Thanks.

On 1/29/2019 11:19 PM, Dave Jones wrote:
> On 1/29/19 1:35 PM, Kevin A. McGrail wrote:
>> On 1/29/2019 2:25 PM, Dave Jones wrote:
>>> On 1/29/19 10:20 AM, Bill Cole wrote:
>>>> On 29 Jan 2019, at 10:25, Kevin A. McGrail wrote:
>>>
>>> So is this fixed on the sa-vm1.apache.org server or do I need to fix
>>> it still?
>>>
>>> FYI, I found a better method for LE verification using the DNS-01
>>> method and a wrapper hook to ACME DNS:
>>>
>>> http://docs.cert-manager.io/en/master/reference/issuers/acme/dns01/acme-dns.html
>>>
>>> I set up the ACME DNS Go server on auth.ena.net so I can host my own
>>> _acme-challenge records via a CNAME.  You can use the author's
>>> auth.acme-dns.io server to get started.  At home I set this up on my
>>> pfSense firewall using the acme package.  Now I have a wildcard cert
>>> that I pull from my pfSense firewall to my raspi and push out to all
>>> of my web servers so I have https everywhere and no annoying cert
>>> warnings.
>>>
>>> ACME DNS allows for a server that is not reachable by the Internet to
>>> be a central repository for all of your LE certs and automated
>>> renewals. Then you push out the certs to all of your servers using
>>> your favorite tool like Ansible, Puppet, Chef, Salt, shell script, etc.
>>>
>>> Dave
>>
>> This is NOT fixed.  Bill and I were talking about it at work on a non-SA
>> box and I thought it was interesting.
>>
>
> I changed the challenge to use acme-dns and generated a wildcard cert
> successfully which is live now.
>
> https://www.ssllabs.com/ssltest/analyze.html?d=ruleqa.spamassassin.org
>
> # cat /etc/letsencrypt/renewal/spamassassin.org.conf
> [renewalparams]
> pref_challs = dns-01,
> manual_auth_hook = /etc/letsencrypt/acme-dns-auth.py
>
>
> # head /etc/letsencrypt/acme-dns-auth.py
> .
> .
> .
> # URL to acme-dns instance
> ACMEDNS_URL = "https://auth.acme-dns.io";
>
>
> Dave


-- 
Kevin A. McGrail
VP Fundraising, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171
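
An added example, not part of the thread or of the certbot or acme-dns code: a small audit of the two files quoted above. It reports whether renewal is restricted to dns-01 and which acme-dns host the hook talks to, since that host serves the `_acme-challenge` TXT records and can therefore answer DNS-01 validation for the delegated names. The sample file contents and the `own_hosts` allowlist are constructed assumptions.

```python
import configparser
import re
from urllib.parse import urlparse

# Constructed sample inputs, modelled on the two files quoted in the message.
RENEWAL_CONF = """\
[renewalparams]
pref_challs = dns-01,
manual_auth_hook = /etc/letsencrypt/acme-dns-auth.py
"""
HOOK_SOURCE = '''\
# URL to acme-dns instance
ACMEDNS_URL = "https://auth.acme-dns.io"
'''

def audit(renewal_conf, hook_source, own_hosts):
    """Return a list of findings for one certbot renewal config and its hook.

    own_hosts (assumption): hostnames of acme-dns instances you operate yourself.
    """
    findings = []
    cp = configparser.ConfigParser(interpolation=None)
    # Real renewal files begin with keys outside any section; add a dummy header.
    cp.read_string("[top]\n" + renewal_conf)
    params = cp["renewalparams"] if cp.has_section("renewalparams") else {}
    challs = [c.strip() for c in params.get("pref_challs", "").split(",") if c.strip()]
    if challs != ["dns-01"]:
        findings.append(f"pref_challs is {challs!r}, expected only dns-01")
    if not params.get("manual_auth_hook"):
        findings.append("no manual_auth_hook configured")
    # The hook stores the acme-dns API endpoint in a module-level constant.
    m = re.search(r'^ACMEDNS_URL\s*=\s*["\']([^"\']+)["\']', hook_source, re.M)
    if not m:
        findings.append("hook does not define ACMEDNS_URL")
        return findings
    url = urlparse(m.group(1))
    if url.scheme != "https":
        findings.append(f"acme-dns API reached over {url.scheme or 'no scheme'}, not https")
    if url.hostname not in own_hosts:
        findings.append(f"challenge records are served by {url.hostname}, "
                        "which is not in the self-operated list")
    return findings

if __name__ == "__main__":
    for finding in audit(RENEWAL_CONF, HOOK_SOURCE, {"auth.ena.net"}):
        print("FINDING:", finding)
```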
