On 12/06/2015 06:41 AM, Georg Baum wrote:
> Christian Ridderström wrote:
>
>> Note: The LE client needs root access, e.g. to stop/start apache, and to
>> do other stuff in order to prove to the LE servers that we (i.e. the
>> server) really are the one controlling www.lyx.org and wiki.lyx.org. The
>> cron job then also needs root/sudo in order to update the client.
> Giving root access to the LE client is IMHO a no-go. It means you need to
> trust a relatively new piece of code which is controlled from outside (even
> worse). See also this (German) blog entry: http://blog.fefe.de/?ts=a89f4ed6
>
> It is a rant, but as usual for Fefe it contains some substantial reasoning
> as well.
>
> If Letsencrypt does not allow to download the certificate manually, so that
> it can be installed manually in a trusted environment, some other
> certificate provider should be used IMHO.

This does seem to be possible, but needs some investigation. See
https://community.letsencrypt.org/t/i-just-want-a-certificate/5331/10
for some of the relevant details.

I intend to play around with this, as I said in a different email, on my
own server. If I get it working there, I can do it also on lyx.org, with
documentation about how it works. The one downside will be the need to
update the certificate manually every three months.

Richard