[opam-devel] [ocaml-infra] expiration SSL certificate

Anil Madhavapeddy anil at recoil.org
Tue Sep 13 09:51:00 BST 2016

On 10 Sep 2016, at 15:42, Xavier Leroy <Xavier.Leroy at inria.fr> wrote:
> On 09/07/2016 04:21 PM, Ashish Agarwal wrote:
>> IIRC, this was particularly relevant for the opam sub-domain, so cc-ing the
>> opam-devel list. Can any opam dev please confirm. If it is still needed, we
>> should act quick to update this.
> I'm positive you need secure connections for lists.ocaml.org as well
> (to protect the passwords of list administrators and subscribers).

That's correct -- the current Gandi SSL certificate had a few subdomains to
deal with as well, so all of those need to be renewed.

I've been experimenting with Letsencrypt on a few other domains, and it
is mostly working fine except that certificates are only issued for 90 days.
This means that it's essential to implement autorenewal via the Acme API,
or else domains will expire rather rapidly.

This is generally a good excuse to examine the state of the various
infrastructures to determine how auto-update friendly they all are. There
is an ocaml-acme client under development at:
...but it requires a release of OCaml-X509 to expose some extra CSR
information.  Hannes, is there a release of that scheduled, or should I
look at an alternative mechanism for our auto-updated certs?

> Now that Anil is a successful businessman, who is administering the
> *.ocaml.org Web servers and DNS ?

Happily, this businessman is still administering the servers, albeit with
a slightly higher latency...


More information about the opam-devel mailing list