ noun: Magical thinking that useful idiots mistake for serious political theory
(Score: 2) by The Mighty Buzzard on Friday March 15 2019, @12:38AM (2 children)
You're not understanding how much of a mess our setup is. If you put all the hostnames that just beryllium uses in one cert, you have to make more than one webserver with many different vhosts on them serve the right response for each and every vhost (certbot trying to do this automatically breaks half the vhosts), then you have to make the multiple irc hostnames serve up the proper response, then you have to make the mail server hostnames serve up the right response. And when you want to add or remove a hostname from use on the box, you have to redo the cert from scratch.
Seriously, it's much quicker and easier to use a wildcard cert. I've never had a multihost SN cert take less than an hour worth of work to renew.
My rights don't end where your fear begins.
(Score: 2) by NewNic on Friday March 15 2019, @06:53PM (1 child)
No, you exclude the "/.well-known" location from the Vhosts. This can be achieved with an alias command.
https://community.letsencrypt.org/t/apache-multidomain-webroot/10663 [letsencrypt.org]
lib·er·tar·i·an·ism ˌlibərˈterēənizəm/ noun: Magical thinking that useful idiots mistake for serious political theory
(Score: 2) by The Mighty Buzzard on Saturday March 16 2019, @12:43AM
Or I could do like I'm doing and never have to touch the configs of anything but the one we pull the cert from. And never have to remake the entire enormous cert, hoping I don't miss a hostname but knowing I will, if Deucalion thinks we need a new IRC hostname on one of the existing boxes.
My rights don't end where your fear begins.