When we switched over to using acme.sh for letsencrypt, we kept as many things as possible the same as they were before.
However, acme.sh is able to do more of the heavy lifting than we are using it for.
I propose that we remove our own handling of ssl renewal, in favour of depending upon acme.sh to do this itself.
The rationale here is that acme.sh is a pretty well used and understood script, with great documentation. It stores all certificates in a standard, detectable place, and will automatically renew any certificates it knows about.
This means that when users have more advanced use cases, such as needing to manage multiple certificates, ghost cli won't need to step in, but instead we can point users at acme for all of their ssl needs.
E.g. if you have multiple custom domains, and need to set up SSL redirects from secondary domains to the canonical domain, it will be possible to do so using acme.sh.
This will also get rid of the crontab library and close #348 automatically.
This change should result in less code overall, and more interoperability/compatibility between ghost-cli and acme.
In addition, I think it may be a good idea to symlink the fullchain and private keyfiles into the ghost/system folder, rather than copying them. Not sure what the implications might be here, but this will make it easier to understand where those files come from.
Discussion resulted in us changing this to linking directly to ~/.acme.sh/
It is worth noting that this will break ssl renewals for existing installs. We will do our best to document an extra command to run to fix it in as many places as possible to mitigate this.