Opened 5 months ago

Closed 4 months ago

#13822 closed Bug/Something is broken (fixed)

SSL Cert for barghouti.mayfirst.org

Reported by: https://id.mayfirst.org/endisolation Owned by: https://id.mayfirst.org/jaimev
Priority: Medium Component: Tech
Keywords: LetsEncrypt Cc: https://id.mayfirst.org/jamie
Sensitive: no

Description

When I visit a site using the barghouti.mayfirst.org address, the browser tells me my clock is ahead... I don't believe I can fix it myself!

Subject: barghouti.mayfirst.org
Issuer: COMODO RSA Domain Validation Secure Server CA
Expires on: Jun 7, 2018
Current date: Jun 25, 2018

Change History (4)

comment:1 Changed 5 months ago by https://id.mayfirst.org/jaimev

  • Cc https://id.mayfirst.org/jamie added
  • Keywords LetsEncrypt added
  • Owner set to https://id.mayfirst.org/jaimev
  • Status changed from new to assigned

I've just removed ntp so that systemd-timesyncd should make sure the date and time are synced. I think we can also replace this cert with a LetsEncrypt cert, copying jamie here with a question first though.

jamie, looking at our current setup I don't think we've created a way to automatically create LetsEncrypt certs through puppet for non-mosh servers? Should I just go ahead with using mf-certbot to do this semi-manually, and create an apache config to allow for renewal?

comment:2 Changed 5 months ago by https://id.mayfirst.org/jamie

Yes - that's the way to do it.

comment:3 Changed 5 months ago by https://id.mayfirst.org/jaimev

  • Resolution set to fixed
  • Status changed from assigned to feedback

Ok, this is set up now. To do this I've split out the VirtualHost stanzas referencing ServerName barghouti.mayfirst.org from your apache config /etc/apache2/sites-enabled/vianey_proxy.conf into its own /etc/apache2/sites-enabled/barghouti.mayfirst.org.conf and added a DocumentRoot and a rewrite exception allowing LetsEncrypt challenges under the ".well-known/" path to be read from /var/www.

The old cert and key have been converted into symlinks pointing to the LetsEncrypt certs. Also I included the new --renew-hook option to instruct certbot to reload apache2 when the certificate renews.
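For readers reconstructing the setup described in the comment above, here is an added example of what such a split-out vhost file can look like. It is not the ticket's actual /etc/apache2/sites-enabled/barghouti.mayfirst.org.conf; the hostname, the /var/www webroot and the certbot --renew-hook come from the ticket, while the backend address and the Let's Encrypt live paths are assumptions marked as placeholders.

```apache
# Added example, not the ticket's real config. Dedicated vhost so that ACME
# HTTP-01 challenges are answered from /var/www before any proxy or rewrite
# rule that applies to the rest of the site.

<VirtualHost *:80>
    ServerName barghouti.mayfirst.org
    DocumentRoot /var/www

    # Allow Apache to serve challenge tokens certbot writes under the webroot
    <Directory /var/www/.well-known/acme-challenge>
        Options None
        Require all granted
    </Directory>

    RewriteEngine On
    # Exception: never rewrite or redirect ACME challenge requests,
    # otherwise renewals fail once the proxy/redirect rules kick in
    RewriteRule ^/\.well-known/acme-challenge/ - [L]
    # Everything else is sent to HTTPS
    RewriteRule ^/(.*)$ https://barghouti.mayfirst.org/$1 [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName barghouti.mayfirst.org
    SSLEngine on
    # Placeholder paths: the old cert/key locations are symlinked to the
    # certbot "live" directory so renewals are picked up on reload
    SSLCertificateFile    /etc/letsencrypt/live/barghouti.mayfirst.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/barghouti.mayfirst.org/privkey.pem

    # Placeholder backend; the real target lives in the proxy config the
    # stanza was split out of
    ProxyPreserveHost On
    ProxyPass        / http://BACKEND-PLACEHOLDER/
    ProxyPassReverse / http://BACKEND-PLACEHOLDER/
</VirtualHost>

# Matching renewal invocation (a comment here, since this is a config file):
#   certbot renew --webroot -w /var/www --renew-hook "systemctl reload apache2"
```

Two things worth checking after such a change: request `http://barghouti.mayfirst.org/.well-known/acme-challenge/test` with a file placed under /var/www and confirm it is served with a 200 rather than redirected, and confirm the reload hook fires, since a renewed certificate on disk does nothing until Apache re-reads it. Newer certbot releases name the same option `--deploy-hook`; `--renew-hook` still works but is the older spelling.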

comment:4 Changed 4 months ago by automatic

  • Status changed from feedback to closed

No news is good news (we hope)! Given the lack of feedback, we think this ticket can be closed.
