Karl: > Michael Orilitzky: Sorry, I mistyped, it should be: Peter Humphrey
> ... > > * The LetsEncrypt certificates expire after three months, as opposed > > to 10+ years for a self-signed certificate. You're supposed to > > automate this... by running a script as root that takes input from > > the web? I'd rather not do that. > > You can run most part of it as an unpriviliged user, here is my crontab: > 0 0 1 * * acme /usr/local/sbin/acme_update.sh > 10 0 1 * * root cat /etc/acme-tiny/domain.key > /var/acme-tiny/signed_chain.crt > /etc/lighttpd/server.pem > 20 0 1 * * root /etc/init.d/lighttpd restart > > One could add a check to make sure that the downloaded crt is sensible. > > > * LetsEncrypt verifies your identity over plain HTTP (like every other > > commercial CA), so it's all security theater in the first place. > ... > > Ack. Regards, /Karl Hammar
