Good idea! It is now a wiki!
Thanks Jeff, I’ve updated the first post with @brahn’s updates from Jul '17
Got a suspicion something’s changed here, this script no longer works fully. One of my subdomains isn’t working anymore. I’ll investigate when I have more time. But FYI and perhaps someone will know something …
Yeah, looks like the web.letsencrypt.ssl.template.yml has changed recently and the after_ssl replace hook will no longer work. Unless someone else fixes it first I will eventually get to it but I am swamped at the moment so it might take a few weeks.
Since this commit from @gerhard the subject alternate names are no longer added due to the implementation of ECC. This effectively breaks any multisite installations which use the above method. cc:@sam
A site that I just attempted to upgrade is no longer getting certs at all.
EDIT: Just saw @gerhard’s edit. I’ll give it a shot in a minute and report back.
Yeah, the edit in the OP is untested, but I think it should work. I’d like to make this less fragile… maybe I can add some kind of env variable for all the hostnames, so that the hacky replace isn’t needed anymore.
And sorry for the problems this new elliptic curve certificate caused. I didn’t know that this Howto topic existed, otherwise I would have been more careful.
Thanks, @gerhard! I can confirm that it works!
The site that I just upgraded works for both
https://www.example.com (which redirects to apex domain).
Why did we need this cert?
IE11 on Windows 7/8 needed it because none of the cipher suites recommended by Mozilla would work otherwise. As a bonus: All modern browsers prefer ECDA over RSA and profit from it as well. It’s smaller and faster.
I see, there are more details here
Is there something up with the replace statement here? I tested it as written, but looking inside the container at
/etc/runit/1.d/letsencrypt a line break appears as follows:
--keylength $1 -w /var/www/discourse/public
Ok looks as though the to: line needs to be:
to: "-d www.main-domain.com -d second-domain.com -d www.second-domain.com -d other-domain.com -d www.other-domain.com --keylength"
Although inspecting the certificate it still doesn’t seem to correctly install.
Do the acme.sh statements also need updating to include the domains?
@gerhard I haven’t had any more time to dig through this and figure out what else was broken, but I’ve just heard from someone else who hasn’t been able to get additional sites working with yourfix. Any thoughts?
This one case doesn’t seem to be disrupted, multiple domains to the default site, but multisite isn’t functioning at all.