
  • HTTPS Support

    April 13th, 2016
    https, tech  [html]
    This site is now available over HTTPS, with certificates from Let's Encrypt: https://www.jefftk.com.

    The certificates only last for three months, and I don't have automated renewal set up, so the https site might go down briefly every so often for the cert being out-of-date if I forget to renew. Once I sort this out I can redirect the http site to https, but I'm wary of doing it before then.

    The letsencrypt-auto command I'm using is:

    letsencrypt/letsencrypt-auto certonly        \
      --webroot                                  \
      -w /var/www/    -d www.jefftk.com          \
                      -d jefftk.com              \
      -w /var/www-fr/ -d www.freeraisins.com     \
                      -d freeraisins.com         \
      -w /var/www-lw/ -d www.lilywise.com        \
                      -d lilywise.com            \
      -w /var/www-tc/ -d www.trycontra.com       \
                      -d trycontra.com           \
      -w /var/www-aw/ -d www.annakaufmanwise.com \
                      -d annakaufmanwise.com     \
      --email jeff.t.kaufman@gmail.com           \
      --agree-tos
    

    This puts files on each of my domains under /.well-known/acme-challenge/, and tells the CA server about them. The CA server can verify that the files are actually reachable, through both the www and bare hostnames, and issue the certificate. I'm having it issue one SAN certificate for all of the sites, which makes certificate management simpler.

    Reading the docs now, it sounds like after running that command once it's sufficient to use letsencrypt-auto renew. It remembers the configuration used to get the certs, and asks for new ones when they're close to expiring. I've put letsencrypt-auto renew && service nginx restart in root's crontab, but I'm not confident yet that it will work.
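
    An independent check that the renewal cron job is doing its work, as an added example that is not part of the original post: it reads the certificate a server presents and reports when expiry is near or when a hostname is missing from the single SAN certificate. The function names, the 14-day threshold and the sample certificate are assumptions made for illustration.

```python
import socket
import ssl
import time

# Hostnames from the -d arguments of the command in the post.
EXPECTED_NAMES = [
    "www.jefftk.com", "jefftk.com", "www.freeraisins.com", "freeraisins.com",
    "www.lilywise.com", "lilywise.com", "www.trycontra.com", "trycontra.com",
    "www.annakaufmanwise.com", "annakaufmanwise.com",
]

def fetch_cert(host, port=443, timeout=10):
    """Return the certificate `host` serves, as a getpeercert() dict.

    The default context validates the chain, so an already-expired cert
    raises ssl.SSLError here; a monitor should alert on that as well.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def check_cert(cert, expected_names, now=None, min_days=14):
    """Return a list of problems found in a getpeercert()-style dict."""
    now = time.time() if now is None else now
    problems = []
    days_left = (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400
    if days_left < 0:
        problems.append("expired %d days ago" % -days_left)
    elif days_left < min_days:  # assumed alert threshold
        problems.append("expires in %d days" % days_left)
    # One SAN certificate has to list every hostname it is served for.
    sans = {value.lower() for kind, value in cert.get("subjectAltName", ())
            if kind == "DNS"}
    for name in expected_names:
        if name.lower() not in sans:
            problems.append("no SAN entry for " + name)
    return problems

# Constructed sample (not a real certificate): expires 90 days after the
# post's date and is missing one hostname.
SAMPLE_CERT = {
    "notAfter": "Jul 12 12:00:00 2016 GMT",
    "subjectAltName": tuple(("DNS", n) for n in EXPECTED_NAMES
                            if n != "lilywise.com"),
}

if __name__ == "__main__":
    ten_days_before = ssl.cert_time_to_seconds("Jul  2 12:00:00 2016 GMT")
    for problem in check_cert(SAMPLE_CERT, EXPECTED_NAMES, now=ten_days_before):
        print(problem)
```

    Run against live sites, check_cert(fetch_cert(name), EXPECTED_NAMES) from a separate cron job gives a warning that does not depend on the renewal job itself succeeding.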

    When I first set this up I had some mixed content issues and problems with links taking you to the http version of the site. Over the years various scripts had ended up generating absolute urls instead of relative ones [1] so I needed to go through and remove all text references to http://www.jefftk.com.

    At this point I'm pretty happy, except for the renewal story.

    Update 2016-08-09: converted rss feed to give https links, as a first step in ramping up to full https.


    [1] This site started out under /~cbr/ on sccs, which would sometimes redirect people to /users/08/cbr/ depending on current configuration, which meant I couldn't use site-relative urls. I haven't been on sccs for years, but things stick around.
