Enhancement #676
closed
Use Let's Encrypt for more public services
Added by Marc Dequènes about 5 years ago.
Updated over 4 years ago.
Category:
Service :: IS / AAA / PKI
Description
Now that we have the DNS challenge method in place for SMTP we could make it more generic in a dedicated role and use it for other non-web services.
Also I think using a DNS update key per host would be more secure.
- Status changed from New to In Progress
- % Done changed from 0 to 20
We have a role for the DNS challenge setting and run. It is now used for SMTP services.
Each host now has its own key.
It would be nice if we could force the LE nsupdate to use the _kage subdomain and use CNAMEs like we do for TLSA to avoid having to create a forest of subdomains.
- Status changed from In Progress to Blocked
- % Done changed from 20 to 30
Using CNAMEs is coming:
Seems people are enthusiastic about the PR, so let's wait before migrating more certs.
- Status changed from Blocked to In Progress
- % Done changed from 30 to 40
I backported recent LE packages and applied the patch; only a minor problem affecting the tests was worked around (see message in the PR).
I tested these packages for smtp.hq.duckcorp.org successfully, and a web cert too for regression, and then decided to go along.
The packages are now uploaded in our repo and I was able to test other renewals with success.
- Status changed from In Progress to Resolved
- % Done changed from 40 to 100
All user-facing services now use Let's Encrypt.
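The two mechanisms this ticket relies on, a per-host nsupdate key and CNAME delegation of the `_acme-challenge` name into one `_kage` sub-zone, are shown below as an added example; it is not the DuckCorp role or any Let's Encrypt client code. The CNAME map stands in for real DNS lookups, the zone layout (`host._kage.duckcorp.org`), server name, key names and key-authorization string are constructed for illustration, and the BIND `update-policy` grant and nsupdate batch syntax are the standard ones. The example follows the CNAME chain the way an ACME validator does, writes the TXT record at the delegated name, and checks that one host's key is scoped to its own challenge name only.

```python
import base64
import hashlib

# Constructed stand-in for DNS: CNAMEs delegating each host's _acme-challenge
# name into a single "_kage" sub-zone (hypothetical layout, not DuckCorp's).
CNAME_MAP = {
    "_acme-challenge.smtp.hq.duckcorp.org.": "smtp.hq._kage.duckcorp.org.",
    "_acme-challenge.www.duckcorp.org.": "www._kage.duckcorp.org.",
}


def fqdn(name):
    """Normalise to an absolute DNS name with a trailing dot."""
    return name if name.endswith(".") else name + "."


def challenge_name(host):
    """Name the ACME server queries for a DNS-01 TXT record (RFC 8555 section 8.4)."""
    return "_acme-challenge." + fqdn(host)


def resolve_cname(name, cname_map, max_hops=8):
    """Follow CNAMEs like the validator does; returns the name that must hold the TXT.

    Raises ValueError on a loop or an overly long chain, which would otherwise make
    the renewal hang rather than fail clearly.
    """
    seen = []
    while name in cname_map:
        if name in seen or len(seen) >= max_hops:
            raise ValueError("CNAME loop or chain too long at %s" % name)
        seen.append(name)
        name = cname_map[name]
    return name


def dns01_txt_value(key_authorization):
    """TXT value for DNS-01: base64url(SHA-256(keyAuthorization)) without padding."""
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")


def nsupdate_script(host, key_authorization, cname_map, server, zone):
    """Batch for `nsupdate -k <per-host-key>`; writes the TXT at the delegated name."""
    target = resolve_cname(challenge_name(host), cname_map)
    txt = dns01_txt_value(key_authorization)
    return "\n".join([
        "server %s" % server,
        "zone %s" % fqdn(zone),
        "update delete %s TXT" % target,          # drop stale tokens first
        'update add %s 60 TXT "%s"' % (target, txt),
        "send",
    ]) + "\n"


def update_policy_grant(key_name, host, cname_map):
    """BIND update-policy line restricting this host's key to its own challenge name."""
    target = resolve_cname(challenge_name(host), cname_map)
    return "grant %s name %s TXT;" % (key_name, target)


def policy_allows(grants, key_name, name, rtype="TXT"):
    """Minimal model of BIND's `name` rule: key may touch exactly that name and type."""
    for grant in grants:
        parts = grant.rstrip(";").split()
        if (parts[:2] == ["grant", key_name] and parts[2] == "name"
                and parts[3] == fqdn(name) and rtype in parts[4:]):
            return True
    return False


if __name__ == "__main__":
    # Hypothetical server, zone and key-authorization value.
    print(nsupdate_script("smtp.hq.duckcorp.org", "token.thumbprint", CNAME_MAP,
                          "ns.duckcorp.org", "_kage.duckcorp.org"))
    grants = [update_policy_grant("smtp-acme-key", "smtp.hq.duckcorp.org", CNAME_MAP),
              update_policy_grant("www-acme-key", "www.duckcorp.org", CNAME_MAP)]
    print("\n".join(grants))
    print(policy_allows(grants, "smtp-acme-key", "www._kage.duckcorp.org."))  # False
```

Because the TXT record lands in the `_kage` zone, only that zone needs to accept dynamic updates, and each host's key is granted exactly one name there; a compromised host can replace its own challenge token but cannot obtain a certificate for a sibling host.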