damn there's been lots of netsplits and no talk :)
let's encrypt is in limited beta
err entering on dec 3rd
i still don't get the 90 day expiry part... seems kind of annoying
and no... im not running their shitty cert rotation script on my boxes
Shorter lifetime means smaller attack/compromise surface (Google's been running 30-90 day certs for their services for awhile)
also ensures that your cert handling is up to snuff e.g. an automated, simple process in place to swap them out (I make no argument for or against their rotation script) which is good when it comes to handling certificates securely
^ Or it's bad because you hack something insecure together :p
tbh, whenever certs are 2 or 3 years expiry it seems people are more likely to not keep them up to date
err to hit a problem for a few days with being out of date
esp. with smaller sites.
if it's 3 months, then people kind of have to "fix" the way they do certs.
I don't get what's so hard about putting the cert expiry on your calendar when it's issued, and poof it won't surprise you
heh one of my smokeping's has an out of date cert.
also there's the mismatch between domain expiry and cert expiry
10 days.
chris: i have an ssl cert through namecheap with my domain, not that i'm using it..
shorter cert expiry reduces the time where somebody has a valid certificate for a domain they do not own
cos i'm just using cloudflare..
Another good point, chrismsnz
thats fine if you dont mind cloudflare mitm all your traffic :)
it seemed like a good idea at the time.
there's nothing critical on it really
i mostly just post screenshots and stuff to it
changing the cert every 90 days != changing the private key every 90 days
but cloudflare's hit rates suck
i dont see how its any more secure
so i'm actually planning to ditch it
i'm actually way more concerned about people using *.domain certs everywhere across multiple machines
"time where somebody has a valid certificate for a domain they do not own"...
if letsencrypt were the only cert provider this would be true. but they're not
for some reason the name of such is escaping me, wildcard came to mind but that sounds wrong.
mercutio: *.domain is a wildcard, yes
but yeah having a wide attack vector seems messier to me
there's also a premium on wildcard certs, but i think if certs can just be cheap/affordable/free then having lots of non wildcard certs /usually/ makes sense
(Easier for me to have individual Startcom SSL certs for various services than pay for a single wildcard, for instance.)
yeh they're expensive.
And free is just so free...
if you have a proxy or constant cdn or such wildcard is just as insecure
i kind of hoped that with virtualisation would come more "objects" where one bit of work is done in one place, and another in another, connected together.
but currently, it seems that mostly consolidation/cost cutting has happened.
there's cool projects with xen and so forth to make an OS image that's a container of sorts that is compiled to only do one function - like you could have a DNS OS or such.
at least php is moving to php-fpm etc these days creating some isolation
I have a test domain up and working with letsencrypt
plett: cool
plett: any thoughts on it?
The 90 day thing isn't the annoying bit for me - that side is solvable with automation
The bit that annoys me is that they only considered web servers when designing it.
The only way to get a cert at the moment is to run their python client which can receive traffic on port 80 or 443
You can either run a standalone client which listens on those ports itself and therefore means taking your web server offline, or there are hooks into Apache (and almost nginx) which reconfigure your web server(!) to have a new vhost which can serve the right responses
erk
why not just do something like google's ad thing does where you stick a special thing in the html
That I don't know
I'm sure more options will come over time, but neither of the current options works for me
I wouldn't want to take my webserver offline and run their client code as root in a cron job
And the thought of them trying to add a virtualhost to my apache config scares me too
i just upgraded to nginx 1.9.6 last night on one host. they have http2 :)
I'm using it as a learning exercise, and my setup is slightly over-engineered.
I've got haproxy in a docker container listening on 80 and 443 and doing ssl termination and forwarding everything in to an nginx container which currently just serves some plain text
I think I should be able to use haproxy to filter the letsencrypt authentication traffic off to somewhere else while still serving all the normal traffic
I'm also using it as an opportunity to use the brand new docker-compose networking support
It will probably also need etcd and confd to manage the haproxy config. I've not used them before