[arch-devops] Upgrade SSL CAs to SHA-2

Florian Pritz bluewind at xinu.at
Mon Feb 29 08:40:37 UTC 2016


On 29.02.2016 04:28, Sébastien Luttringer wrote:
> I upgraded the luna intermediate CA and RootCA to the new StartSSL certs with
> SHA-2 signatures.

I didn't actually know that worked. Interesting.

> Should we move to Letsencrypt or do we still want to use the star certificate?

I don't see a reason why we should pay for certs. We don't need wildcard
certs and with letsencrypt we are much more flexible regarding key
sizes. For example gudrun currently runs with a 2K rsa key because we
otherwise run into serious performance issues.

If you want to set it up, here's a script[1] I use for automatic
renewal. It's nothing fancy, but it allows you to easily select the
remaining time, which is not the case with letsencrypt-renewer. I prefer
to have two months to detect and correct problems rather than just one.

[1] https://git.server-speed.net/users/flo/bin/tree/certrenew

We should also set up automatic renewal on gudrun, but that requires a
firewall change. Thomas agreed that this is okay if we put (at least)
flyspray into its own networking namespace.

Florian
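Added example (not Florian's certrenew script and not part of the thread): a small stdlib-only Python helper that reads a certificate's notAfter date via `openssl x509 -enddate` and reports whether renewal is due once fewer than a chosen number of days remain, i.e. the selectable remaining-time threshold the message contrasts with letsencrypt-renewer. The 60-day default, the function names and the openssl invocation are assumptions.

```python
import ssl
import subprocess
import time

# Assumed default (not from the post): renew once fewer than 60 days remain,
# which on a 90-day Let's Encrypt certificate leaves roughly two months to
# notice and fix a broken renewal instead of one.
MIN_DAYS_LEFT = 60


def parse_not_after(enddate_line):
    """Turn the output of `openssl x509 -noout -enddate`, e.g.
    'notAfter=Feb 29 08:40:37 2016 GMT', into a POSIX timestamp."""
    prefix = "notAfter="
    if not enddate_line.startswith(prefix):
        raise ValueError("unexpected enddate line: %r" % enddate_line)
    # ssl.cert_time_to_seconds understands exactly this OpenSSL date format.
    return ssl.cert_time_to_seconds(enddate_line[len(prefix):].strip())


def days_remaining(not_after_ts, now_ts):
    """Days of validity left; negative once the certificate has expired."""
    return (not_after_ts - now_ts) / 86400.0


def should_renew(enddate_line, now_ts, min_days=MIN_DAYS_LEFT):
    """True when the remaining validity is below the chosen threshold."""
    return days_remaining(parse_not_after(enddate_line), now_ts) < min_days


def check_certificate(pem_path, min_days=MIN_DAYS_LEFT, now_ts=None):
    """Ask openssl for the certificate's end date and decide on renewal.
    Returns (days_left, renew_now); the caller then runs its ACME client."""
    if now_ts is None:
        now_ts = time.time()
    out = subprocess.check_output(
        ["openssl", "x509", "-noout", "-enddate", "-in", pem_path],
        universal_newlines=True,
    )
    line = out.strip().splitlines()[0]
    days_left = days_remaining(parse_not_after(line), now_ts)
    return days_left, days_left < min_days


if __name__ == "__main__":
    import sys
    left, renew = check_certificate(sys.argv[1])
    print("%.1f days left, renew=%s" % (left, renew))
    sys.exit(0 if renew else 1)  # exit 0 tells a cron wrapper to renew
```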
