Joseph Tam
2017-Aug-18 07:24 UTC
is a self signed certificate always invalid the first time
Michael Felt <michael at felt.demon.nl> writes:

>> I use acme.sh for all of my LetsEncrypt certs (web & mail), it is
>> written in pure shell script, so no python dependencies.
>> https://github.com/Neilpang/acme.sh
>
> Thanks - I might look at that, but as Ralph mentions in his reply -
> Let's encrypt certs are only for three months - never ending circus.

I wouldn't characterize it as a circus. Once you bootstrap your first
certificate and install the cert-renew cron script, it's not something
you have to pay a lot of attention to. I have a few LE certs in use,
and I don't think about it anymore: it just works.

The shorter cert lifetime also helps limit damage if your certificate
gets compromised.

Joseph Tam <jtam.home at gmail.com>
Stephan von Krawczynski
2017-Aug-18 08:05 UTC
is a self signed certificate always invalid the first time
On Fri, 18 Aug 2017 00:24:39 -0700 (PDT)
Joseph Tam <jtam.home at gmail.com> wrote:

> Michael Felt <michael at felt.demon.nl> writes:
>
> >> I use acme.sh for all of my LetsEncrypt certs (web & mail), it is
> >> written in pure shell script, so no python dependencies.
> >> https://github.com/Neilpang/acme.sh
> >
> > Thanks - I might look at that, but as Ralph mentions in his reply -
> > Let's encrypt certs are only for three months - never ending circus.
>
> I wouldn't characterize it as a circus. Once you bootstrap your first
> certificate and install the cert-renew cron script, it's not something
> you have to pay a lot of attention to. I have a few LE certs in use,
> and I don't think about it anymore: it just works.
>
> The shorter cert lifetime also helps limit damage if your certificate
> gets compromised.
>
> Joseph Tam <jtam.home at gmail.com>

Obviously you do not use clustered environments with more than one node per
service.
Else you would not call it "it just works", because in fact the renewal is
quite big bs as one node must do the job while all the others must be
_offline_.

--
Regards,
Stephan
Richard Hector
2017-Aug-20 00:26 UTC
is a self signed certificate always invalid the first time
On 18/08/17 20:05, Stephan von Krawczynski wrote:
> On Fri, 18 Aug 2017 00:24:39 -0700 (PDT)
> Joseph Tam <jtam.home at gmail.com> wrote:
>
>> Michael Felt <michael at felt.demon.nl> writes:
>>
>>>> I use acme.sh for all of my LetsEncrypt certs (web & mail), it is
>>>> written in pure shell script, so no python dependencies.
>>>> https://github.com/Neilpang/acme.sh
>>>
>>> Thanks - I might look at that, but as Ralph mentions in his reply -
>>> Let's encrypt certs are only for three months - never ending circus.
>>
>> I wouldn't characterize it as a circus. Once you bootstrap your first
>> certificate and install the cert-renew cron script, it's not something
>> you have to pay a lot of attention to. I have a few LE certs in use,
>> and I don't think about it anymore: it just works.
>>
>> The shorter cert lifetime also helps limit damage if your certificate
>> gets compromised.
>>
>> Joseph Tam <jtam.home at gmail.com>
>
> Obviously you do not use clustered environments with more than one node per
> service.
> Else you would not call it "it just works", because in fact the renewal is
> quite big bs as one node must do the job while all the others must be
> _offline_.
>

Couldn't the others just proxy to the one, for the .well-known directory?
They can continue serving up the rest of the site fine, surely?

I've worked with clusters, and with LE/certbot, but not yet both together.

Richard
KT Walrus
2017-Aug-20 01:39 UTC
is a self signed certificate always invalid the first time
> On Aug 18, 2017, at 4:05 AM, Stephan von Krawczynski <skraw at ithnet.com> wrote:
>
> On Fri, 18 Aug 2017 00:24:39 -0700 (PDT)
> Joseph Tam <jtam.home at gmail.com> wrote:
>
>> Michael Felt <michael at felt.demon.nl> writes:
>>
>>>> I use acme.sh for all of my LetsEncrypt certs (web & mail), it is
>>>> written in pure shell script, so no python dependencies.
>>>> https://github.com/Neilpang/acme.sh
>>>
>>> Thanks - I might look at that, but as Ralph mentions in his reply -
>>> Let's encrypt certs are only for three months - never ending circus.
>>
>> I wouldn't characterize it as a circus. Once you bootstrap your first
>> certificate and install the cert-renew cron script, it's not something
>> you have to pay a lot of attention to. I have a few LE certs in use,
>> and I don't think about it anymore: it just works.
>>
>> The shorter cert lifetime also helps limit damage if your certificate
>> gets compromised.
>>
>> Joseph Tam <jtam.home at gmail.com>
>
> Obviously you do not use clustered environments with more than one node per
> service.
> Else you would not call it "it just works", because in fact the renewal is
> quite big bs as one node must do the job while all the others must be
> _offline_.
>
> --
> Regards,
> Stephan

I use DNS verification for LE certs. Much better since generating certs
only depends on access to DNS and not your HTTP servers. Cert generation
is automatic (on a cron job that runs every night looking for certs that
are within 30 days of expiration). Once set up, it is pretty much
automatic.

I do use Docker to deploy all services for my website which also makes
things pretty easy to manage.

Kevin
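A shell version of the nightly "within 30 days of expiration" check Kevin describes, added here as an example and not code from the thread or from acme.sh/certbot; it assumes the openssl CLI is installed, and the certificate paths and the test-cert helper are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Mirrors the nightly cron job above:
# flag any certificate that is within RENEW_DAYS of its notAfter date.
# Assumes the openssl CLI is installed; certificate paths are placeholders.

RENEW_DAYS=30

# needs_renewal CERT_FILE [DAYS]
#   exit 0 -> expires within DAYS, renew it
#   exit 1 -> still valid for longer than DAYS, nothing to do
#   exit 2 -> missing or unparsable file (a cron job should alert on this)
needs_renewal() {
    cert=$1
    days=${2:-$RENEW_DAYS}
    [ -r "$cert" ] || return 2
    openssl x509 -noout -in "$cert" >/dev/null 2>&1 || return 2
    # -checkend N exits 0 if the cert is still valid N seconds from now
    if openssl x509 -noout -checkend $((days * 86400)) -in "$cert" \
        >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# make_test_cert OUT_FILE DAYS: throwaway self-signed cert valid for DAYS
# (constructed sample input so the example runs offline)
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -days "$2" -subj "/CN=example.invalid" >/dev/null 2>&1
}

# Cron-style driver: report each certificate given on the command line.
for cert in "$@"; do
    rc=0
    needs_renewal "$cert" || rc=$?
    case $rc in
        0) echo "RENEW   $cert (expires within $RENEW_DAYS days)" ;;
        1) echo "OK      $cert" ;;
        *) echo "ERROR   $cert (missing or unreadable)" ;;
    esac
done
```

Run it as `sh check-certs.sh /path/to/cert1.pem /path/to/cert2.pem` from cron and act on the RENEW and ERROR lines.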