Karl:
> Michael Orilitzky:

Sorry, I mistyped, it should be: Peter Humphrey

> ...
> > * The LetsEncrypt certificates expire after three months, as opposed
> > to 10+ years for a self-signed certificate. You're supposed to
> > automate this... by running a script as root that takes input from
> > the web? I'd rather not do that.
>
> You can run most of it as an unprivileged user, here is my crontab:
> 0 0 1 * * acme /usr/local/sbin/acme_update.sh
> 10 0 1 * * root cat /etc/acme-tiny/domain.key /var/acme-tiny/signed_chain.crt > /etc/lighttpd/server.pem
> 20 0 1 * * root /etc/init.d/lighttpd restart
>
> One could add a check to make sure that the downloaded crt is sensible.
>
> > * LetsEncrypt verifies your identity over plain HTTP (like every other
> > commercial CA), so it's all security theater in the first place.
> ...
>
> Ack.

Regards,
/Karl Hammar
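
The check mentioned in the message above ("make sure that the downloaded crt is sensible") could look like the following. This is an added example, not part of the thread or of acme-tiny; the function name `crt_is_sensible` and the 30-day default are assumptions, and it relies on the `openssl` command-line tool.

```sh
#!/bin/sh
# Added example: sanity-check a freshly downloaded chain before root
# concatenates it with the private key into the web server's PEM file.

# crt_is_sensible KEY CHAIN [MIN_DAYS]
# Returns 0 only if the first certificate in CHAIN parses, carries the
# public key belonging to KEY, and remains valid for at least MIN_DAYS
# more days (default 30, an assumed threshold).
crt_is_sensible() {
    key=$1
    chain=$2
    min_days=${3:-30}

    # A missing or empty download must never be installed.
    [ -s "$key" ] && [ -s "$chain" ] || return 1

    # openssl x509 reads the first PEM certificate in the file (the leaf).
    # This fails on an HTML error page, a truncated file or other junk.
    crt_pub=$(openssl x509 -in "$chain" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1

    # The certificate must have been issued for our own private key.
    [ "$crt_pub" = "$key_pub" ] || return 1

    # -checkend exits non-zero if the certificate expires within N seconds,
    # which also rejects a certificate that has already expired.
    openssl x509 -in "$chain" -noout \
        -checkend $((min_days * 86400)) >/dev/null 2>&1
}

# Possible use in the root cron step, with the paths from the crontab above:
#   crt_is_sensible /etc/acme-tiny/domain.key /var/acme-tiny/signed_chain.crt \
#     && cat /etc/acme-tiny/domain.key /var/acme-tiny/signed_chain.crt \
#        > /etc/lighttpd/server.pem
```

Because the check runs in the root job, a bad file written by the unprivileged `acme` user leaves the existing `server.pem` untouched.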