[AC-Admins] irc.anthrochat.net

Scott Garron simba at anthrochat.net
Tue Oct 18 22:07:51 EDT 2016


On 10/18/2016 08:57 PM, Pippin Bear wrote:
> The way I do it is each machine has this on it:
> 
> $ cat /etc/apache2/conf.d/local-acme-challenge
> Redirect /.well-known/acme-challenge/ https://control.servology.co.uk/.well-known/acme-challenge/
> 
> ...and I do all the certs on the machine named control.

     Yeah, that's basically how I described it in the second post except
that what I described is more confined to a specific set of host headers
instead of the whole machine.  I don't know why it didn't dawn on me
that http redirects would work before I proposed the original,
convoluted NFS method.  After I sent the first message, I tried a few
tests to see if it would work, and then sent the second message.

> However, even easier ought to be just to run a LE client on each 
> machine

     I considered that, but there were 2 reasons that I was leaning more
toward keeping it central:

1. I wasn't sure how familiar each admin already was with certbot /
Let's Encrypt, so I was taking on the task of getting up to speed with
it, myself.

2. The irc.anthrochat.net rotary.  The cert that's on every IRC server
should include irc.anthrochat.net in its list of Subject Alternative
Names so that when a client lands on it via the rotary, the certificate
still verifies for the name that they entered into their client.
Because DNS could resolve the ACME processor to any one of the active
servers, when it's attempting its verification, it has a pretty high
chance of failing.  If I generate one certificate that includes all of
the server names as Subject Alternative Names, I can just push that one
cert to all of the servers.

     Of course, centralizing it would mean that those httpds would
potentially need to be active on all of the servers all of the time.
Unless I really set up a strict schedule for when I would be renewing
the certs (and I probably will.  For now, I've been doing it "manually",
as in... I haven't put it in a cron job).

> Alternatively, use dns-01 challenges, which you can fulfil with a TXT
> record per hostname in the anthrochat.net zone file.

     I thought about that approach, but it didn't seem to have the same
level of reduced effort automation potential that the http-01 method has.

-- 
Simba
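
The rotary argument in Simba's second point (an ACME client on one IRC server has roughly a 1-in-N chance of being the host the CA's DNS lookup lands on, while a redirect on every host makes the lookup irrelevant) as an added model in Python. This is not code from the thread, from Let's Encrypt or from certbot: the "CA" side is a simplified stand-in for an http-01 validator, the hosts are loopback HTTP servers on random ports, the tokens are made up, and the redirect points at plain http rather than the https target in Pippin's snippet.

```python
"""Model of the http-01 rotary problem and of the redirect fix.
Added example, not list or Let's Encrypt code: the CA check is a
simplified stand-in, hosts are loopback servers, tokens are made up."""
import http.server
import random
import secrets
import threading
import urllib.error
import urllib.request
from functools import partial

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


class QuietHandler(http.server.BaseHTTPRequestHandler):
    def log_message(self, *args):  # silence per-request logging
        pass

    def respond(self, status, body=b"", location=None):
        self.send_response(status)
        if location:
            self.send_header("Location", location)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


class ControlHandler(QuietHandler):
    """The host that runs the ACME client and holds every challenge token."""
    def __init__(self, *args, tokens, **kwargs):
        self.tokens = tokens  # token -> key authorization, written by the client
        super().__init__(*args, **kwargs)

    def do_GET(self):
        token = self.path[len(CHALLENGE_PREFIX):] if self.path.startswith(CHALLENGE_PREFIX) else None
        body = self.tokens.get(token) if token else None
        if body is None:
            self.respond(404)
        else:
            self.respond(200, body.encode())


class IrcHostHandler(QuietHandler):
    """Any other IRC server's httpd. With redirect_to set it does what the
    quoted Apache 'Redirect /.well-known/acme-challenge/ ...' line does;
    with it unset the host knows nothing about the challenge and 404s."""
    def __init__(self, *args, redirect_to=None, **kwargs):
        self.redirect_to = redirect_to
        super().__init__(*args, **kwargs)

    def do_GET(self):
        if self.redirect_to and self.path.startswith(CHALLENGE_PREFIX):
            self.respond(302, location=self.redirect_to + self.path)
        else:
            self.respond(404)


def start_server(handler_factory):
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler_factory)
    threading.Thread(target=srv.serve_forever, kwargs={"poll_interval": 0.05},
                     daemon=True).start()
    return srv


def base_url(srv):
    return "http://127.0.0.1:%d" % srv.server_address[1]


def validate_http01(host_url, token, key_authz):
    """Simplified CA check: fetch the token URL, following redirects as a
    real validator does, and compare the body with the key authorization."""
    try:
        with urllib.request.urlopen(host_url + CHALLENGE_PREFIX + token, timeout=5) as resp:
            return resp.read().decode().strip() == key_authz
    except urllib.error.URLError:  # covers 404s (HTTPError) and connection errors
        return False


def simulate(rotary_size=4, trials=40, redirect=True, seed=2016):
    """Return (successes, trials) for validating the rotary name when the
    CA's lookup lands on a random active server each time. The control host
    is one rotary member; the others either redirect to it or do not."""
    rng = random.Random(seed)
    tokens = {}
    control = start_server(partial(ControlHandler, tokens=tokens))
    others = [start_server(partial(IrcHostHandler,
                                   redirect_to=base_url(control) if redirect else None))
              for _ in range(rotary_size - 1)]
    rotary = [control] + others
    successes = 0
    try:
        for _ in range(trials):
            token = secrets.token_urlsafe(32)
            key_authz = token + "." + secrets.token_urlsafe(32)  # thumbprint stand-in
            tokens[token] = key_authz            # ACME client on control writes it
            landed_on = rng.choice(rotary)       # what the rotary name resolved to
            successes += validate_http01(base_url(landed_on), token, key_authz)
    finally:
        for srv in rotary:
            srv.shutdown()
            srv.server_close()
    return successes, trials


if __name__ == "__main__":
    print("client on one server, no redirect:", simulate(redirect=False))
    print("every host redirects to control:  ", simulate(redirect=True))
```

Without the redirect only the trials that happen to land on the control host pass, about a quarter of them with four servers; with it every trial passes, because the validator is sent to the one host that actually holds the token. Let's Encrypt's http-01 validator does follow redirects, including to https, which is what the quoted Apache line relies on. The production counterpart of `simulate(redirect=True)` is that Redirect snippet on every IRC host plus, on control, a single `certbot certonly --webroot -w <webroot> -d irc.anthrochat.net -d <server1> ...` run whose name list covers every server, with a `--deploy-hook` that pushes the resulting files to the other hosts.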

