On 16-09-28 04:55 AM, li...@lazygranch.com wrote:
> I didn't like the Let's Encrypt 90 day deal with mysterious upload to your
> server.
While I do not like to grant root access to a third-party controlled process on my server, there are good alternatives, and the only things that I upload to my server are the resulting certificates, like with any CA. With a little bit of scripting it can all be automated.

My current solution is still sketchy and works for me (single Digital Ocean account with one server to be updated), but it can scale easily and is built on the shoulders of giants that make sure more than just Digital Ocean is supported: https://github.com/lukas2511/dehydrated

My favorite form of verification is the DNS challenge, because it does not disrupt the server's operation, except for a quick restart to recognize the new certificate.

Disclaimer: I am a lawyer and only a tinkerer when it comes to IT. Please point out the deficiencies in my solution and help me improve.

Every 90 days, at every iteration, my process becomes better and has now boiled down to checking whether there have been changes and running some commands/scripts that do not take more than a few minutes of my time.

cd ~/src/letsencrypt
wget https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem
cd dehydrated
git pull
cd ../certificates_ACCOUNT_X
export LEXICON_DIGITALOCEAN_TOKEN=<the_DO_account_token>
PROVIDER=digitalocean ../dehydrated/dehydrated --cron --hook letsencrypt.default.sh --challenge dns-01 -x
# Do other things while the certificates are being generated
../automate.sh
ssh SERVER
sudo ./deploy.sh
sudo service nginx restart
sudo service postfix restart

The above assumes that you have configured dehydrated and your DNS hosting account.
automate.sh is something like this:

#!/usr/bin/env bash
# Run from the certificates_ACCOUNT_X directory once dehydrated has finished.
# Builds one key+cert+chain file per domain, copies it to the server and
# generates deploy.sh, which is then run on the server as root.
set -e

USER='admin'
SERVER='server_entry_in_.ssh/config'
DESTINATION='/home/admin'
# the intermediate downloaded by the wget step above
CHAIN="$HOME/src/letsencrypt/lets-encrypt-x3-cross-signed.pem"

# deploy.sh is regenerated from scratch on every run
echo '#!/usr/bin/env bash' > deploy.sh

for DOMAIN in certs/*/; do
    DOMAIN=$(basename "$DOMAIN")
    echo "$DOMAIN"
    cd "certs/$DOMAIN"
    # private key, certificate and intermediate in one file, in that order
    cat privkey.pem cert.pem "$CHAIN" > "$DOMAIN.pem"
    rsync -avz "$DOMAIN.pem" "$USER@$SERVER:$DESTINATION"
    echo "chmod 400 $DESTINATION/$DOMAIN.pem" >> ../../deploy.sh
    echo "chown root:root $DESTINATION/$DOMAIN.pem" >> ../../deploy.sh
    # domains that are used for mail+web
    if [ "$DOMAIN" = "mxserver.example.com" ]; then
        echo "mv $DESTINATION/$DOMAIN.pem /etc/postfix/ssl/" >> ../../deploy.sh
    # domains that are used for web only
    else
        echo "mv $DESTINATION/$DOMAIN.pem /etc/nginx/ssl/" >> ../../deploy.sh
    fi
    cd ../../
done

chmod +x deploy.sh
rsync -avz deploy.sh "$USER@$SERVER:$DESTINATION"

I am only progressing very slowly on this, tweaking it every 90 days, because it is already at a point where it does not bother me. The Let's Encrypt certificates are great. They are recognized by my Android devices when syncing CardDAV/CalDAV; Postfix seems to like them and so does Dovecot. The short life span is actually a neat feature that keeps the ecosystem safe and revocation lists shorter.

Yuv
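As an added example (not Yuv's scripts and not part of dehydrated), a stricter version of the install step that deploy.sh performs: it refuses a combined file whose layout is not key-then-certificates, installs it atomically with mode 0400, and reports whether the file actually changed so the nginx/postfix restarts can be skipped when it did not. The paths in the comments are the ones from the post; openssl is assumed only for the optional key/certificate match.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: a stricter install step for the
# combined key+cert+chain files that automate.sh builds.
set -eu

# Sanity-check a combined PEM: exactly one private key, at least two
# certificates (leaf + intermediate), and the private key first, which is
# the order automate.sh produces and what nginx/Postfix read from one file.
check_bundle() {
    local bundle="$1" keys certs first
    keys=$(grep -c -E '^-----BEGIN (RSA |EC )?PRIVATE KEY-----$' "$bundle" || true)
    certs=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$bundle" || true)
    first=$(grep '^-----BEGIN' "$bundle" | head -n 1)
    [ "$keys" -eq 1 ] || return 1
    [ "$certs" -ge 2 ] || return 1
    case "$first" in *"PRIVATE KEY"*) return 0 ;; *) return 1 ;; esac
}

# Stronger check where openssl is available (assumed, not required above):
# the private key and the first (leaf) certificate must share a public key,
# so a key/cert mix-up between domains is caught before the restart.
key_matches_cert() {
    local kpub cpub
    kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cpub=$(openssl x509 -in "$1" -pubkey -noout 2>/dev/null) || return 1
    [ "$kpub" = "$cpub" ]
}

# Install SRC as DEST with mode 0400 (and owner OWNER, if given) by writing a
# temp file in the target directory and renaming it, so a service never sees
# a half-written file. Prints "changed" or "unchanged" so the caller can skip
# the restart when the certificate did not actually change.
install_bundle() {
    local src="$1" dest="$2" owner="${3:-}" tmp
    check_bundle "$src" || { echo "refusing to install $src: bad bundle" >&2; return 1; }
    if [ -f "$dest" ] && cmp -s "$src" "$dest"; then
        echo unchanged
        return 0
    fi
    tmp=$(mktemp "$(dirname "$dest")/.pem.XXXXXX")
    cat "$src" > "$tmp"
    chmod 400 "$tmp"
    [ -z "$owner" ] || chown "$owner" "$tmp"
    mv -f "$tmp" "$dest"
    echo changed
}

# Example use on the server (as root), in place of the mv lines of deploy.sh:
#   install_bundle /home/admin/example.com.pem /etc/nginx/ssl/example.com.pem root:root \
#       | grep -q changed && service nginx restart
```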