ssl certs

[thatpixguy]

ssl certs are expiring. moving to letsencrypt

[thatpixguy]

Congratulations! You have successfully enabled https://bikeadl.org, https://www.toris.land, https://cryptoadl.org, https://members.hackadl.org,
https://www.cryptoadl.org, https://members.hackerspace-adelaide.org.au, https://toris.land, https://staging.hackerspace-adelaide.org.au, and
https://www.bikeadl.org

You should test your configuration at: https://www.ssllabs.com/ssltest/analyze.html?d=bikeadl.orghttps://www.ssllabs.com/ssltest/analyze.html?d=www.toris.land https://www.ssllabs.com/ssltest/analyze.html?d=cryptoadl.org https://www.ssllabs.com/ssltest/analyze.html?d=members.hackadl.org https://www.ssllabs.com/ssltest/analyze.html?d=www.cryptoadl.org https://www.ssllabs.com/ssltest/analyze.html?d=members.hackerspace-adelaide.org.au https://www.ssllabs.com/ssltest/analyze.html?d=toris.land
https://www.ssllabs.com/ssltest/analyze.html?d=staging.hackerspace-adelaide.org.au https://www.ssllabs.com/ssltest/analyze.html?d=www.bikeadl.org

[thatpixguy]

IMPORTANT NOTES:

• Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/bikeadl.org/fullchain.pem. Your cert will expire on 2017-06-03. To obtain a new or tweaked version of this certificate in the future, simply run certbot again with the "certonly" option. To non-interactively renew all of your certificates, run "certbot renew"

• If you like Certbot, please consider supporting our work by:

  Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le

[33d]

This will break the sign in devices for now; I'd like to implement poor man's authentication anyway.

[thatpixguy]

/etc/apache/sites-available is now a git repo

[thatpixguy]

@33d ssl is optional so http:// still works, but if you were cert pinning that will break because the cert will change every 90 days with letsencrypt

[33d]

It verifies the fingerprint, which I assume (without looking much into it) will change every few months. Arduino for esp8266 doesn't check certificates properly.

[thatpixguy]

i regenerated the cert with members.hackerspace-adelaide.org.au as the "common name" rather than "bikeadl.org" for all the sites. when bare hackerspace-adelaide.org.au is finally moved to slartibartfast, i'll make that the common name. it still lives in /etc/letsencrypt/live/bikeadl.org though.

[thatpixguy]

@33d ok so it's kind-of cert-pinning... hrmm