[DRE-commits] [diaspora-installer] 01/08: update templates for ssl/tls certificates

Praveen Arimbrathodiyil praveen at moszumanska.debian.org
Sat Dec 31 09:11:49 UTC 2016


This is an automated email from the git hooks/post-receive script.

praveen pushed a commit to branch master
in repository diaspora-installer.

commit 1955ba2fbf5e74d2f14dd9e95ee2663c318bac6d
Author: Praveen Arimbrathodiyil <praveen at debian.org>
Date:   Sat Dec 31 13:22:41 2016 +0530

    update templates for ssl/tls certificates
---
 debian/diaspora-common.templates | 29 ++++++++++++++++++++++++++---
 1 file changed, 26 insertions(+), 3 deletions(-)

diff --git a/debian/diaspora-common.templates b/debian/diaspora-common.templates
index 89d0b04..8f5454f 100644
--- a/debian/diaspora-common.templates
+++ b/debian/diaspora-common.templates
@@ -25,20 +25,43 @@ Template: diaspora-common/ssl
 Type: boolean
 Default: true
 _Description: Enable https?
- Enabling https means that an SSL certificate is required to access this
+ Enabling https means that an SSL/TLS certificate is required to access this
  Diaspora instance (as Nginx will be configured to respond only to https
  requests). A self-signed certificate is enough for local testing (and
  can be generated using, for instance, the package easy-rsa), but will
  not be accepted for federation with other Diaspora pods.
  .
- Some certificate authorities like StartSSL (startssl.com) or WoSign
- (buy.wosign.com/free) offer free SSL certificates that work with Diaspora;
+ Some certificate authorities like Let's Encrypt (letsencrypt.org), StartSSL
+ (startssl.com) offer free SSL/TLS certificates that work with Diaspora;
  however, certificates provided by CAcert will not work with Diaspora.
  .
+ Nginx must be reloaded after the certificate and key files are made available
+ at /etc/diaspora/ssl. letsencrypt package may be used to automate interaction
+ with Let's Encrypt to obtain a certificate.
+ .
  You can disable https if you want to access Diaspora only locally, via
  Unicorn on port 3000. If you disable https, Nginx configuration will be
  skipped.
 
+Template: diaspora/letsencrypt
+Type: boolean
+Default: false
+_Description: Use Let's Encrypt?
+ Symbolic links to certificate and key created using letsencrypt package
+ (/etc/letencrypt/live) will be added to /etc/diaspora/ssl if this option is
+ selected.
+ .
+ Otherwise, certificate and key files have to be placed manually to
+ /etc/diaspora/ssl directory as '<host name>-bundle.crt' and '<host name>.key'.
+ .
+ Nginx will be stopped, if this option is selected, to allow letsencrypt to use
+ ports 80 and 443 during domain ownership validation and certificate retrieval
+ step.
+ .
+ Note: letsencrypt does not have a usable nginx plugin currently, so
+ certificates must be renewed manually after 3 months, when current
+ letsencrypt certificate expire.
+
 Template: diaspora-common/dbbackup
 Type: note
 _Description: Backup your database
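Review bot: the path in the new diaspora/letsencrypt description is misspelled as /etc/letencrypt/live (missing the "s"). It should read /etc/letsencrypt/live, matching the package name used in the rest of the text, so an admin who follows the text to check the symlink targets looks in the right place. The new template is also named diaspora/letsencrypt, while its neighbours in this file are diaspora-common/ssl and diaspora-common/dbbackup. Unless another package owns that question, diaspora-common/letsencrypt would be consistent. The note says certificates must be renewed manually after 3 months, but does not say whether Nginx has to be stopped again for renewal as it is for the first retrieval, or that it must be reloaded afterwards as the diaspora-common/ssl text requires. One sentence covering that would help. Wording: "Let's Encrypt (letsencrypt.org), StartSSL (startssl.com) offer" needs an "and" now that WoSign is gone from the list, and "when current letsencrypt certificate expire" should be "when the current letsencrypt certificate expires".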

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-ruby-extras/diaspora-installer.git


