Just a quick note to wish you, dear reader, a very Happy New Year. As I enter my 11th year of blogging, I hope I will be able to make a little bit more time in 2016 for more regular posts!
Also, I’m pleased to note that thanks to the wonderful folks at the Let’s Encrypt project, the whole of my site is now served over HTTPS. Given my more recent security focus, that was something that was long overdue. I’m very grateful to the Let’s Encrypt project sponsors, as the project offers a solution that provides equal, if not better, verification than traditional Domain Validation TLS certificates, at the cost of precisely zero.
Here’s to 2016!
Very curious to hear what your experience with LE was. Smooth? Easy? Any gotchas?
My configuration, with which I am sure you are rather familiar already (as it is derived from vpmframe), is complex enough that the fully automatic configuration isn’t an option. Another system with a simpler configuration also wasn’t happy with the fully automated config because (I think) CentOS 7 wasn’t supported.
But, there is a ‘certonly’ option that, combined with a very brief moment of downtime while the LE webserver runs on port 80 to prove your ownership of the domain, simply drops the cert in /etc/letsencrypt. I then just configured the Pound HTTPS terminator to point at the cert in there.
The caveat is that without the fully automated process in operation, I must do this again before the certificate’s expiry, which is only a few months away. Not a big deal, as long as you make a calendar event and enough advance reminders!
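The manual ‘certonly’ workflow described in the reply above (brief downtime on port 80, certificate dropped into /etc/letsencrypt, Pound pointed at it, renewal before expiry) as an added example script. This is not code from the post, from Let’s Encrypt or from Pound; it assumes the client is invoked as `certbot` (the 2016 client was `letsencrypt-auto`), that Pound is managed with `systemctl`, a placeholder domain `example.org`, an assumed Pound certificate path `/etc/pound/example.org.pem`, and GNU `date`. It also replaces the calendar reminder with a check of the certificate’s own notAfter date, so it can run from cron and only stop Pound when renewal is actually due.

```shell
#!/bin/sh
# renew-pound-cert.sh: added example, not from the post, Let's Encrypt or Pound.
# Assumptions: certbot on PATH, Pound run as a systemd unit, GNU date,
# placeholder domain and Pound certificate path below.
set -eu

DOMAIN="${DOMAIN:-example.org}"          # placeholder domain
LIVE="/etc/letsencrypt/live/$DOMAIN"     # where certonly drops the files
POUND_PEM="/etc/pound/$DOMAIN.pem"       # assumed Pound Cert path
RENEW_WITHIN_DAYS=30                     # renew when this close to expiry

# Days until the date in an openssl "notAfter=<date>" line; negative once past.
days_left_from_enddate() {
    end=$(printf '%s' "$1" | sed 's/^notAfter=//')
    end_s=$(date -d "$end" +%s)
    now_s=$(date +%s)
    echo $(( (end_s - now_s) / 86400 ))
}

# Days until the certificate in a PEM file expires.
days_left_for_pem() {
    days_left_from_enddate "$(openssl x509 -in "$1" -noout -enddate)"
}

# Exit status 0 when renewal is due: days left ($1) at or below threshold ($2).
renewal_due() {
    [ "$1" -le "$2" ]
}

renew() {
    # Free port 80 so the standalone verifier can answer the HTTP challenge,
    # and bring Pound back whether or not the client succeeds.
    systemctl stop pound
    trap 'systemctl start pound' EXIT
    certbot certonly --standalone -d "$DOMAIN" \
        --non-interactive --agree-tos -m "hostmaster@$DOMAIN"
    # Pound's Cert directive wants certificate, chain and private key in one
    # file; keep it readable only by the owner since it holds the key.
    umask 077
    cat "$LIVE/fullchain.pem" "$LIVE/privkey.pem" > "$POUND_PEM"
}

main() {
    if [ -f "$POUND_PEM" ] && \
       ! renewal_due "$(days_left_for_pem "$POUND_PEM")" "$RENEW_WITHIN_DAYS"; then
        echo "certificate for $DOMAIN is not due for renewal"
        return 0
    fi
    renew
}

# Run only when executed as the script, not when sourced for testing.
case "$0" in
    *renew-pound-cert.sh) main "$@" ;;
esac
```

Run it from a daily cron job as root; the `trap` guarantees Pound is restarted even if the client fails, and `renewal_due` keeps the downtime to the one day a renewal is actually needed. If Pound is not a systemd unit, swap the two `systemctl` lines for the init script you use.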