
Meta
posted by martyb on Thursday June 17 2021, @11:19AM

Last night (actually, very early this morning) mechanicjay generated and installed new Let's Encrypt certs for our servers.

I made a quick check and everything seems to be in place. The old certs were due to expire right about now, so if you do have any issues, please pop onto IRC (preferred) or reply here and let us know!

Thanks mechanicjay!

  • (Score: 0) by Anonymous Coward on Thursday June 17 2021, @12:42PM

    by Anonymous Coward on Thursday June 17 2021, @12:42PM (#1146442)

    > Site Upates:

    Same high quality, now with missing consonants!

  • (Score: 1, Interesting) by Anonymous Coward on Thursday June 17 2021, @01:13PM (5 children)

    by Anonymous Coward on Thursday June 17 2021, @01:13PM (#1146455)

    Out of interest, why not just run certbot and have it do that for you automatically? I'm probably missing something and asking a dumb question, but if I have the question, then others likely do too, so I'll play the dumb one.

    • (Score: 4, Interesting) by janrinok on Thursday June 17 2021, @01:28PM

      by janrinok (52) Subscriber Badge on Thursday June 17 2021, @01:28PM (#1146461) Journal

      Explanation copied from IRC. SoyCow5342 is the AC who asked the question above.

      <requerdanos> a partial answer is that certbot is essentially intended to simplify the process of installing certificates for websites, whereas soylent uses them for other servers as well (mail, irc)
      <janrinok> SoyCow5342, there have been problems in the past where the automatic update did not do the update correctly and left us having to try to recover using the linode software alone.  However, we now think that that problem might have been solved so we are running the automatic scripts 'manually' to check that everything behaves.
      <requerdanos> another piece is that if something were to go wrong mid-cert-update, an automatic process might take more troubleshooting (=more downtime) than a manual one where you know where you were
      <janrinok> as it is, all the essential boxes have updated correctly but, as requerdanos has pointed out, some of the others still need some work.
      <janrinok> That is why MartyB was asking for any information if you see things are not behaving as you would expect them to.

    • (Score: 0) by Anonymous Coward on Thursday June 17 2021, @02:52PM

      by Anonymous Coward on Thursday June 17 2021, @02:52PM (#1146498)

      ... asking for a friend (he's so dumb, couldn't dumb it down enough).

    • (Score: 5, Informative) by mechanicjay on Thursday June 17 2021, @04:28PM (2 children)

      Because Let's Encrypt requires a DNS TXT record for domain validation in order to pull wildcard certs. As we run our own bind and don't rely on a "DNS provider" with an API that certbot can twiddle, it makes it a manual process. Once we have the cert, the installation and service restarts are all scripted.
      --
      My VMS box beat up your Windows box.
      • (Score: 1, Interesting) by Anonymous Coward on Friday June 18 2021, @05:17AM

        by Anonymous Coward on Friday June 18 2021, @05:17AM (#1146857)

        No such API on BIND? What version are you running that doesn't support TSIG? That is the standard way to do this, after all. Just generate a TSIG key and restrict its update policy to TXT records for _acme-challenge.soylentnews.org.
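
As an added illustration of the TSIG approach the comment above proposes (and the DNS-01 validation mechanicjay describes), here is a BIND 9 named.conf fragment that grants one key the right to change TXT records only at the ACME challenge name. This is example configuration written for this page, not SoylentNews' actual setup; the key name, secret and zone file path are placeholders.

```conf
# Added example, not the site's real configuration.
# Generate the key once on the primary server (the secret below is a
# placeholder, not a real key):
#   tsig-keygen -a hmac-sha256 acme-update > /etc/bind/acme-update.key
key "acme-update" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER_BASE64_SECRET==";
};

zone "soylentnews.org" {
    type master;                                # "primary" on newer BIND 9
    file "/var/lib/bind/db.soylentnews.org";    # placeholder path
    # Least privilege: this key may add or delete TXT records at exactly
    # _acme-challenge.soylentnews.org and nothing else. Dynamic updates
    # signed with it for any other name or record type are refused, so a
    # leaked key cannot repoint mail, irc or web hosts.
    update-policy {
        grant acme-update. name _acme-challenge.soylentnews.org. TXT;
    };
};
```

With this in place, the certbot-dns-rfc2136 plugin (or an nsupdate script) can publish and remove the challenge record for the wildcard cert without anyone editing the zone by hand; the plugin takes the server address, key name, secret and algorithm from a credentials INI file (dns_rfc2136_server, dns_rfc2136_name, dns_rfc2136_secret, dns_rfc2136_algorithm). A per-host cert such as mail.soylentnews.org validates at _acme-challenge.mail.soylentnews.org, so each such name needs its own grant line rather than a broad "subdomain" grant. A quick check that the policy is as narrow as intended: an nsupdate signed with the key that tries to add an A record, or a TXT record at any other name, should come back REFUSED and be logged by named.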

      • (Score: 0) by Anonymous Coward on Friday June 18 2021, @03:09PM

        by Anonymous Coward on Friday June 18 2021, @03:09PM (#1146965)

        "Because Let's Encrypt requires a DNS TXT record for domain validation in order to pull wildcard certs."

        We had this issue with namecheap. It was reason enough for me to dump them, especially after they claimed that eff's certificates were not as secure -- I trust eff.org FAR MORE than most of the paid certificates.

        Now we use dreamhost. I don't know what other hosting companies support certbot, but I do know it is a p.i.t.a. to switch.

  • (Score: 2) by mechanicjay on Thursday June 17 2021, @04:29PM

    > Last night (actually, very early this morning) mechanicjay generated...

    It was most certainly still evening for me when I did it! :)

    --
    My VMS box beat up your Windows box.