> I have looked at various ways of doing this, but it isn't trivial and it
> has absolutely nothing to do with the actual html and slapping in some
> https links instead of http. The problem here is that we have external
> volunteers running all our mirrors and we do geo-dns for www.php.net to
> your geographically close mirror site. Putting the private key for
> www.php.net on dozens of servers around the world we don't control is a
> non-starter.

I expected something like that. How does it work then that https://www.php.net and https://php.net can redirect to https://secure.php.net? I must be reaching a server with a valid certificate, otherwise that wouldn't work. If putting a private key for php.net doesn't work, then we should get rid of these mirrors ASAP IMO.

> One way that I played with was to use letsencrypt and have each mirror
> request an ssl cert for their local mirror, ca1.php.net, for example, and
> include a CN alias for www.php.net in that request. Then we would run
> a domain validation gateway/proxy on www.php.net which would validate these
> requests on behalf of the mirrors. But there are some security issues with
> this approach that I haven't quite thought through. I would love to hear
> suggestions for perhaps a simpler solution to this problem that doesn't
> require pasting our private key all over the internet.

They can also just request them themselves, but only for their mirror domain. If you allow them to issue for www.php.net, you can as well just put the current private key there.

Regards,
Niklas
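As an added illustration of the two mechanisms the thread is arguing about (this is example code written for this page, not code from the thread or from php.net's infrastructure): first, how a TLS client matches a hostname against a certificate's subjectAltName list, which is why a mirror certificate carrying www.php.net as an extra name is accepted for www.php.net exactly as the real one would be; second, a model of the proposed ACME HTTP-01 "validation gateway/proxy", where each mirror registers the key authorization for its own challenge token and the gateway answers the CA's request for `/.well-known/acme-challenge/<token>`. The function and class names (`san_matches`, `ChallengeGateway`, `ca_accepts`), the tokens and the account-key JWK are all assumptions constructed for the example; only the hostnames ca1.php.net and www.php.net come from the thread.

```python
"""Added example: SAN hostname matching and an ACME HTTP-01 challenge gateway.
Standard library only; all tokens, keys and hostnames are constructed sample data."""
import base64
import hashlib
import json
from typing import Dict, Iterable, Optional, Tuple

ACME_CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
_TOKEN_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_")


def _b64url(data: bytes) -> str:
    # base64url without padding, the encoding ACME (RFC 8555) uses throughout
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    # RFC 7638: SHA-256 over the required members, sorted, no whitespace
    required = {"kty", "n", "e"} if jwk["kty"] == "RSA" else {"kty", "crv", "x", "y"}
    canonical = json.dumps({k: jwk[k] for k in sorted(required)}, separators=(",", ":"))
    return _b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: Dict[str, str]) -> str:
    # RFC 8555 section 8.1: keyAuthorization = token || "." || thumbprint(accountKey)
    return f"{token}.{jwk_thumbprint(jwk)}"


def san_matches(hostname: str, sans: Iterable[str]) -> bool:
    """RFC 6125-style DNS name matching: exact match, or a wildcard covering one label."""
    host = hostname.lower().rstrip(".")
    for san in sans:
        san = san.lower().rstrip(".")
        if san.startswith("*."):
            # "*.php.net" covers "ca1.php.net" but neither "php.net" nor "a.b.php.net"
            if host.count(".") == san.count(".") and host.endswith(san[1:]):
                return True
        elif san == host:
            return True
    return False


class ChallengeGateway:
    """Hypothetical gateway on www.php.net serving HTTP-01 responses for the mirrors.

    Only hosts in allowed_mirrors may register a token, and a token can be
    registered once; the gateway never sees any private key.
    """

    def __init__(self, allowed_mirrors: Iterable[str]) -> None:
        self.allowed = {m.lower() for m in allowed_mirrors}
        self.tokens: Dict[str, Tuple[str, str]] = {}  # token -> (mirror, key authorization)

    def register(self, mirror: str, token: str, key_auth: str) -> bool:
        mirror = mirror.lower()
        if mirror not in self.allowed or token in self.tokens:
            return False
        # ACME tokens are base64url; refuse anything that could be a path trick
        if not token or any(c not in _TOKEN_ALPHABET for c in token):
            return False
        self.tokens[token] = (mirror, key_auth)
        return True

    def serve(self, path: str) -> Optional[str]:
        """Body returned for a GET of `path`, or None for a 404."""
        if not path.startswith(ACME_CHALLENGE_PREFIX):
            return None
        entry = self.tokens.get(path[len(ACME_CHALLENGE_PREFIX):])
        return entry[1] if entry else None


def ca_accepts(served_body: Optional[str], token: str, jwk: Dict[str, str]) -> bool:
    """The CA side of HTTP-01: the served body must equal the expected key authorization."""
    return served_body is not None and served_body.strip() == key_authorization(token, jwk)


# Constructed sample account key (only hashed, so the coordinates need not be a real point)
MIRROR_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}

if __name__ == "__main__":
    print("mirror cert with www.php.net SAN accepted for www.php.net:",
          san_matches("www.php.net", ["ca1.php.net", "www.php.net"]))
    print("mirror-only cert accepted for www.php.net:",
          san_matches("www.php.net", ["ca1.php.net"]))
    gw = ChallengeGateway(["ca1.php.net"])
    ka = key_authorization("tok-1", MIRROR_JWK)
    gw.register("ca1.php.net", "tok-1", ka)
    print("CA validates proxied challenge:",
          ca_accepts(gw.serve(ACME_CHALLENGE_PREFIX + "tok-1"), "tok-1", MIRROR_JWK))
```

The matching function makes the point behind Niklas's last sentence concrete: a client does not care which mirror's key signed the handshake, only that some SAN on the presented certificate matches www.php.net, so a mirror certificate with that name is as good as the central key for any client that reaches that mirror. The gateway model shows what the proxy actually has to hold (token to key-authorization mappings, nothing secret) and where the policy decision sits: whoever is allowed to register a token for a www.php.net challenge is whoever can obtain a www.php.net certificate.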