[AC-Admins] irc.anthrochat.net
Pippin Bear
pippin at floof.org
Wed Oct 19 10:44:42 EDT 2016
On Tue, Oct 18, 2016 at 10:07:51PM -0400, Scott Garron wrote:
> Yeah, that's basically how I described it in the second post except

Yep, I saw your second email just after I'd sent mine. Great minds
thinking alike and all that ;)

> 2. The irc.anthrochat.net rotary. The cert that's on every IRC server

Ah yes, true, a single cert listing every server and rotary would let
you also do things like pointing DNS for one server to another one
if it failed, and would be needed for the rotaries anyway. I hadn't
considered that.

I would think if we have no particular need for HTTP on each server,
the DNS verification method might need the least coordination (on the
other hand deploying the certs still needs to happen every 2-3 months
anyway). One way might be to run a copy of BIND on the machine doing the
certificates, with an out-of-the-way domain delegated to it, and CNAME
the appropriate records into that domain. That way you don't need the
LE client to be able to manipulate the main anthrochat.net zone directly.

This worked for me recently - got a client to add
_acme-challenge.clientdomain.com. CNAME clientchallenge1.ourdomain.com.
to DNS and we then fulfilled the challenge using
clientchallenge1.ourdomain.com. TXT "blahwibble"

Worked well for getting a new certificate set up before clientdomain.com
was pointed at our servers - we couldn't use HTTP at that point as they
apparently didn't have the wherewithal to add an HTTP redirect.

Pippin
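
Added example, not part of the original message or of any ACME client: a pre-flight check for the CNAME-delegated DNS challenge described above. It follows the `_acme-challenge` CNAME to the name that must hold the TXT record, refuses targets outside the delegated zone, and computes the TXT value as RFC 8555 section 8.4 defines it. The token, thumbprint, `CHALLENGE_ZONE` and all function names are assumptions made for illustration.

```python
import base64
import hashlib

# Constructed sample data: the CNAME is the one quoted in the message above;
# the token and account-key thumbprint are made-up placeholders.
CNAMES = {
    "_acme-challenge.clientdomain.com.": "clientchallenge1.ourdomain.com.",
}
CHALLENGE_ZONE = "ourdomain.com."  # assumed: the zone the certificate host may update
TOKEN = "constructed-token-0001"
THUMBPRINT = "constructed-account-key-thumbprint"

def txt_value(token: str, thumbprint: str) -> str:
    """RFC 8555 8.4: base64url(SHA-256(token "." thumbprint)), no padding."""
    digest = hashlib.sha256(f"{token}.{thumbprint}".encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def normalise(name: str) -> str:
    """Lower-case and fully qualify a DNS name so comparisons are exact."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."

def txt_owner(hostname: str, cnames: dict, max_hops: int = 8) -> str:
    """Follow CNAMEs from _acme-challenge.<hostname> to the TXT owner name."""
    table = {normalise(k): normalise(v) for k, v in cnames.items()}
    name = normalise("_acme-challenge." + hostname)
    seen = set()
    while name in table:
        if name in seen or len(seen) >= max_hops:
            raise ValueError(f"CNAME loop or chain too long at {name}")
        seen.add(name)
        name = table[name]
    return name

def in_zone(name: str, zone: str) -> bool:
    """True if name is the zone apex or below it (label-aligned match)."""
    name, zone = normalise(name), normalise(zone)
    return name == zone or name.endswith("." + zone)

def plan(hostname: str) -> str:
    """Return the TXT record to publish, or fail if the CNAME is not in place."""
    owner = txt_owner(hostname, CNAMES)
    if not in_zone(owner, CHALLENGE_ZONE):
        raise ValueError(f"{owner} is outside {CHALLENGE_ZONE}; CNAME missing or wrong")
    return f'{owner} TXT "{txt_value(TOKEN, THUMBPRINT)}"'
```

A hostname with no CNAME into the challenge zone fails the check, which is the case where the certificate host would otherwise need write access to the main zone.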