Commit 918abcd7 authored by Daniel Quinn 🍁

Add note about LetsEncrypt and wildcard certs

parent 617823e3
......@@ -79,9 +79,16 @@ As it modifies server configurations and restarts Nginx, `kitchen` must run as
### SSL
We manage all the SSL stuff with LetsEncrypt, which uses notoriously
short-lived certificates. Handily, the `certbot` package that we install as
part of the `install` script includes a `certbot.timer` file that Systemd will
use to regularly renew the wildcard certificate generated during installation.
short-lived certificates. Unfortunately, since we're using a *wildcard
certificate*, the typical method of automatically updating your cert isn't
available without [considerable effort](https://certbot.eff.org/docs/using.html#pre-and-post-validation-hooks).
In the absence of that effort (say for example you're using a DNS provider
that doesn't have an API for changes), then you'll have to run this command
every 3 months or so. Just remember to replace `${PARENT_DOMAIN}` with
whatever you specified above:
certbot certonly --manual --preferred-challenges=dns -d "${PARENT_DOMAIN},*.${PARENT_DOMAIN}"
### Git
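Review bot: The rewritten paragraph removes the sentence about `certbot.timer` without saying what the timer does now; because the certificate is obtained with `--manual` and no `--manual-auth-hook`, the timer's scheduled `certbot renew` cannot answer the DNS challenge non-interactively for this certificate, so the note should state plainly that the timer will not renew the wildcard cert (and that its renewal failures for this cert are expected) instead of leaving readers to assume automatic renewal still works. Two smaller points: the hunk's own context line says the service restarts Nginx, so the manual renewal instructions should end with reloading Nginx so the new certificate is actually served; and "every 3 months or so" is the certificate lifetime rather than a safe renewal interval, so suggest wording like "before the 90-day expiry, e.g. every 2 months" or pointing readers at the expiry date that `certbot certificates` prints.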