On Mon, Apr 11, 2016 at 3:41 AM, Jonathan Dowland <j...@debian.org> wrote: > On Mon, Apr 11, 2016 at 03:18:58PM +0530, Pirate Praveen wrote: >> 1.Most people in the world including myself thought encryption was an >> optional thing two years back. >> >> 2.automating ssl was not possible before letsencrypt. Now you just need to >> click/press yes button to get an encrypted service running. > > The "normal" way this was done before letsencrypt was with the 'snake oil' > local SSL CA/cert and self-signing. Obviously not suitable for production use, > but perfectly fine for an initial install/testing; it is also simpler than > worrying about talking to LE (especially in a postinst/root/possibly > unattended > context) and a more appropriate initial state for a private/corporate install. >
I feel like tossing in my two cents as well since this would likely impact me down the road... I'm also against a package such as gitlab (or drupal, wordpress, dokuwiki, etc.) trying to mess around with my TLS certificates. I'm also very much opposed to it even being a prompt during installation. I'm well aware that gitlab-ci is a beast (and a kludgy mess... god save your soul taking on that feller), but an initial installation should be getting things going and being out of the users face. In most situations, I would venture a guess that gitlab is sitting on internal servers and not publicly accessible. That kinda puts a damper on nice automated ssl with letsencrypt, doesn't it? (k.. not always, but in the typical situation) However, that old option with snakeoil... that still works in these environments. I personally use the letsencrypt infrastructure for some projects, but refuse to use their incredibly bloated client stuff. I use alternative client tools that suite my needs much better than the letsencrypt app does. If anything, shouldn't it be the web server (nginx, tengine, etc.) that would "suggest" letsencrypt? They won't recommend/suggest that package because SSL is a separate thing entirely. I would dare say, at this point, most admins that care about encryption also implement automation tools such as salt and ansible and already have well tested systems in place for certificates. In this particular case, I would suggest first making letsencrypt a Suggests. Then, I would suggest considering snakeoil for the https or just installing with http-only and providing a documented tool for moving to using letsencrypt. You and I both know that we're only talking about a web server configuration... shouldn't the web server be the one suggesting it? ... it doesn't because the web server packages consider SSL/TLS to be its own thing entirely that shouldn't be mixed in with other package deployments. tl;dr .. my opinion: letsencrypt should be a suggests; gitlab should do either https or do a self-signed cert; and letsencrypt integration should come post-install Just my opinions/thoughts. :)
