[arch-devops] Upgrade SSL CAs to SHA-2
Hello,

I upgraded the luna intermediate CA and RootCA to the new StartSSL certs with SHA-2 signatures.

The *.archlinux.org certs are still using a SHA-1 signature (so no green bar), and they expire this April.

Should we move to Letsencrypt or do we still want to use the star certificate?

Cheers,

--
Sébastien "Seblu" Luttringer
https://seblu.net | Twitter: @seblu42
GPG: 0x2072D77A
On 29.02.2016 04:28, Sébastien Luttringer wrote:
> I upgraded the luna intermediate CA and RootCA to the new StartSSL certs with SHA-2 signatures.

I didn't actually know that worked. Interesting.

> Should we move to Letsencrypt or do we still want to use the star certificate?

I don't see a reason why we should pay for certs. We don't need wildcard certs, and with letsencrypt we are much more flexible regarding key sizes. For example, gudrun currently runs with a 2K rsa key because we otherwise run into serious performance issues.

If you want to set it up, here's a script[1] I use for automatic renewal. It's nothing fancy, but it allows you to easily select the remaining time, which is not the case with letsencrypt-renewer. I prefer to have two months to detect and correct problems rather than just one.

[1] https://git.server-speed.net/users/flo/bin/tree/certrenew

We should also set up automatic renewal on gudrun, but that requires a firewall change. Thomas agreed that this is okay if we put (at least) flyspray into its own networking namespace.

Florian
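The two checks this thread revolves around, "is the cert still signed with SHA-1?" and "how many days are left before it expires, and is that under the renewal margin we chose?", can be scripted against `openssl x509 -noout -enddate -text` output. The following is an added example written for this page, not Florian's certrenew script and not part of the thread; the sample output, the April 2016 expiry date and the 60-day margin are constructed to mirror the discussion:

```python
"""Decide whether a certificate needs renewing, from openssl text output.

Added example (not the thread's certrenew script). Input is assumed to be what
`openssl x509 -noout -enddate -text -in cert.pem` prints: a `notAfter=` line
followed by the textual certificate dump, which includes the signature algorithm.
"""
import re
from datetime import datetime, timezone

# Constructed sample: a SHA-1-signed wildcard cert expiring in April 2016,
# roughly the situation described in the thread (values are made up).
SAMPLE_SHA1 = """\
notAfter=Apr 14 23:59:59 2016 GMT
Certificate:
    Data:
        Version: 3 (0x2)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=Example Intermediate CA
        Subject: CN=*.example.org
"""

# Constructed sample: a SHA-256-signed cert with plenty of validity left.
SAMPLE_SHA256 = """\
notAfter=Jun 30 23:59:59 2016 GMT
Certificate:
    Data:
        Version: 3 (0x2)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Example Intermediate CA
        Subject: CN=www.example.org
"""

# openssl prints the date as e.g. "Apr 14 23:59:59 2016 GMT" (day may be space-padded).
_NOT_AFTER_RE = re.compile(r"^notAfter=(.+?)\s*GMT\s*$", re.MULTILINE)
_SIGALG_RE = re.compile(r"Signature Algorithm:\s*(\S+)")


def parse_not_after(text):
    """Return the notAfter timestamp as a timezone-aware UTC datetime."""
    m = _NOT_AFTER_RE.search(text)
    if not m:
        raise ValueError("no notAfter= line in input")
    # strptime treats a space in the format as one-or-more spaces, so "Apr  4" parses too.
    return datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def signature_algorithm(text):
    """Return the first 'Signature Algorithm:' value (the cert's own signature)."""
    m = _SIGALG_RE.search(text)
    if not m:
        raise ValueError("no Signature Algorithm line in input")
    return m.group(1)


def uses_sha1(algorithm):
    """True for sha1WithRSAEncryption, ecdsa-with-SHA1 and similar names."""
    return "sha1" in algorithm.lower()


def days_remaining(text, now):
    """Whole days between `now` and the certificate's notAfter."""
    return (parse_not_after(text) - now).days


def renewal_decision(text, now, min_days=60):
    """Summarise why (or whether) a certificate should be renewed now.

    min_days is the margin Florian argues for: renew when fewer than this many
    days remain, rather than waiting for the last month. A SHA-1 signature is
    also reported as a reason to replace the certificate regardless of expiry.
    """
    alg = signature_algorithm(text)
    left = days_remaining(text, now)
    weak = uses_sha1(alg)
    return {
        "days_left": left,
        "signature_algorithm": alg,
        "weak_signature": weak,
        "renew": weak or left < min_days,
    }


if __name__ == "__main__":
    # Pretend today is the date of the thread's first message.
    today = datetime(2016, 2, 29, 12, 0, tzinfo=timezone.utc)
    for label, sample in (("sha1 wildcard", SAMPLE_SHA1), ("sha256 host", SAMPLE_SHA256)):
        print(label, renewal_decision(sample, today))
```

Pipe real output in with `openssl x509 -noout -enddate -text -in cert.pem | python3 check.py` (after replacing the constructed samples with `sys.stdin.read()`); the `renew` flag is what a cron job would key off, with `min_days` set to the margin the operator wants rather than the fixed one the renewer tool gives.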
participants (2)
- Florian Pritz
- Sébastien Luttringer