Enhancement #676

closed

Use Let's Encrypt for more public services

Added by Marc Dequènes over 4 years ago. Updated about 4 years ago.

Status:
Resolved
Priority:
Normal
Category:
Service :: IS / AAA / PKI
Start date:
2019-09-20
Due date:
% Done:

100%

Estimated time:
Patch Available:
Confirmed:
No
Branch:
Entity:
DuckCorp
Security:
Yes
Help Needed:

Description

Now that we have the DNS challenge method in place for SMTP, we could make it more generic in a dedicated role and use it for other non-web services.

Also I think using a DNS update key per host would be more secure.

#1

Updated by Marc Dequènes over 4 years ago

  • Status changed from New to In Progress
  • % Done changed from 0 to 20

We have a role for the DNS challenge setting and run. It is now used for SMTP services.

Each host now has its own key.

It would be nice if we could force the LE nsupdate to use the _kage subdomain and use CNAMEs like we do for TLSA to avoid having to create a forest of subdomains.
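The setup described in this comment (one DNS update key per host, challenge names delegated by CNAME into a `_kage` subdomain) as an added BIND 9 example; this is not DuckCorp's configuration, and the key name, zone name, file path and secret placeholder are assumptions.

```conf
// Added example (not DuckCorp's own configuration): BIND 9 named.conf fragment.
// One TSIG key per host, so a compromised host can only alter its own
// challenge record and never the rest of the zone.
key "smtp-hq-acme" {                               // assumed key name
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-TSIG-SECRET";      // placeholder; generate one per host
};

// The _kage zone holds nothing but delegated ACME challenge names, so
// dynamic updates never touch the production zone.
zone "_kage.duckcorp.org" {                        // assumed zone name
    type master;
    file "/var/lib/bind/_kage.duckcorp.org.zone";  // assumed path
    update-policy {
        // This key may add or delete TXT records at exactly one name;
        // an nsupdate signed with it for any other name is REFUSED.
        grant smtp-hq-acme name smtp.hq._kage.duckcorp.org. TXT;
    };
};
```

In the static duckcorp.org zone, `_acme-challenge.smtp.hq IN CNAME smtp.hq._kage.duckcorp.org.` points the challenge label at the delegated name, so the validating server's lookup lands on the one record this key is allowed to write.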

#2

Updated by Marc Dequènes over 4 years ago

  • Status changed from In Progress to Blocked
  • % Done changed from 20 to 30

Using CNAMEs is coming:

Seems people are enthusiastic about the PR, so let's wait before migrating more certs.

#3

Updated by Marc Dequènes over 4 years ago

  • Status changed from Blocked to In Progress
  • % Done changed from 30 to 40

I backported recent LE packages and applied the patch; only a minor problem affecting the tests was worked around (see message in the PR).
I tested these packages for smtp.hq.duckcorp.org successfully, and a web cert too for regression, and then decided to go along.
The packages are now uploaded in our repo and I was able to test other renewals with success.

#4

Updated by Marc Dequènes about 4 years ago

  • Status changed from In Progress to Resolved
  • % Done changed from 40 to 100

All user-facing services now use Let's Encrypt.
