[arch-devops] Upgrade SSL CAs to SHA-2
bluewind at xinu.at
Mon Feb 29 08:40:37 UTC 2016
On 29.02.2016 04:28, Sébastien Luttringer wrote:
> I upgraded the luna intermediate CA and RootCA to the new StartSSL certs with
> SHA-2 signatures.

I didn't actually know that worked. Interesting.

> Should we move to Letsencrypt or do we still want to use the star certificate?

I don't see a reason why we should pay for certs. We don't need wildcard
certs and with letsencrypt we are much more flexible regarding key
sizes. For example gudrun currently runs with a 2K RSA key because we
otherwise run into serious performance issues.

If you want to set it up, here's a script I use for automatic
renewal. It's nothing fancy, but it allows you to easily select the
remaining time, which is not the case with letsencrypt-renewer. I prefer
to have two months to detect and correct problems rather than just one.

We should also set up automatic renewal on gudrun, but that requires a
firewall change. Thomas agreed that this is okay if we put (at least)
flyspray into its own networking namespace.
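The renewal script itself is not reproduced on this page. As an added example (not the author's script), this Python code implements the selectable remaining-time check the message describes and compares a one-month with a two-month threshold. The host names come from the thread; the expiry dates, the `old-cert` entry and all function names are constructed for illustration.

```python
import calendar
import ssl
import subprocess

DAY = 86400

def read_enddate(pem_path):
    """Return the 'notAfter=...' line openssl prints for a PEM certificate."""
    out = subprocess.run(
        ["openssl", "x509", "-noout", "-enddate", "-in", pem_path],
        check=True, capture_output=True, text=True)
    return out.stdout.strip()

def seconds_left(enddate_line, now):
    """Seconds until expiry (negative once expired) from a 'notAfter=' line."""
    key, _, value = enddate_line.strip().partition("=")
    if key != "notAfter" or not value:
        raise ValueError("not an openssl -enddate line: %r" % enddate_line)
    return ssl.cert_time_to_seconds(value) - now

def decide(enddate_line, now, renew_days):
    """'expired', 'renew' (fewer than renew_days left) or 'keep'."""
    left = seconds_left(enddate_line, now)
    if left <= 0:
        return "expired"
    return "renew" if left < renew_days * DAY else "keep"

# Constructed sample data: host names from the thread, dates made up.
NOW = calendar.timegm((2016, 2, 29, 8, 40, 37))
SAMPLE = {
    "luna": "notAfter=May 29 08:40:37 2016 GMT",      # 90 days left
    "gudrun": "notAfter=Apr 14 08:40:37 2016 GMT",    # 45 days left
    "old-cert": "notAfter=Feb  1 00:00:00 2016 GMT",  # already expired
}

def plan(renew_days, certs=SAMPLE, now=NOW):
    """Map each certificate name to the action for the given threshold."""
    return {name: decide(line, now, renew_days) for name, line in certs.items()}

if __name__ == "__main__":
    for days in (30, 60):  # one month versus two months of remaining time
        print(days, plan(days))
```

With the 30-day threshold the 45-day certificate is left alone; with 60 days it is already queued for renewal, which leaves more time to notice a failing renewal job before the certificate lapses.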