[AC-Admins] irc.anthrochat.net

Pippin Bear pippin at floof.org
Tue Oct 18 20:57:22 EDT 2016


On Tue, Oct 18, 2016 at 06:30:15PM -0400, Scott Garron wrote:
>      Honestly, I think we should just migrate to using Let's Encrypt
> certs.  They're already in the trust chain on most operating systems,
> they're pretty easy to set up/renew, and they're free (as in beer).
> 
>      If each of the servers exports the DocumentRoot directory for

The way I do it is each machine has this on it:

$ cat /etc/apache2/conf.d/local-acme-challenge 
Redirect /.well-known/acme-challenge/ https://control.servology.co.uk/.well-known/acme-challenge/

...and I do all the certs on the machine named control.  However, even
easier ought to be just to run a LE client on each machine (I'm intending
to migrate to that eventually now that I'm familiar with how it all works
- the centralised setup was supposed to just be while I learned).  No need
to copy certificates around or hijack DNS or run NFS or redirect anything,
although we would need to run an HTTP server on each machine at least for
a few seconds every couple of months while certificates are being renewed.

Alternatively, use dns-01 challenges, which you can fulfil with a TXT
record per hostname in the anthrochat.net zone file.  letsencrypt.sh
supports them, given a hook script - mine just echoes the RRs, I paste
them into the zone file, press return when I'm ready, and certificates
come out of the grinder.

Pippin
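A hook of the kind described above (print the TXT RRs, wait for return), as an added example written for this page rather than Pippin's own script; the calling convention (deploy_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE) is letsencrypt.sh's, while the ZONE and TTL defaults are assumptions:

```shell
#!/bin/sh
# Hypothetical dns-01 hook for letsencrypt.sh (added example, not from the thread).
# letsencrypt.sh invokes it as:  hook.sh deploy_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE
# For dns-01 the TOKEN_VALUE is what must appear in the _acme-challenge TXT record.
# ZONE and TTL are assumed defaults; override them in the environment.
ZONE="${ZONE:-anthrochat.net}"
TTL="${TTL:-60}"

# Zone-file RR for one hostname: owner is _acme-challenge prefixed to the FQDN.
acme_txt_rr() {
    domain="$1"; value="$2"
    printf '_acme-challenge.%s. %s IN TXT "%s"\n' "$domain" "$TTL" "$value"
}

# The value handed to a dns-01 hook is unpadded base64url; refuse anything else
# so a bad argument can never turn into stray characters in the zone file.
valid_token() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

deploy_challenge() {
    valid_token "$3" || { echo "refusing malformed token for $1" >&2; return 1; }
    echo "Add this to the $ZONE zone file, bump the serial and reload:"
    acme_txt_rr "$1" "$3"
    printf 'Press return once the record is published... '
    read -r _ignored
}

clean_challenge() {
    echo "Now remove this from the $ZONE zone file:"
    acme_txt_rr "$1" "$3"
}

# Dispatch on the hook name; deploy_cert, unchanged_cert and the rest are no-ops here.
hook_main() {
    action="$1"; shift
    case "$action" in
        deploy_challenge) deploy_challenge "$@" ;;
        clean_challenge)  clean_challenge "$@" ;;
        *) ;;
    esac
}

if [ $# -gt 0 ]; then
    hook_main "$@"
fi
```

Point letsencrypt.sh at it with HOOK=/path/to/this-script and CHALLENGETYPE="dns-01" in its config.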

