Ticket #875 (new maintenance)

Opened 14 months ago

Last modified 14 months ago

Free HTTPS certificates from Let's Encrypt

Reported by: chris
Owned by: chris
Priority: major
Milestone: Maintenance
Component: Live server
Keywords:
Cc: ade, sam, paul, annesley
Estimated Number of Hours: 0.0
Add Hours to Ticket: 0
Billable?: yes
Total Hours: 0.4

Description

From mid November 2015 Let's Encrypt should be live, providing free SSL/TLS certificates. Currently the TN pays for a Gandi wild card cert, costing £130.50 a year; in addition, most of the WordPress sites on ParrotServer don't have certs due to the cost, see ticket:540.

The Let's Encrypt code is designed to be set up to run automatically -- certs are only valid for 90 days and the automatic renewal process runs when the cert is 60 days old.

We should consider if we want to use Let's Encrypt and what things would need to be put in place to use it; the wild card cert is due to expire on 22/01/16.

  1. PuffinServer -- are we still going to be running PuffinServer in January 2016? Is there any chance that we might be able to consider the suggestions in ticket:754#comment:61? I'm not sure if I want to spend time trying to get Let's Encrypt working with an old version of BOA; up-to-date versions of BOA might support it out of the box.
  2. PenguinServer -- this site hosts a lot of sites, see the listing; automating Let's Encrypt would probably be an hour or two of work, and it might make sense to upgrade it to Debian Jessie at the same time.
  3. ParrotServer -- I suggest we rebuild this server from scratch; this would enable it to have the latest version of the Webarch Secure Hosting scripts, and this includes support for fail2ban for WordPress and phpMyAdmin, thus solving ticket:871, and includes automatic provisioning of Let's Encrypt certs for sites.

What do people think?

Change History

comment:1 Changed 14 months ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.4
  • Total Hours changed from 0.0 to 0.4

comment:2 Changed 14 months ago by paul

Sounds good :)

On Mon, Oct 5, 2015 at 11:48 AM, Transition Technology Trac <trac@tech.transitionnetwork.org> wrote:

> #875: Free HTTPS certificates from Let's Encrypt
> -------------------------------------+-------------------------------------
>                  Reporter:  chris    |                Owner:  chris
>                      Type:           |               Status:  new
>   maintenance                        |            Milestone:  Maintenance
>                  Priority:  major    |             Keywords:
>                 Component:  Live     |  Add Hours to Ticket:  0.4
>   server                             |          Total Hours:  0
> Estimated Number of Hours:  0        |
>                 Billable?:  1        |
> -------------------------------------+-------------------------------------
>  From mid November 2015 [https://www.letsencrypt.org/ Let's Encrypt] should
>  be live, providing free SSL/TLS certificates. Currently the TN pays for a
>  Gandi wild card cert, costing £130.50 a year, in addition most of the
>  WordPress sites on ParrotServer don't have certs due to the cost, see
>  ticket:540.
>
>  The [https://github.com/letsencrypt/letsencrypt Let's Encrypt code] is
>  designed to be set up to run automatically -- certs are only valid for 90
>  days and the automatic renewal process runs when the cert is 60 days old.
>
>  We should consider if we want to use [https://www.letsencrypt.org/ Let's
>  Encrypt] and what things would need to be put in place to use it, the wild
>  card cert is due to expire on 22/01/16.
>
>  1. PuffinServer -- are we still going to be running PuffinServer in
>  January 2016? Is there any chance that we might be able to consider the
>  suggestions in ticket:754#comment:61? I'm not sure if I want to spend time
>  trying to get Let's Encrypt working with [ticket:872 an old version of
>  BOA], up to date versions of BOA might
>  [https://github.com/omega8cc/boa/issues/500 support it out of the box].
>  2. PenguinServer -- this site hosts a lot of sites, see
>  [https://penguin.transitionnetwork.org/ the listing], automating Let's
>  Encrypt would probably be an hour or two of work, it might make sense to
>  upgrade it to Debian Jessie at the same time.
>  3. ParrotServer -- I suggest we rebuild this server from scratch, this
>  would enable it to have the latest version of the
>  [https://docs.webarch.net/wiki/Webarch_Secure_Hosting Webarch Secure
>  Hosting scripts] and this includes support for fail2ban for WordPress and
>  phpMyAdmin, thus solving ticket:871 and includes automatic provisioning of
>  Let's Encrypt certs for sites.
>
>  What do people think?
>
> --
> Ticket URL: <https://tech.transitionnetwork.org/trac/ticket/875>
> Transition Technology <https://tech.transitionnetwork.org/trac>
> Support and issues tracking for the Transition Network Web Project.
>



-- 
Paul Booker
Drupal Support for Websites and Linux Servers
Website: http://www.paulbooker.co.uk
Tel: +44 01922 861636
