The Weekly Notes are a way for me to group a couple of short, but interesting, things that I found of note in the past week into a single article. It will generally be either articles or tools that might not be big enough (yet) to dedicate a whole article on, and the number of subjects will differ from week to week. In short, it’s a way for me to express my opinion about things in a way that stops me from spamming you with short links all the time while also triggering me to post something every week.
Let’s Encrypt and automated SSL certificates
Let’s Encrypt is a service with the very laudable goal of providing free SSL certificates. They intend to do so by providing a client that you can run on your server, and that you can use to retrieve a new certificate. It will also automatically install this certificate and restart your web server. The reason you need the client is because these certificates will only be valid for a maximum of 90 days (and possible even less in the future) so it is recommended that you retrieve a new certificate before that time expires, preferably using a cronjob.
Obviously, that sounds great and there are a number of advantages to this. First of is the security standpoint, having short lived certificates means that any compromises related to a specific certificate will be short lived and a replacement certificate will show up shortly. Secondly, and related, is the automation part. Especially when dealing with a lot of servers, it becomes so much easier to deal with not having to think about expiring certificates when there is a task running that will simply renew your certificates every couple of weeks.
Because of this, I played around with it when I got my invitation to the closed beta last week (the plan is to launch the public beta on the 3rd of December). Now, this is obviously still a Developer Preview of a first release so it’s obviously not going to be perfect. Still, from what I’ve seen so far the tool/client for generating the certificates is interesting. It is far from perfect though, and as a first version it is focused on a simple use case that will no doubt be extended in the future.
Naturally, the most important part of the process is verification that you actually own the site you are generating the certificate for. At the moment this is done by the client checking if a file is present on the site and (in case you run it automatically) if the IP address that file is found matches that of the DNS record for the site.
That seems like a fair enough check, but it causes problems for certain use cases that I’m interested in. The first type of these is a site like mine: a static site isn’t hosted on a server, but instead on an S3 bucket. I can generate the certificate by using the manual plugin, but that then requires a couple of manual steps. I am investigating solutions for this, and if I figure out a way to make it work I’ll let you know.
The second use case this breaks down for is development servers and other machines that might not be available publicly. At the moment the only way to generate certificates for these seems to be by making these servers publicly accessible, which is obviously not the best solution. According to forum posts support for validation through DNS is in the works, but not scheduled for launch.
That said, even if you don’t have access to the private beta, I still recommend trying out the public beta when it launches in December and see how it works for you.
AWS Releases Go SDK
They’ve been working on it for a long time, but AWS announced version 1.0 of their Go API. Ever since they took over the code written by Stripe they’ve been improving on it to make it match the functionality of the APIs for other languages. I have used the early versions of the API, but judging by the improvements even just since the Developer Preview I’ve got some catching up to do. I’ll need to come up with a project I can use it for soon.