| 1 |
Michael Orilitzky: |
| 2 |
... |
| 3 |
> * The LetsEncrypt certificates expire after three months, as opposed |
| 4 |
> to 10+ years for a self-signed certificate. You're supposed to |
| 5 |
> automate this... by running a script as root that takes input from |
| 6 |
> the web? I'd rather not do that. |
| 7 |
|
| 8 |
You can run most part of it as an unpriviliged user, here is my crontab: |
| 9 |
0 0 1 * * acme /usr/local/sbin/acme_update.sh |
| 10 |
10 0 1 * * root cat /etc/acme-tiny/domain.key /var/acme-tiny/signed_chain.crt > /etc/lighttpd/server.pem |
| 11 |
20 0 1 * * root /etc/init.d/lighttpd restart |
| 12 |
|
| 13 |
One could add a check to make sure that the downloaded crt is sensible. |
| 14 |
|
| 15 |
> * LetsEncrypt verifies your identity over plain HTTP (like every other |
| 16 |
> commercial CA), so it's all security theater in the first place. |
| 17 |
... |
| 18 |
|
| 19 |
Ack. |
| 20 |
|
| 21 |
Regards, |
| 22 |
/Karl Hammar |
Archives