Tracking task to replace librenms's sha1 cert with sha256, in multiple steps:
- reissue certificate in sha256
- update configuration to use new certificate
- push changes live
- revoke old sha1 certificate
Status | Subtype | Assigned | Task
---|---|---|---
Resolved | | RobH | T73156 Replace SHA1 certificates with SHA256
Resolved | | Dzahn | T100831 replace librenms's sha1 cert with sha256
Change 214676 had a related patch set uploaded (by RobH):
replace librenms's sha1 cert with sha256
librenms doesn't use an individual .erb template for the Apache config. Instead it uses @webserver::apache::site, which uses templates/apache/generic_vhost.erb, which includes:
SSLCACertificatePath /etc/ssl/certs
We want to change that and just specify the chained file, but that would affect other services, which is a drawback to using a generic template for everything.
Change 215840 had a related patch set uploaded (by Dzahn):
apache generic_vhost: add SSLCertificateChainFile
replaced cert without making an additional config change
signature algorithm is now SHA256withRSA
grade A- https://www.ssllabs.com/ssltest/analyze.html?d=librenms.wikimedia.org
the - in A- is because of not supporting PFS, which is because this uses Apache 2.2, which is because netmon1001 is precise
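As an added example (not part of this task or of the Wikimedia puppet repository), these are the checks a practitioner would run around the reissue steps listed in the task description and Dzahn's "signature algorithm is now SHA256withRSA" confirmation, written in POSIX shell on top of the openssl CLI. The hostnames, file paths and the self-signed stand-in certificates are constructed for illustration only; a real reissue sends a CSR to the CA rather than self-signing, and the live check is what the SSL Labs scan reports under "Signature algorithm".

```shell
#!/bin/sh
# Added example, not from the task page or puppet: verify a certificate's
# signature algorithm before and after reissuing it with SHA-256.
# All paths, hostnames and generated certificates below are hypothetical.
set -eu

# cert_sig_alg FILE: print the signature algorithm of a PEM certificate,
# e.g. "sha1WithRSAEncryption" or "sha256WithRSAEncryption".
# openssl prints the line twice (TBS and trailer); the first one is enough.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# is_weak_sig FILE: exit 0 if the certificate still carries a SHA-1 (or MD5)
# signature, i.e. it is one of the certs this task exists to replace.
is_weak_sig() {
    case "$(cert_sig_alg "$1")" in
        sha1*|md5*) return 0 ;;
        *)          return 1 ;;
    esac
}

# same_subject OLD NEW: exit 0 if both certificates carry the same subject,
# so the reissued cert can be swapped in without touching the vhost config.
same_subject() {
    [ "$(openssl x509 -in "$1" -noout -subject)" = \
      "$(openssl x509 -in "$2" -noout -subject)" ]
}

# make_selfsigned FILE DIGEST CN: constructed stand-in for the old (sha1) and
# reissued (sha256) certificates. A real reissue would submit a CSR to the CA.
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -"$2" \
        -subj "/CN=$3" -keyout "$1.key" -out "$1" 2>/dev/null
}

# live_sig_alg HOST: signature algorithm of the leaf certificate a live
# server presents on port 443 (what SSL Labs shows as e.g. SHA256withRSA).
# Run after "push changes live" to confirm the new cert is actually served.
live_sig_alg() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -text \
        | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Usage (hypothetical host):
#   is_weak_sig /etc/ssl/localcerts/librenms.example.crt && echo "still SHA-1"
#   live_sig_alg librenms.example
```

Run is_weak_sig against the certificate on disk before step 2 and live_sig_alg against the host after step 3; only revoke the old certificate (step 4) once the live check no longer reports a sha1 signature, otherwise a rollback would have to fall back to a revoked cert.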