Michael Orilitzky:
...
> * The LetsEncrypt certificates expire after three months, as opposed
> to 10+ years for a self-signed certificate. You're supposed to
> automate this... by running a script as root that takes input from
> the web? I'd rather not do that.

You can run most of it as an unprivileged user; here is my crontab:
0 0 1 * * acme /usr/local/sbin/acme_update.sh
10 0 1 * * root cat /etc/acme-tiny/domain.key /var/acme-tiny/signed_chain.crt > /etc/lighttpd/server.pem
20 0 1 * * root /etc/init.d/lighttpd restart

One could add a check to make sure that the downloaded crt is sensible.

> * LetsEncrypt verifies your identity over plain HTTP (like every other
> commercial CA), so it's all security theater in the first place.
...

Ack.

Regards,
/Karl Hammar
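The "sensible crt" check Karl mentions, as an added example that is not part of the thread: a POSIX sh function root could run between the acme step and the concatenation step of the crontab above. It assumes the file layout from the crontab (domain.key, signed_chain.crt) plus the served hostname; the self-signed pair built by make_sample is constructed only to exercise it offline.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: sanity-check the
# certificate acme-tiny downloaded before root builds server.pem from it.
# Assumed layout follows the crontab; HOSTNAME is whatever the site serves.
#   check_cert /etc/acme-tiny/domain.key /var/acme-tiny/signed_chain.crt www.example.org
# Returns 0 only if every check passes.
check_cert() {
    key="$1"; crt="$2"; host="$3"; min_days="${4:-7}"
    # 1. Must parse as X.509 (openssl reads the first PEM block, i.e. the
    #    leaf of a chain file); a captured HTML error page fails here.
    if ! openssl x509 -in "$crt" -noout 2>/dev/null; then
        echo "check_cert: $crt is not a certificate"; return 1
    fi
    # 2. The cert's public key must belong to domain.key; both commands
    #    print the same SubjectPublicKeyInfo PEM when it does.
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || cert_pub=""
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=""
    if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "check_cert: public key in $crt does not match $key"; return 1
    fi
    # 3. It must name our host (SAN, or CN if there is no SAN). The exit
    #    status of -checkhost does not carry the verdict, so read the output.
    if ! openssl x509 -in "$crt" -noout -checkhost "$host" 2>/dev/null \
            | grep -q 'does match'; then
        echo "check_cert: $crt is not valid for $host"; return 1
    fi
    # 4. It must stay valid for at least MIN_DAYS (-checkend takes seconds).
    if ! openssl x509 -in "$crt" -noout -checkend $((min_days * 86400)) >/dev/null 2>&1; then
        echo "check_cert: $crt expires within $min_days days"; return 1
    fi
    return 0
}

# Constructed self-signed key/cert pair standing in for domain.key and
# signed_chain.crt so the check can be tried offline (test data only).
make_sample() {
    dir="$1"; cn="$2"; days="${3:-30}"
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" \
        -subj "/CN=$cn" -addext "subjectAltName=DNS:$cn" >/dev/null 2>&1
}

# Stand-alone demo: a matching pair passes, the same cert checked
# against a hostname it does not name fails.
d=$(mktemp -d)
make_sample "$d" example.test
check_cert "$d/key.pem" "$d/cert.pem" example.test && echo "PASS (expected)"
check_cert "$d/key.pem" "$d/cert.pem" other.test || echo "FAIL (expected)"
rm -rf "$d"
```

In the crontab this would sit as a root job between the acme run and the cat, with the cat and restart only running when it returns 0.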