Redo Let's Encrypt integration #2

Open
pushcx opened this Issue Oct 25, 2017 · 9 comments

@pushcx
Member

pushcx commented Oct 25, 2017

  • Use acme-client for generating the ssl cert. It has a lot fewer moving parts.
  • www.lobsters.com should be a Subject Alternative Name but isn't listed, leading to live SSL errors
  • email is no longer using TLS
  • Certificate is not automatically renewed

@pushcx pushcx added the bug label Oct 25, 2017
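A check for the two certificate items in the list above (SAN coverage and renewal), added here as an example and not code from the lobsters repository. It assumes the openssl CLI is installed; the test certificate it can generate is a constructed, self-signed one, not the site's real certificate.

```shell
#!/bin/sh
# Added example, not code from the lobsters repo: check that a certificate
# lists every hostname the site answers for as a SAN and is not about to
# expire, the two certificate problems this issue reports. Needs openssl.

# Print the DNS names from the certificate's Subject Alternative Name
# extension, one per line (parses `x509 -text`, so it works on old openssl).
cert_sans() {
    openssl x509 -in "$1" -noout -text \
        | awk '/Subject Alternative Name/ { getline; print; exit }' \
        | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}

# check_cert CERT.pem DAYS HOST...
# Returns 0 only if every HOST is a SAN and the cert stays valid for at
# least DAYS more days; otherwise prints each failure and returns 1.
check_cert() {
    cert=$1; days=$2; shift 2
    rc=0
    sans=$(cert_sans "$cert")
    for host in "$@"; do
        if ! printf '%s\n' "$sans" | grep -qxF "$host"; then
            echo "MISSING SAN: $host (browsers will reject this name)"; rc=1
        fi
    done
    # -checkend exits non-zero when the cert expires within N seconds
    if ! openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null; then
        echo "EXPIRES within $days days: renewal is overdue"; rc=1
    fi
    return $rc
}

# make_test_cert SANLIST DAYS: constructed, self-signed test certificate
# (throwaway key, nothing from the real site); prints the PEM file path.
make_test_cert() {
    dir=$(mktemp -d)
    cat > "$dir/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = lobste.rs
[ext]
subjectAltName = $1
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -config "$dir/san.cnf" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
    echo "$dir/cert.pem"
}
```

Run `check_cert <path to the deployed cert> 30 lobste.rs www.lobsters.com` from cron or a monitoring job; a non-zero exit flags either of the two failures before users see an SSL error.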

@alanpost
Collaborator

alanpost commented Oct 26, 2017

email should now be using TLS, verified by inspecting headers from an @gmail account:

ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@lobste.rs header.s=prgmr-0 header.b=bypOhpX4;
spf=pass (google.com: domain of nobody@lobste.rs designates 71.19.148.33 as permitted sender) smtp.mailfrom=nobody@lobste.rs;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=lobste.rs
Return-Path: nobody@lobste.rs
Received: from lobste.rs (lobste.rs. [71.19.148.33])
by mx.google.com with ESMTPS id a1si3400595plp.90.2017.10.26.13.17.10
for <[]@gmail.com>
(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
Thu, 26 Oct 2017 13:17:10 -0700 (PDT)

@pushcx
Member

pushcx commented Oct 26, 2017

Solid fix, thanks!

@pushcx pushcx closed this Oct 26, 2017

@pushcx
Member

pushcx commented Oct 26, 2017

oops, of course that's only one part of this roundup bug, reopening

@pushcx pushcx reopened this Oct 26, 2017

@qbit

qbit commented Nov 3, 2017

There is also an Ansible module for LE.

@arrdem

arrdem commented Nov 3, 2017

Commenting as a marker to look at this over the weekend. I've set up letsencrypt on my properties a couple of times, and as a lobsters reader of several years it seems like the least I can do to try and pick this up.

@taoeffect

taoeffect commented Nov 3, 2017

Why use acme-client instead of Let's Encrypt's certbot?

@qbit

qbit commented Nov 3, 2017

@taoeffect acme-client focuses a lot more on security - doing priv-sep / chrooting (pledge on OpenBSD).

@pushcx
Member

pushcx commented Nov 3, 2017

That's the primary reason. The other is that certbot is Python with a bunch of dependencies and it wants to automagically edit the nginx conf, which is more automation than I like to see in security-related areas.

@evaryont

evaryont commented Nov 4, 2017

You can use certbot's webroot mode to have it only generate the challenge files and not edit the configuration. Though acme-client's use of pledge is awesome.
