henare closed this 7 years ago
morph.io is deployed using Ansible, so it proved not to be a good candidate for Let's Encrypt. We're using SSLMate in the meantime.
apache
and have to use webroot.
Here's TVFY asking for certs:
./certbot-auto certonly --webroot --webroot-path /srv/www/theyvoteforyou.org.au/current/public --domain theyvoteforyou.org.au --domain www.theyvoteforyou.org.au --domain www.theyvoteforyou.org --domain theyvoteforyou.org
All the sites I can see are done. I've also added a cronjob to update the certs so that should also be sorted.
We still need to do Cuttlefish; this is important because it's used for links in emails we send out.
> this is important because it's used for links in emails we send out
That's not true - I just double-checked and the cuttlefish email links are HTTP only. We should still get a certificate for cuttlefish.oaf.org.au.
I've also modified and simplified the SSL configuration on kedumba so all our sites should be reporting A quality in the Qualys test, e.g. https://www.ssllabs.com/ssltest/analyze.html?d=theyvoteforyou.org.au
The final site, Cuttlefish, is now done :tada:
It looks like StartSSL is cooked:
https://security.googleblog.com/2016/10/distrusting-wosign-and-startcom.html
https://support.apple.com/en-us/HT204132
https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/
Firefox 51 will be released on 2017-01-24. We have already got certificates issued after October 21, 2016.
This means we should move everything to https://letsencrypt.org/ and be done with it.