On 29.02.2016 04:28, Sébastien Luttringer wrote:

I upgraded the luna intermediate CA and RootCA to the new StartSSL certs with SHA-2 signatures.

I didn't actually know that worked. Interesting.

Should we move to Letsencrypt or do we still want to use the star certificate?

I don't see a reason why we should pay for certs. We don't need wildcard certs and with letsencrypt we are much more flexible regarding key sizes. For example gudrun currently runs with a 2K rsa key because we otherwise run into serious performance issues.

If you want to set it up, here's a script[1] I use for automatic renewal. It's nothing fancy, but it allows to easily select the remaining time which is not the case with letsencrypt-renewer. I prefer to have two months to detect and correct problems rather than just one.

[1] https://git.server-speed.net/users/flo/bin/tree/certrenew

We should also set up automatic renewal on gudrun, but that requires a firewall change. Thomas agreed that this is okay if we put (at least) flyspray into its own networking namespace.

Florian