| 1 |
Karl: |
| 2 |
> Michael Orilitzky: |
| 3 |
|
| 4 |
Sorry, I mistyped, it should be: Peter Humphrey |
| 5 |
|
| 6 |
> ... |
| 7 |
> > * The LetsEncrypt certificates expire after three months, as opposed |
| 8 |
> > to 10+ years for a self-signed certificate. You're supposed to |
| 9 |
> > automate this... by running a script as root that takes input from |
| 10 |
> > the web? I'd rather not do that. |
| 11 |
> |
| 12 |
> You can run most part of it as an unpriviliged user, here is my crontab: |
| 13 |
> 0 0 1 * * acme /usr/local/sbin/acme_update.sh |
| 14 |
> 10 0 1 * * root cat /etc/acme-tiny/domain.key /var/acme-tiny/signed_chain.crt > /etc/lighttpd/server.pem |
| 15 |
> 20 0 1 * * root /etc/init.d/lighttpd restart |
| 16 |
> |
| 17 |
> One could add a check to make sure that the downloaded crt is sensible. |
| 18 |
> |
| 19 |
> > * LetsEncrypt verifies your identity over plain HTTP (like every other |
| 20 |
> > commercial CA), so it's all security theater in the first place. |
| 21 |
> ... |
| 22 |
> |
| 23 |
> Ack. |
| 24 |
|
| 25 |
Regards, |
| 26 |
/Karl Hammar |
Archives