You have to renew LE certificates every few months.
And out of a security-paranoia aspect I guess we want to do this renewal
So I agree it's not really practical.
Even after Oracle donates the nb.org domain I guess it will still remain active
(just to prevent domain grabbing). I assume it will simply redirect to
netbeans.apache.org. Or might even continue to serve as an end-user-facing page.
In any case we will continue to have a certificate.
Now from the strictly practical point: Oracle still owns the domain. It was not
yet handed over, right? And Oracle still has the sole control over the hosts.
So I assume it will be the easiest if Oracle would renew the certificate for
this time. We would not be able to install any new cert anyway.
> On 29.11.2016 at 17:54, Emilian Bold <emilian.b...@gmail.com> wrote:
> When you mention sub-domains I assume you are thinking of *.apache.org.
> netbeans.org would be a separate domain where you could use Let's Encrypt
> without issues.
> On Mon, Nov 28, 2016 at 6:47 PM, Daniel Gruno <humbed...@apache.org> wrote:
>> On 11/28/2016 05:43 PM, Emilian Bold wrote:
>>> Yeah, with Let's Encrypt this is less of a hassle I assume.
>>> On Mon, 28 Nov 2016 at 18:32, Bertrand Delacretaz <
>>> wrote:
>>>> On Mon, Nov 28, 2016 at 4:10 PM, Emilian Bold <e...@apache.org> wrote:
>>>>> ...perhaps Oracle will be kind enough to renew the certificate and
>>>> donate to
>>>>> ASF the private keys when all is done?...
>>>> Daniel as our infra mentor will be able to confirm but I suppose we
>>>> have all we need in house, probably using free certificates in which
>>>> case that wouldn't be needed. But thanks for the suggestion - let's
>>>> wait for Daniel's opinion.
>> Not free, but we can produce certs for domains we own, yes.
>> We don't use Let's Encrypt at the ASF, it's just not practical when you
>> have a distributed setup with some 400+ sub-domains (LE does not support
>> wildcard certs).