[AC-Admins] irc.anthrochat.net
Scott Garron
simba at anthrochat.net
Tue Oct 18 18:30:15 EDT 2016
On 10/18/2016 11:19 AM, Cheetah wrote:
> The server which provides the root CA conveniently committed hardware
> suicide recently.

I was wondering about that, 'cause I normally send people there to
grab the CA Cert whenever they bring up the fact that AnthroChat's certs
aren't verifiable. Then, I went there, myself, and it wouldn't come up.

> I'll work on getting something back up, though it may be a bit given
> RL workload.

Honestly, I think we should just migrate to using Let's Encrypt
certs. They're already in the trust chain on most operating systems,
they're pretty easy to set up/renew, and they're free (as in beer).

If each of the servers exports the DocumentRoot directory for
http://servername.anthrochat.net/ via NFS and sticks my server's IP in
hosts.allow for portmap, I can mount it so that certbot can put the
verification info in the right places (.well-known) for certificate
creation/renewal. To make the NFS mount a little more secure, we could
set up a tinc VPN or IPSec tunnel for it. Otherwise, I'll need to
hijack DNS each time and have all of the server names point to lion's
IP until I finish renewing the certs and then change it back.

Anyhoo... I realize that it's an initial setup hassle, but once
it's good to go, there should be little to no maintenance on it.

--
Simba
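
The webroot approach described in the message above, as an added example that is not part of the original post: a preflight that confirms each NFS-mounted DocumentRoot is really mounted and writable before building the `certbot certonly --webroot` argument list. The `/mnt/acme/<fqdn>` mount layout, the function names and the host names in the usage line are assumptions.

```shell
#!/bin/sh
# Added example: preflight for certbot --webroot over NFS-mounted DocumentRoots.
# Assumed layout (not from the post): each server's DocumentRoot is mounted at
# $ACME_BASE/<fqdn>, e.g. /mnt/acme/irc1.example.net (placeholder name).
ACME_BASE="${ACME_BASE:-/mnt/acme}"
REQUIRE_MOUNT="${REQUIRE_MOUNT:-1}"   # set to 0 only when testing on local dirs

# Return 0 if the webroot for host $1 is mounted and its challenge dir is writable.
preflight_webroot() {
    root="$ACME_BASE/$1"
    [ -d "$root" ] || { echo "missing: $root" >&2; return 1; }
    # Without this check a dropped NFS mount leaves an empty local directory,
    # and certbot would write challenges where the remote httpd never sees them.
    if [ "$REQUIRE_MOUNT" = 1 ] && ! mountpoint -q "$root"; then
        echo "not mounted: $root" >&2; return 1
    fi
    chal="$root/.well-known/acme-challenge"
    mkdir -p "$chal" 2>/dev/null || { echo "cannot create: $chal" >&2; return 1; }
    probe="$chal/.probe.$$"
    ( : > "$probe" ) 2>/dev/null || { echo "read-only: $chal" >&2; return 1; }
    rm -f "$probe"
}

# Print the certbot argument list for the given hosts, one -w/-d pair per host.
# Fails if any host fails preflight, so a cron job never renews a partial set.
certbot_args() {
    args="certonly --webroot"
    for host in "$@"; do
        preflight_webroot "$host" || return 1
        args="$args -w $ACME_BASE/$host -d $host"
    done
    printf '%s\n' "$args"
}

# Usage: sh preflight.sh --run host1 host2 ...  (prints the command, runs nothing)
if [ "${1:-}" = "--run" ]; then
    shift
    args=$(certbot_args "$@") && echo "certbot $args"
fi
```
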