<56D06376.2020709@alpinelinux.org>
I'm leaning toward letsencrypt and 4096bit certs. They don't allow wildcard certs, but do allow multiple Alt Subject Names. Startssl allows 5 alts (UCC) per free cert.

We currently have 61 entries in our zone file - a few are exempt/junk (I don't think we need svn or blog anymore); but the rest are in use.

To start simple, here's a proposal:

Get a cert for:

    alpinelinux.org

with Alt Subj Names of:

    bugs.alpinelinux.org
    forum.alpinelinux.org
    git.alpinelinux.org
    lists.alpinelinux.org
    patchwork.alpinelinux.org
    pkgs.alpinelinux.org
    wiki.alpinelinux.org
    www.alpinelinux.org

That would encompass the bulk of the "consumer" side of the project. For now we leave the download and build servers bare http, and see how this first step works.

---
<CA+cSEmN_jDLGo4dCNt41MDAwxNDzGW+qES-jXdno3oBiLuwOgA@mail.gmail.com>
<56D06376.2020709@alpinelinux.org>
On 26 February 2016 at 15:38, Nathan Angelacos <nangel@alpinelinux.org> wrote:
> I'm leaning toward letsencrypt and 4096bit certs.
>

I have been trying letsencrypt today together with the Caddy webserver and it seems an interesting option. I have currently converted my local pound proxy to caddy and I am serving pkgs.alpinelinux.org from it. Although it's Golang (we don't want any language wars on this list) it seems a very interesting and simplified approach to an http server.

I have added it to aports, so people can try it out. The package will probably need some love, but it should work.

The nice thing about it is, it has letsencrypt built in, and it will automatically create the certs for the sites defined and automatically forward all http traffic to https. Also the configuration is very easy to understand, and the certs get automatically renewed so no need for any scripts to run in the background.

-carlo