openaustralia / oaf

OpenAustralia Foundation
https://github.com/openaustralia/oaf#readme

Move all certificates away from StartSSL #249

Closed henare closed 7 years ago

henare commented 7 years ago

It looks like StartSSL is cooked:

https://security.googleblog.com/2016/10/distrusting-wosign-and-startcom.html
https://support.apple.com/en-us/HT204132
https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/

> If you receive a certificate from one of these two CAs after October 21, 2016, your certificate will not validate in Mozilla products such as Firefox 51 and later

Firefox 51 will be released on 2017-01-24. We have already got certificates issued after October 21, 2016.

This means we should move everything to https://letsencrypt.org/ and be done with it.
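
The rule quoted above (distrusted issuer plus a notBefore date after 21 October 2016) is simple enough to check mechanically across a fleet of sites before deciding what to reissue. The following Go program is an added example written for this page, not code from the OpenAustralia Foundation repository: it parses a PEM leaf certificate, flags it when the issuer organisation contains "StartCom" or "WoSign" (an assumption about how those CAs name themselves in the issuer field) and the certificate was issued after the cutoff, and generates its own throwaway certificates so it runs offline. The hostnames in `main` are the sites named in this issue; the certificates built for them are constructed test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// DistrustCutoff is the date named in the browser vendors' announcements:
// StartCom and WoSign certificates issued after it stop validating.
var DistrustCutoff = time.Date(2016, time.October, 21, 0, 0, 0, 0, time.UTC)

// distrustedIssuers are substrings matched against the issuer's Organization
// (assumption: the real StartCom/WoSign issuer names contain these words).
var distrustedIssuers = []string{"StartCom", "WoSign"}

// Finding is the result of checking one certificate.
type Finding struct {
	Subject        string
	IssuerOrg      string
	NotBefore      time.Time
	FromDistrusted bool // issuer is one of the two CAs
	IssuedAfter    bool // notBefore is later than DistrustCutoff
	MustReplace    bool // both true: browsers will stop accepting it
}

// CheckCert applies the cutoff rule to a parsed certificate.
func CheckCert(cert *x509.Certificate) Finding {
	f := Finding{
		Subject:   cert.Subject.CommonName,
		IssuerOrg: strings.Join(cert.Issuer.Organization, ", "),
		NotBefore: cert.NotBefore,
	}
	for _, bad := range distrustedIssuers {
		if strings.Contains(f.IssuerOrg, bad) {
			f.FromDistrusted = true
		}
	}
	f.IssuedAfter = cert.NotBefore.After(DistrustCutoff)
	f.MustReplace = f.FromDistrusted && f.IssuedAfter
	return f
}

// CheckPEM parses the first CERTIFICATE block of a PEM file (the leaf a web
// server serves) and checks it.
func CheckPEM(pemBytes []byte) (Finding, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return Finding{}, fmt.Errorf("no CERTIFICATE block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return Finding{}, err
	}
	return CheckCert(cert), nil
}

// MakeTestCert builds a leaf certificate for hostname signed by a throwaway CA
// whose Organization is issuerOrg. Constructed test data only: it stands in for
// a certificate fetched from a real server.
func MakeTestCert(hostname, issuerOrg string, notBefore time.Time) ([]byte, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	ca := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{issuerOrg}, CommonName: issuerOrg + " test CA"},
		NotBefore:             notBefore.AddDate(-1, 0, 0),
		NotAfter:              notBefore.AddDate(5, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	leaf := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: hostname},
		DNSNames:     []string{hostname},
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(1, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	// The parent's Subject becomes the leaf's Issuer, which is what CheckCert reads.
	der, err := x509.CreateCertificate(rand.Reader, leaf, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	cases := []struct {
		host, org string
		issued    time.Time
	}{
		{"www.theyvoteforyou.org.au", "StartCom Ltd.", time.Date(2016, time.November, 1, 0, 0, 0, 0, time.UTC)},
		{"morph.io", "StartCom Ltd.", time.Date(2016, time.September, 1, 0, 0, 0, 0, time.UTC)},
		{"cuttlefish.oaf.org.au", "Let's Encrypt", time.Date(2016, time.December, 1, 0, 0, 0, 0, time.UTC)},
	}
	for _, c := range cases {
		pemBytes, err := MakeTestCert(c.host, c.org, c.issued)
		if err != nil {
			panic(err)
		}
		f, err := CheckPEM(pemBytes)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-28s issuer=%-16q issued=%s replace=%v\n",
			f.Subject, f.IssuerOrg, f.NotBefore.Format("2006-01-02"), f.MustReplace)
	}
}
```

A StartCom certificate issued before the cutoff is reported as `FromDistrusted` but not `MustReplace`: it keeps validating until it expires, which is why the check separates the two conditions rather than flagging every StartCom certificate at once.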

henare commented 7 years ago

morph.io is deployed using Ansible so proved not to be a good candidate for Let's Encrypt. We're using SSLMate in the meantime.

henare commented 7 years ago

Here's TVFY asking for certs:

```shell
# One certificate covering all four names, with domain control proven via files certbot writes under the site's webroot
./certbot-auto certonly --webroot --webroot-path /srv/www/theyvoteforyou.org.au/current/public --domain theyvoteforyou.org.au --domain www.theyvoteforyou.org.au --domain www.theyvoteforyou.org --domain theyvoteforyou.org
```

henare commented 7 years ago

All the sites I can see are done. I've also added a cronjob to update the certs so that should also be sorted.

We still need to do Cuttlefish, this is important because it's used for links in emails we send out.

henare commented 7 years ago

> this is important because it's used for links in emails we send out

That's not true - I just double-checked and the cuttlefish email links are HTTP only. We should still get a certificate for cuttlefish.oaf.org.au.

henare commented 7 years ago

I've also modified and simplified the SSL configuration on kedumba so all our sites should be reporting A quality in the Qualys test, e.g. https://www.ssllabs.com/ssltest/analyze.html?d=theyvoteforyou.org.au

henare commented 7 years ago

The final site, Cuttlefish, is now done :tada: