[conspire] Lets Encrypt
Ruben Safir
ruben at mrbrklyn.com
Thu May 7 07:08:34 PDT 2020
On Wed, May 06, 2020 at 10:01:09PM -0700, Michael Paoli wrote:
> >From: "Rick Moen" <rick at linuxmafia.com>
> >Subject: Re: [conspire] Lets Encrypt
> >Date: Wed, 6 May 2020 20:46:07 -0700
>
> >Quoting Michael Paoli (Michael.Paoli at cal.berkeley.edu):
> >
> >>>From: "Ruben Safir" <ruben at mrbrklyn.com>
> >>>Subject: [conspire] Lets Encrypt
> >>>Date: Wed, 6 May 2020 16:11:55 -0400
>
> >>>Has anyone used it successfully?
> >>
> >>Heck yeah! Been usin' it for years now!
> >>It's not *that* hard.
> >
> >I think Ruben might appreciate a look at your implementation scripts,
> >Michael.
>
> Yup, ... watch this space for updates. ;-)
>
Thanks
I am sick of banging my head on this. I wish I could do this
with a wildcard domain, which evidently needs to be done through
DNS. Their instructions (IMO) are completely incoherent on this.
> In the meantime, for starters on part of that ...
>
> So, part of that infrastructure ... to do and also automate
> wildcard certs ... verification of those with letsencrypt.org CA
> requires verification via DNS. And to automate that, I'm using
> dynamic update on DNS. With BIND9 (not the only possible way,
> but the way I've implemented it). So, anyway, that bit of
> infrastructure, also on Debian (now on stable), with bind9,
> dynamic updates, also have chroot and DNSSEC.
>
> Anyway, recently, I updated/fixed fair bit 'o relevant stuff
> on Debian's wiki pages. So, to look over a lot of how one might
> typically set much of that up, have a look around these wiki
> pages ... note also, some of them cover various methods and versions,
> so one might be well advised to read (or at least skim) all of the
> relevant pages first, rather than just dive in and try and do it
> straight step-by-step. Notably also, with the chroot stuff,
> as noted on some of the applicable wiki page(s), I've got it
> set up with symbolic link(s) and bind mount(s) ... so the
> chroot stuff not only works in the chroot, but also functions (or
> will/would) function outside of the chroot ... but notably and
> conveniently along with that, most stuff outside the chroot that
> does/would interact with it, can do quite seamlessly, as if it
> wasn't in the chroot ... notably accessing requisite bits with
> same logical paths (via symbolic link(s) and/or bind mounts).
> Anyway, wiki pages:
> https://wiki.debian.org/Bind9
> https://wiki.debian.org/DNSSEC%20Howto%20for%20BIND%209.9+
> https://wiki.debian.org/DNSSEC
> The above wiki pages may not (well?) cover dynamic DNS, but for
> BIND9, that's quite well covered in the BIND9 documentation:
> https://kb.isc.org/docs/aa-01031 (be sure to look at the specific
> corresponding version), and isn't particularly Debian-specific.
> (and as I peek at wiki pages, I see a reference link that ought be
> improved ... time for me to do that :-))
>
> "Of course" if one isn't doing any wildcards, can verify via specific
> placed text bits on, e.g. webserver - so could potentially go that
> route and not have to muck with DNS at all for verification for
> obtaining certs. But DNS is more flexible verification, can do
> those *and* validate for wildcard certs if/as desired.
>
--
So many immigrant groups have swept through our town
that Brooklyn, like Atlantis, reaches mythological
proportions in the mind of the world - RI Safir 1998
http://www.mrbrklyn.com
DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002
http://www.nylxs.com - Leadership Development in Free Software
http://www2.mrbrklyn.com/resources - Unpublished Archive
http://www.coinhangout.com - coins!
http://www.brooklyn-living.com
Being so tracked is for FARM ANIMALS and extermination camps,
but incompatible with living as a free human being. -RI Safir 2013
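The DNS route Michael describes above (wildcard validation automated through BIND9 dynamic updates), as an added example that is not part of the thread or of anyone's posted scripts: a certbot auth/cleanup hook that builds an nsupdate batch for the _acme-challenge TXT record and waits until the authoritative server serves it. The server name ns1.example.com, zone example.com, TSIG key file /etc/bind/acme.key and key name acme-key are hypothetical; CERTBOT_DOMAIN and CERTBOT_VALIDATION are the variables certbot itself exports to manual hooks.

```shell
#!/bin/sh
# Added example (not from the thread): certbot DNS-01 auth/cleanup hook that publishes the
# challenge TXT record via BIND9 dynamic update (nsupdate + TSIG). Hypothetical values below:
# server ns1.example.com, zone example.com, key /etc/bind/acme.key. Grant the key only what it
# needs in named.conf: update-policy { grant acme-key. name _acme-challenge.example.com. TXT; };
set -e
NS_SERVER=${ACME_NS_SERVER:-ns1.example.com}
ZONE=${ACME_ZONE:-example.com}
TSIG_KEY=${ACME_TSIG_KEY:-/etc/bind/acme.key}

# Challenge label for a name. "*.example.com" is validated at _acme-challenge.example.com,
# the same label as the apex, so a cert covering both ends up with two TXT records there.
acme_label() {
    printf '_acme-challenge.%s.' "${1#\*.}"
}
# nsupdate batch adding one challenge record. "add" only, never "delete" first: certbot runs
# the hook once per name, and a delete would discard the apex record while adding the wildcard's.
acme_nsupdate_add() {
    printf 'server %s\nzone %s\nupdate add %s 60 IN TXT "%s"\nsend\n' \
        "$NS_SERVER" "$ZONE" "$(acme_label "$1")" "$2"
}
# Cleanup batch: remove every TXT record at the label once validation has finished.
acme_nsupdate_delete() {
    printf 'server %s\nzone %s\nupdate delete %s TXT\nsend\n' \
        "$NS_SERVER" "$ZONE" "$(acme_label "$1")"
}
# Poll the authoritative server (not a recursive cache) until the record is visible, so the
# hook does not return before the CA can see it. 30 tries, 2 s apart.
acme_wait_visible() {
    i=0
    while [ "$i" -lt 30 ]; do
        if dig +short @"$NS_SERVER" "$(acme_label "$1")" TXT | grep -qF "\"$2\""; then
            return 0
        fi
        i=$((i + 1)); sleep 2
    done
    echo "challenge record for $1 not visible on $NS_SERVER" >&2
    return 1
}
# certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to both hooks; invoke as
# --manual-auth-hook "/path/hook.sh auth" --manual-cleanup-hook "/path/hook.sh cleanup".
if [ -n "${CERTBOT_DOMAIN:-}" ]; then
    case "${1:-auth}" in
        auth)    acme_nsupdate_add "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" | nsupdate -k "$TSIG_KEY"
                 acme_wait_visible "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" ;;
        cleanup) acme_nsupdate_delete "$CERTBOT_DOMAIN" | nsupdate -k "$TSIG_KEY" ;;
    esac
fi
```

Because the TSIG key is restricted to TXT at a single name, a leaked key on the certbot host cannot rewrite the rest of the zone.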