
Bug#812174: ITP: letsencrypt-sh -- ACME client implemented in Bash



On Tue, Mar 29, 2016 at 05:45:44PM +0200, Daniel Beyer wrote:
> Hi Mattia,
> 
> On Monday, 28.03.2016, at 21:44 +0000, Mattia Rizzolo wrote:
> > Hi Daniel :)
> > 
> > On Sun, Mar 27, 2016 at 01:01:18PM +0200, Daniel Beyer wrote:
> > (...)
> > 
> > I think your apache snippet is cool, actually.
> > I improved the thing a bit, by moving it to be a config snippet,
> > instead of being treated as a virtualhost, and by using dh_apache2
> > instead of manually trying (and failing, e.g. you forgot to remove the thing
> > when removing the package) to get it right :)
> > 
> 
> The infrastructure I needed letsencrypt.sh for enables the proxy module
> in a virtualhost, rather than doing it the debian-"mods-enabled"-way. That's
> why it was a virtualhost (it had to be loaded at the very end to work).
> But this is a rather uncommon setup and providing a config snippet is
> definitely the way to go here. Thanks for changing it and switching to
> dh_apache2.

Umh, now, I haven't checked as atm I don't have anything handy to check
this, and I'm not an apache2 master, but it really ought to work
anyway; unless you explicitly allow it again it should really work.

On the bright side, I've made changes to my little deployment and now
I'm using the -apache2 package too.
I've made some changes to it, I think the most "difficult" change is
commit 365c3380ccab44b611d7a3edd6a9c4d6cf8ccabe please tell me what you
think of that.  I wrote my reasons in the commit msg, but tell me :)

> > I've already installed the resulting .deb on one of my servers, but I
> > have to admit that I already have some infrastructure around LE, so I
> > won't use the packaged configuration, nor the apache snippet by myself
> > (at least not yet).
> > 
> 
> I have quite some infrastructure that I would like to use it for. I'll
> check if I can migrate one candidate to fully make use of the packaging
> later this week.

How did it go?

> > Something I need help/suggestion for: I quite dislike the name
> > letsencrypt.sh-challenge-response-apache2, I find it way too long :\
> > Can we think of something nicer? :)
> > 
> 
> Yeah, you're right - pretty unhandy. I renamed it to simply
> letsencrypt.sh-apache2 in debian/master - but feel free to propose
> another name.

That name's cool for me! :)

> I would like to see the following features added to the packaging:
> - Ship some automatism, so the renews do not need to be done manually

I don't know.  I've yet to enable automatic renewals.  Given that I'm
still doing stuff and playing with it I run it so often anyway.

Also, automatic renewals imply cron: that means deciding how often you
want to do that.  And considering that letsencrypt.sh does not have a
silent mode really useful for cron (I wouldn't want to be "constantly"
emailed just to know that nothing has been done).

And it also means we need to install a letsencrypt.sh user or something to
run it with, and then IMHO it'll become a really complicated package for
a shell script...

> - Add nginx support (similar to the apache2 one)

I'm not an nginx person, I wouldn't know how to do it.
What about leaving it for somebody else to supply a patch?

> Besides that, it would be wise to deny execution by user root per
> default, but this should better be implemented upstream. I'll try to
> work on this later this week - or more likely on the weekend.

Yes, this should be done upstream.


What do you think is needed after all of this?

-- 
regards,
                        Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540      .''`.
more about me:  http://mapreri.org                              : :'  :
Launchpad user: https://launchpad.net/~mapreri                  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-
