cacert-sysadm AT lists.cacert.org
Subject: CAcert System Admins discussion list
- From: Daniel Black <daniel AT cacert.org>
- To: Jan Dittberner <jandd AT cacert.org>, cacert-sysadm AT lists.cacert.org
- Subject: Re: Apache / Debian packaging / SSL Renegotiation
- Date: Fri, 26 Mar 2010 19:29:13 +1100
- Authentication-results: lists.cacert.org; dkim=pass (1024-bit key) header.i= AT cacert.org; dkim-asp=none
- Organization: CAcert
On Friday 26 March 2010 19:07:26 Jan Dittberner wrote:
> <jandd AT debian.org hat on>
>
> > So my question is - how to go for Bern infrastructure?
> > 1. squeeze
>
> Don't bet on Squeeze yet, we are not even in freeze.
>
good to know.
> > 2. lenny and create/maintain backported apache2
>
> I will try how much has to be changed in the package to backport the
> squeeze version. If there is not too much effort necessary to maintain a
> backport we could go this way.
thank you.
> I suggest to use the official backports.org
> infrastructure then.
yep.
> </jandd AT debian.org hat on>
thanks for hat sharing :-)
> > 3. more IPs
>
> we should have at least some spare IPs, but I (and others like IanG) would
> like to implement SNI.
me too - it's the perfect way to deploy it relatively risk free.
Pity more nice things like SSLOCSPEnable aren't in a stable release yet but
good to know they are coming.
http://httpd.apache.org/docs/trunk/mod/mod_ssl.html#sslocspenable
> > 4. something else?
>
thought of option 4
4. A VM with a SNI apache acting as a reverse-proxy somehow pushing SSL vars
to other instances. I've never done a reverse-proxy and/or worked out
application compatibility so tell me if this is hard/wrong.
Could be done without SNI with a big certificate with multiple names if
really needed.
> Who will create the certificates/keys for all of these hostnames?
keys - me, you and any other admin
I might do them all at once as it may be easier that way. I'll check I'm
generating the right thing with each of you first.
certificates:
http://wiki.cacert.org/SystemAdministration/Procedures/CertificateIssuing
and maybe soon even me:
https://lists.cacert.org/wws/arc/cacert-board/2010-03/msg00112.html
--
Daniel Black
Infrastructure Team Lead
CAcert
Attachment:
smime.p7s
Description: S/MIME cryptographic signature