TLS certs from Let's Encrypt

[cben]

Retroactive: I already deployed the new certs! Need to organize and back up the work. (mathdown.com cert expired on Feb 12 - I deployed half day AFTER it expired :-(; today deployed mathdown.net certs in time before Feb 15 expiration. 87 days to next expiration.)

I've switched from StartSSL to Let's Encrypt. Because they recently became available and are awesome, because renewal is easy to automate. Plus they can give 1 cert for all domains (best for heroku). Generally followed http://blog.thesparktree.com/post/138999997429/generating-intranet-and-private-network-ssl

• [x] Send fix to lexicon (or letsencrypt.sh?) to create _acme-challenge.www.mathdown.net, not _acme-challenge.www.mathdown.net.mathdown.net.
• [x] Fix aborted attempt to install lexicon into a virtualenv.
• [x] Document.
• [x] Test deploying also to Heroku, then turn off expensive heroku SSL Addon until I need them.
• [ ] Encrypt & backup privkey at rest.

Now that I've used Lexicon (DNSimple and friends abstraction lib), I should revisit infrastructure-as-code (#110) goal. Terraform is best in principle to cover everything but I suspect I'll stick to Lexicon and/or DNSimple's auto-deploy from github. Git push for DNS + git push to PaaS more or less covers it?

[cben]

• [x] delete tls-certs-startcom/ dir.

[cben]

Cert expired yesterday :frowning: Getting new one, have some issues...

• [x] Schedule notification — DONE on https://certificatemonitor.org/
• [ ] Freeze working deps in a way that's more likely to still work later.

[cben]

• [ ] Look into OCSP stapling, after working enable letsenrypt.sh --ocsp "Sets option in CSR indicating OCSP stapling to be mandatory".
• [ ] When confident of smooth renewal, enable HSTS.

[cben]

Deployed new cert valid till Oct 6 2016.

[cben]

This is long done, closing.

• [x] Subscribed to Certificate Transparancy notifications at https://developers.facebook.com/tools/ct/