[arch-devops] Upgrade SSL CAs to SHA-2
Hello,
I upgraded the luna intermediate CA and RootCA to the new StartSSL certs with SHA-2 signatures.
The *.archlinux.org cert is still using a SHA-1 signature (so no green bar), which expires this April.
Should we move to Letsencrypt or do we still want to use the star certificate?
Cheers,
On 29.02.2016 04:28, Sébastien Luttringer wrote:
> I upgraded the luna intermediate CA and RootCA to the new StartSSL certs with SHA-2 signatures.
I didn't actually know that worked. Interesting.
> Should we move to Letsencrypt or do we still want to use the star certificate?
I don't see a reason why we should pay for certs. We don't need wildcard certs and with letsencrypt we are much more flexible regarding key sizes. For example gudrun currently runs with a 2K RSA key because we otherwise run into serious performance issues.
If you want to set it up, here's a script[1] I use for automatic renewal. It's nothing fancy, but it allows you to easily select the remaining time, which is not the case with letsencrypt-renewer. I prefer to have two months to detect and correct problems rather than just one.
[1] https://git.server-speed.net/users/flo/bin/tree/certrenew
We should also set up automatic renewal on gudrun, but that requires a firewall change. Thomas agreed that this is okay if we put (at least) flyspray into its own networking namespace.
Florian
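The renewal policy Florian describes (renew once fewer than N days remain, with N chosen large enough to leave time to notice a failure) is easy to implement as a small cron-driven script. The following is an added example written for this archive page; it is not the certrenew script linked above and does not reproduce its behaviour. It assumes GNU date (for `date -d`) and openssl are available, and it delegates the actual renewal to a command supplied in the hypothetical RENEW_CMD environment variable rather than hard-coding any letsencrypt client flags.

```shell
#!/bin/sh
# Added example: renew a certificate when fewer than MIN_DAYS remain.
# Not the certrenew script from the thread; assumes GNU date and openssl.
#
# Usage: RENEW_CMD='...' ./certcheck.sh /path/to/cert.pem [MIN_DAYS]
#   MIN_DAYS defaults to 60 (two months, as suggested in the thread).

# days_left NOTAFTER [NOW]
#   NOTAFTER is the line printed by `openssl x509 -noout -enddate`,
#   e.g. "notAfter=Apr 15 12:00:00 2016 GMT" (the prefix is optional).
#   NOW is an epoch timestamp (defaults to the current time; overridable
#   so the arithmetic can be checked offline). Prints whole days remaining,
#   negative once the certificate has expired. Returns 2 on unparseable input.
days_left() {
    dl_notafter=${1#notAfter=}
    dl_now=${2:-$(date -u +%s)}
    dl_exp=$(date -u -d "$dl_notafter" +%s 2>/dev/null) || return 2
    echo $(( (dl_exp - dl_now) / 86400 ))
}

# needs_renewal CERTFILE MIN_DAYS
#   Returns 0 when the certificate in CERTFILE has fewer than MIN_DAYS left,
#   1 when it is still fine, 2 when the file cannot be read or parsed.
needs_renewal() {
    nr_enddate=$(openssl x509 -noout -enddate -in "$1" 2>/dev/null) || return 2
    nr_left=$(days_left "$nr_enddate") || return 2
    [ "$nr_left" -lt "$2" ]
}

main() {
    cert=$1
    min=${2:-60}
    if needs_renewal "$cert" "$min"; then
        echo "$cert: fewer than $min days left, renewing" >&2
        # RENEW_CMD is an assumption of this example: set it to whatever
        # command obtains a fresh certificate for this host, e.g. the
        # letsencrypt client invocation used on that machine.
        sh -c "${RENEW_CMD:?set RENEW_CMD to the renewal command}"
    else
        rc=$?
        [ "$rc" -eq 2 ] && { echo "$cert: cannot read certificate" >&2; return 2; }
        echo "$cert: still valid for at least $min days, nothing to do" >&2
    fi
}

# Only act when invoked with a certificate path (keeps the functions
# usable when this file is sourced).
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it from cron daily; because the threshold is a parameter, the same script can be used with a one-month window on one host and a two-month window on another, and a failing renewal command surfaces as repeated log lines well before the certificate actually expires.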