[Qa-debsources] upcoming SSL cert expiry and letsencrypt

Orestis Ioannou orestis at oioannou.com
Wed Dec 2 01:12:37 UTC 2015


heya,

So to install it on wheezy one needs to clone the repo and then run
letsencrypt-auto.
It will install these dependencies from apt:

git python python-dev python-virtualenv gcc dialog libaugeas0 libssl-dev
libffi-dev ca-certificates

and then it creates a virtual env and installs lets-encrypt from pypi.
You don't have to run the script as root (in the file it says not
recommended) but it will require sudo to install the deps.

You can launch letsencrypt-auto to get only a cert (without configuring
apache etc) by specifying the domain and email.


There is another option: running it inside docker. This avoids
installing the dependencies system wide.
They have the dockerfile and the command to start it. Once you run
letsencrypt by specifying the domain it will get the certificate and put
it in the host machine (that's what the docs say; couldn't test it
because it fails due to my email not being in the beta). So I guess the
next step would just be to replace the certs since apache is already
configured. I'll test this better (getting a cert etc when the public
beta is on).


Anyway both ways require sudo at some time so what do you think is the
best way to proceed?

Cheers,

Orestis

On 11/26/2015 01:56 PM, Matthieu Caneill wrote:
> On Thu, Nov 26, 2015 at 11:35:04AM +0100, Stefano Zacchiroli wrote:
>> That's correct. And thanks to you too. Sounds like you and Orestis are a
>> well-formed team for handling this :)
> 
> Yep, only blocker could be read/write rights on some /etc/apache2
> files.
>>
>>> Zack: do you know for how long the Let's Encrypt certificates will be
>>> valid? 1 year?
>>
>> 3 months, the rationale is here (and I agree with it):
>>
>>   https://letsencrypt.org/2015/11/09/why-90-days.html
>>
>> So in addition to one-off certificate, what it will need doing is
>> actually automating the renewal process, so that we have to worry only
>> once about the setup.
> 
> Indeed 90 days make sense with automation :)
> 
> Thanks!
> 
> --
> Matthieu