On 29.02.2016 04:28, Sébastien Luttringer wrote:
> I upgraded the luna intermediate CA and RootCA to the new StartSSL certs with SHA-2 signatures.
I didn't actually know that worked. Interesting.

> Should we move to Letsencrypt or do we still want to use the star certificate?
I don't see a reason why we should pay for certs. We don't need wildcard certs, and with letsencrypt we are much more flexible regarding key sizes. For example, gudrun currently runs with a 2K RSA key because we otherwise run into serious performance issues.

If you want to set it up, here's a script[1] I use for automatic renewal. It's nothing fancy, but it allows one to easily select the remaining time, which is not the case with letsencrypt-renewer. I prefer to have two months to detect and correct problems rather than just one.

[1] https://git.server-speed.net/users/flo/bin/tree/certrenew

We should also set up automatic renewal on gudrun, but that requires a firewall change. Thomas agreed that this is okay if we put (at least) flyspray into its own networking namespace.

Florian
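As an added example for this thread (it is not the certrenew script linked above, nor anything the Arch infrastructure team published), here is a minimal POSIX sh renewal check implementing the policy Florian describes: renew only when fewer than a chosen number of days of validity remain, so the threshold (two months rather than letsencrypt-renewer's one) is a parameter. It uses `openssl x509 -checkend` for the expiry test, so no date parsing is needed. The certificate path, the 60-day threshold, the domain and the letsencrypt invocation in the usage comment are placeholders assumed for illustration.

```shell
#!/bin/sh
# Renew a certificate only when fewer than MIN_DAYS of validity remain.
# Example code for this thread; not the certrenew script linked above.
# Assumed for illustration: the cert path, the threshold and the renew command
# are all passed on the command line (see the usage comment at the bottom).
set -u

# cert_ok CERT DAYS
# Returns 0 when CERT is readable and still valid for at least DAYS more days.
# A missing or unparsable file returns non-zero too, so a host without a cert
# yet falls through to the renewal path on the first run.
cert_ok() {
    cert="$1"
    secs=$(( $2 * 86400 ))
    openssl x509 -checkend "$secs" -noout -in "$cert" >/dev/null 2>&1
}

# days_left CERT
# Prints the whole days of validity remaining (0 if expired or unreadable),
# found by binary search over -checkend so no date arithmetic is needed.
days_left() {
    cert="$1"
    lo=0; hi=3660   # ~10 years, beyond any CA's maximum lifetime
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if cert_ok "$cert" "$mid"; then lo=$mid; else hi=$(( mid - 1 )); fi
    done
    echo "$lo"
}

# renew_if_needed CERT MIN_DAYS RENEW_CMD [ARGS...]
# Runs RENEW_CMD only when CERT has fewer than MIN_DAYS left.
# Exit status: 0 if a renewal was run, 2 if nothing was needed,
# otherwise the renew command's own failure code.
renew_if_needed() {
    cert="$1"; min_days="$2"; shift 2
    if cert_ok "$cert" "$min_days"; then
        echo "$cert: $(days_left "$cert") days left, more than $min_days; nothing to do" >&2
        return 2
    fi
    echo "$cert: fewer than $min_days days left, renewing" >&2
    "$@"
}

# Invoked as a script: certrenew.sh CERT MIN_DAYS RENEW_CMD...
# Placeholder invocation (paths, domain and client flags are assumptions):
#   certrenew.sh /etc/letsencrypt/live/example.org/fullchain.pem 60 \
#       letsencrypt certonly --webroot -w /srv/http -d example.org --rsa-key-size 2048
case "$#" in
    0) ;;   # sourced or run without arguments: only define the functions
    1|2) echo "usage: $0 CERT MIN_DAYS RENEW_CMD [ARGS...]" >&2; exit 64 ;;
    *) renew_if_needed "$@" ;;
esac
```

Run it daily from cron; the distinct exit status 2 for "nothing to do" lets a wrapper tell a skipped run from a failed renewal, and a reload of the web server belongs in the renew command (or a hook after it), not in the check.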