Re: [GTALUG] SSL Certs for both web and email servers

2020-12-03 Thread John Sellens via talk
And the other thing to remember: when the certificate renews,
restart/reload your services, to use the new certificate(s).

I use puppet to pass certificates around, and trigger an apache
reload when needed, similarly with dovecot and postfix for mail.

John
---
Post to this mailing list talk@gtalug.org
Unsubscribe from this mailing list https://gtalug.org/mailman/listinfo/talk


Re: [GTALUG] SSL Certs for both web and email servers

2020-12-03 Thread Giles Orr via talk
On Thu, 3 Dec 2020 at 14:14, William Witteman via talk  wrote:
>
> Thanks for your help!
>
> I have not yet set the redirects from http -> https, but the result
> was achieved *much* more easily than I would have expected.
>
> I have an existing cert that I set up as a standalone, which dovecot
> has been using happily for a few years.  I did not know that I could
> expand what that cert covers, but the good people at EFF have made
> this very easy.
>
> I used this command and it Just Worked(TM):
>
> sudo certbot -d
> comma,separated,list,of,each,domain,and,subdomain,including,the,ones,already,in,place
> --expand
>
> And after a moment, all of my domains and subdomains are under the
> single umbrella that I already had.
>
> Note that the above list includes three different domains and a half
> dozen subdomains, all of which seem to just work now.
>
> Thanks again!

Heh - you top-posted, and I'm too lazy to fix the sequencing so now we
have mixed post order ... oh well!

If you're new to 'certbot' I recommend that you watch very closely as
you approach the three month mark.  Let's Encrypt's certs are only for
three months.  But if you've installed it on Debian, you should also
find that you have a twice-daily cron job that attempts to renew all
issued certificates automatically.  It will fail silently up until the
two month mark (don't quote me on this, I think it's two months), and
then just as quietly renew and replace the certs when it does.  It's a
lovely system, but you'll want to check maybe two weeks before they
need renewal.  If they haven't renewed automatically you'll need to
take a closer look at your system(s) to see what went wrong.

I wrote a shell script that takes a list of domain names as input,
then grabs the certificate for each domain and lists the names and
expiries for each.  It uses the 'openssl' command to extract the
expiry date, and a bit of date magic to determine if any are expiring
in less than a month and then highlights those.  I run it weekly
against my business's sites (that list is programmatically generated
too), and it's saved my ass a few times ...

> On Tue, 1 Dec 2020 at 06:37, ac via talk  wrote:
> >
> > On Tue, 1 Dec 2020 03:34:06 -0500
> > John Sellens via talk  wrote:
> > > On Tue, 2020/12/01 08:16:49AM +0200, ac via talk wrote:
> > > | > I have three domains and a small but invariant number of
> > > | > subdomains that I want to encrypt - should I try to pull them all
> > > | > under one SSL cert, or do one for each domain, or one for every
> > > | > subdomain?  I don't need a wildcard, but I would like something
> > > | > relatively painless if possible.
> > > |
> > > | yes, in your case, and for painless and easy, just use the domain
> > > | name and one cert. so, instead of mail.example.com and
> > > | www.example.com - just use example.com.
> > >
> > > I think that might cause client complaints in some cases.
> > >
> > imho i do not think with three domains this will be an issue.
> >
> > what is the point of having mail.example.com if the IP number for
> > mail.example.com is the same as example.com ? the same can be asked
> > about imap.example.com and pop.example.com etc.
> >
> > This is just wasteful and increases the risk of issues, adds complexity
> > and does not serve any "real" technical, logical or functional purpose.
> >
> > The reason why mail.example.com used to be prevalent - pre container -
> > was because mail.example.com - was at a different IP number / different
> > network even...
> >
> > And, actually even if you had 100 domains on one server: reducing
> > complexity, reducing the amount of DNS lookups and reducing pebcac,
> > reducing comms, reducing traffic, reducing load and reducing wastage -
> > means:
> >
> > You are making it easier for clients
> >
> > And : You are even saving cycles, saving electricity, saving network
> > traffic and TOOOTEROOO:
> >
> > Saving the planet
> >
> > in case you did not know: In 2020 - 2030 - we will still get the vast
> > majority of our power from non sustainable fossil sources. so, we
> > should all try to be less wasteful, mind you, now with Alaska being
> > strip mined and auction sold, the planet has a lot more to waste.
> >
> > > I think letsencrypt now provides wildcard certifications, but you
> > > can use multiple -d options when creating or updating a certificate
> > > e.g.
> > >
> > >   certbot certonly \
> > > --non-interactive \
> > > --expand \
> > > --webroot \
> > > -w /var/www/html/letsencrypt \
> > > --cert-name www.example.com \
> > > -d example.com \
> > > -d mail.example.com \
> > > -d blog.example.com
> > > And then the one certificate is valid for all those names.
> > >
> > a small number of invariant sub domains usually means
> > www.example.com, pop.example.com, mail.example.com,
> > imap.example.com and in this case - x3 domains
> >
> > but, one could also wildcard (*) just simply -d *.example.com and add
> > _acme-challenge TXT record to 
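
One check covers both Giles's expiry script above and John's reminder (first message on this page) to reload services after renewal: this is an added example, not Giles's script or any project code, that connects to each service with Python's standard ssl module instead of shelling out to openssl, reads the notAfter the peer actually presents, and flags anything with under a month left. The host list is a constructed placeholder, and the mail ports assumed are the implicit-TLS ones (993, 465); STARTTLS ports would need the protocol-specific upgrade first.

```python
import socket
import ssl
import time

# Constructed sample inventory of (hostname, port). 993 and 465 are the
# implicit-TLS IMAP and submission ports, so a plain handshake suffices.
SITES = [("example.com", 443), ("mail.example.com", 993), ("mail.example.com", 465)]
WARN_DAYS = 30  # less than a month left, the threshold Giles describes

def days_left(not_after, now=None):
    """Whole days from `now` (epoch seconds, default: current time) until the
    certificate's notAfter, given as the string getpeercert() returns, e.g.
    'Mar  3 12:00:00 2021 GMT' (ssl.cert_time_to_seconds parses it as UTC).
    Negative means already expired; floor division keeps -0.5 days as -1."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(not_after) - now) // 86400)

def classify(not_after, now=None, warn_days=WARN_DAYS):
    """'EXPIRED', 'EXPIRING' (fewer than warn_days left) or 'OK'."""
    d = days_left(not_after, now)
    return "EXPIRED" if d < 0 else "EXPIRING" if d < warn_days else "OK"

def fetch_not_after(host, port, timeout=5.0):
    """TLS handshake with SNI and full chain/hostname verification; returns
    the leaf certificate's notAfter. An already-expired or mismatched cert
    fails verification here and is reported as an error, not as EXPIRED."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]

def report(sites=SITES, now=None):
    """One (host:port, days_left, status, notAfter) row per service. A daemon
    that was not reloaded after renewal keeps serving the old cert and shows
    up here as EXPIRING while the file on disk is already fresh."""
    rows = []
    for host, port in sites:
        try:
            na = fetch_not_after(host, port)
            rows.append((f"{host}:{port}", days_left(na, now), classify(na, now), na))
        except (OSError, ssl.SSLError) as exc:
            rows.append((f"{host}:{port}", None, f"ERROR: {exc}", ""))
    return rows

if __name__ == "__main__":
    for name, d, status, na in report():
        print(f"{status:9} {name:24} days={d} notAfter={na}")
```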

[GTALUG] Request experts developers and/or DevOps wanted to help our school paperwork

2020-12-03 Thread Marc Lijour via talk
Hi everyone,

This is a community support request. I've been part of this group for 20
years. I'm working for a non-profit supporting talent and innovation in the
IT sector.

As part of our efforts to help Canadians and Canadian businesses sustain
their living through COVID, and while the ICT sector is searching for new
talent to hire, ICTC is launching a novel training online. We will have
three streams: software development, data science, and DevOps. For the
government paperwork, we require three industry experts (for each one of
these streams) to provide us with an assessment. The process should not be
too onerous and I can share the questions in advance.

The Information and Communications Technology Council (ICTC) is a
not-for-profit national centre of expertise for the digital economy.
Through trusted research, innovative talent solutions, and practical policy
advice, ICTC fosters innovative and globally competitive Canadian
industries empowered by a talented and diverse digital workforce. We've
been out there for 25 years and we provide many programs for talent of all
ages and origins, helping succeed in the digital economy.

Examples of programs we have delivered include Arrival to FinTech. We're
helping George Brown College launch a new stream for its Blockchain
developer program and we're coaching the first cohort of 25 newcomers.
We're also in the midst of delivering our Youth Dividend program, which
includes hard skills training and a subsidized 7-month placement in
enterprise.

We're helping grow the talent pipeline. Any of your businesses can pretend
to up to 75% in wage subsidies to hire a student. Conditions and
information available at https://wil.digital

Feel free to contact me here and we can take the conversation offline,
unless there are general questions that could benefit this group.

Thanks for your attention

Marc


Re: [GTALUG] SSL Certs for both web and email servers

2020-12-03 Thread William Witteman via talk
Thanks for your help!

I have not yet set the redirects from http -> https, but the result
was achieved *much* more easily than I would have expected.

I have an existing cert that I set up as a standalone, which dovecot
has been using happily for a few years.  I did not know that I could
expand what that cert covers, but the good people at EFF have made
this very easy.

I used this command and it Just Worked(TM):

sudo certbot -d
comma,separated,list,of,each,domain,and,subdomain,including,the,ones,already,in,place
--expand

And after a moment, all of my domains and subdomains are under the
single umbrella that I already had.

Note that the above list includes three different domains and a half
dozen subdomains, all of which seem to just work now.

Thanks again!

On Tue, 1 Dec 2020 at 06:37, ac via talk  wrote:
>
> On Tue, 1 Dec 2020 03:34:06 -0500
> John Sellens via talk  wrote:
> > On Tue, 2020/12/01 08:16:49AM +0200, ac via talk wrote:
> > | > I have three domains and a small but invariant number of
> > | > subdomains that I want to encrypt - should I try to pull them all
> > | > under one SSL cert, or do one for each domain, or one for every
> > | > subdomain?  I don't need a wildcard, but I would like something
> > | > relatively painless if possible.
> > |
> > | yes, in your case, and for painless and easy, just use the domain
> > | name and one cert. so, instead of mail.example.com and
> > | www.example.com - just use example.com.
> >
> > I think that might cause client complaints in some cases.
> >
> imho i do not think with three domains this will be an issue.
>
> what is the point of having mail.example.com if the IP number for
> mail.example.com is the same as example.com ? the same can be asked
> about imap.example.com and pop.example.com etc.
>
> This is just wasteful and increases the risk of issues, adds complexity
> and does not serve any "real" technical, logical or functional purpose.
>
> The reason why mail.example.com used to be prevalent - pre container -
> was because mail.example.com - was at a different IP number / different
> network even...
>
> And, actually even if you had 100 domains on one server: reducing
> complexity, reducing the amount of DNS lookups and reducing pebcac,
> reducing comms, reducing traffic, reducing load and reducing wastage -
> means:
>
> You are making it easier for clients
>
> And : You are even saving cycles, saving electricity, saving network
> traffic and TOOOTEROOO:
>
> Saving the planet
>
> in case you did not know: In 2020 - 2030 - we will still get the vast
> majority of our power from non sustainable fossil sources. so, we
> should all try to be less wasteful, mind you, now with Alaska being
> strip mined and auction sold, the planet has a lot more to waste.
>
> > I think letsencrypt now provides wildcard certifications, but you
> > can use multiple -d options when creating or updating a certificate
> > e.g.
> >
> >   certbot certonly \
> > --non-interactive \
> > --expand \
> > --webroot \
> > -w /var/www/html/letsencrypt \
> > --cert-name www.example.com \
> > -d example.com \
> > -d mail.example.com \
> > -d blog.example.com
> > And then the one certificate is valid for all those names.
> >
> a small number of invariant sub domains usually means
> www.example.com, pop.example.com, mail.example.com,
> imap.example.com and in this case - x3 domains
>
> but, one could also wildcard (*) just simply -d *.example.com and add
> _acme-challenge TXT record to example.com dns zone
> (auth: preferred-challenges=dns - when you apply for cert)
>
> depending on your resources and very importantly, your dns servers
> timeouts, rate_limits and other issues, there could be pain/risk with
> multiple/many -d every 90 days
>
> > Hope that helps - letsencrypt is really remarkably convenient.
> >
> indeed it is.
>
> > John