Michael Orilitzky: ... > * The LetsEncrypt certificates expire after three months, as opposed > to 10+ years for a self-signed certificate. You're supposed to > automate this... by running a script as root that takes input from > the web? I'd rather not do that.
You can run most part of it as an unpriviliged user, here is my crontab: 0 0 1 * * acme /usr/local/sbin/acme_update.sh 10 0 1 * * root cat /etc/acme-tiny/domain.key /var/acme-tiny/signed_chain.crt > /etc/lighttpd/server.pem 20 0 1 * * root /etc/init.d/lighttpd restart One could add a check to make sure that the downloaded crt is sensible. > * LetsEncrypt verifies your identity over plain HTTP (like every other > commercial CA), so it's all security theater in the first place. ... Ack. Regards, /Karl Hammar
