[ocaml-infra] expiration SSL certificate

François Bobot francois.bobot at cea.fr
Tue Sep 13 13:26:36 BST 2016


On 13/09/2016 10:51, Anil Madhavapeddy wrote:
> On 10 Sep 2016, at 15:42, Xavier Leroy <Xavier.Leroy at inria.fr> wrote:
>>
>> On 09/07/2016 04:21 PM, Ashish Agarwal wrote:
>>> IIRC, this was particularly relevant for the opam sub-domain, so cc-ing the
>>> opam-devel list. Can any opam dev please confirm. If it is still needed, we
>>> should act quick to update this.
>>
>> I'm positive you need secure connections for lists.ocaml.org as well
>> (to protect the passwords of list administrators and subscribers).
>
> That's correct -- the current Gandi SSL certificate had a few subdomains to
> deal with as well, so all of those need to be renewed.
>
> I've been experimenting with Letsencrypt on a few other domains, and it
> is mostly working fine except that certificates are only issued for 90 days.
> This means that it's essential to implement autorenewal via the Acme API,
> or else domains will expire rather rapidly.
>

The auto-renewal tools that already exist (even if not in OCaml) are working very well, and are 
easy to deploy. On Debian testing the package certbot is very straightforward to use in webroot 
mode with any webserver that can serve files for "http://mydomain.org/.well-known/acme-challenge/*" 
from a directory and that can be reloaded/restarted to take into account the new keys. The cronjob 
is already configured.

-- 
François
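
Webroot mode as described in the message above, as an added example that is not from the thread or the certbot project: it assumes nginx, a webroot of /var/www/acme and the thread's placeholder domain mydomain.org, and it checks that the challenge directory is really served over plain HTTP before calling certbot, since an unserved directory is the usual reason webroot validation fails.

```shell
#!/bin/sh
# Added example (not from the thread): certbot in webroot mode with a pre-flight
# check and a reload hook. Assumed: nginx, webroot /var/www/acme, placeholder domain.
set -eu

WEBROOT="${WEBROOT:-/var/www/acme}"   # directory nginx maps to /.well-known/acme-challenge/
DOMAIN="${DOMAIN:-mydomain.org}"       # placeholder from the thread, not a real deployment
RELOAD_CMD="${RELOAD_CMD:-systemctl reload nginx}"

# Path under the webroot where certbot drops challenge tokens.
challenge_dir() {
    printf '%s/.well-known/acme-challenge' "$1"
}

# URL the CA's validation servers fetch for a given token (plain HTTP, port 80).
challenge_url() {
    printf 'http://%s/.well-known/acme-challenge/%s' "$1" "$2"
}

# nginx location that keeps the challenge directory reachable even when the rest
# of the port-80 server block redirects to HTTPS; prints the snippet to include.
nginx_acme_location() {
    printf 'location ^~ /.well-known/acme-challenge/ {\n    root %s;\n    default_type text/plain;\n}\n' "$1"
}

# Plant a throwaway token and fetch it back the way the CA would; fails if the
# webserver does not actually serve the directory.
webroot_selfcheck() {
    dir=$(challenge_dir "$WEBROOT")
    mkdir -p "$dir"
    token="selfcheck-$$-$(date +%s)"
    printf '%s' "$token" > "$dir/$token"
    got=$(curl -fsS "$(challenge_url "$DOMAIN" "$token")" || true)
    rm -f "$dir/$token"
    [ "$got" = "$token" ]
}

# First issuance (interactive on first run). --deploy-hook is stored in the renewal
# config, so the packaged 'certbot renew' cron job reloads nginx after each renewal.
issue_cert() {
    certbot certonly --webroot -w "$WEBROOT" -d "$DOMAIN" --deploy-hook "$RELOAD_CMD"
}

# Only act when invoked explicitly; sourcing the file just defines the functions.
if [ "${1:-}" = "--run" ]; then
    webroot_selfcheck || { echo "webroot not served for $DOMAIN" >&2; exit 1; }
    issue_cert
fi
```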
