Hi Mike,
I'm not sure about the bigger picture within museums, but when we moved IWM onto SSL-all-the-time (rather than just for forms/admin) we had to deal with a few complications, and I imagine they might deter others too.
So we wanted to move to Let's Encrypt, as we'd done on many simpler sites, but there were two issues: firstly, the load balancer. The cloud LBs at Rackspace can't have Let's Encrypt (well, certbot) on them, and since that system has moved to providing certificates of short duration that would mean generating the certificates somewhere else - a bit tricky in itself IIRC - and frequently uploading them to the LB. That rather wrecks the sweet automation that is one of the attractions of certbot. Secondly, if instead of terminating at the LB we passed encrypted traffic to the servers and ran certbot there instead, our cache - Varnish - wouldn't work, because it does HTTP only.
I think what is still happening in that instance is that the certificate has come from an old-school provider and terminates on the load balancer, and unencrypted traffic is passed through to Varnish on the servers behind it. In another case, though, where no load balancer was involved, we put HAProxy in front of Varnish just to handle certificate termination (it's also perfectly good as a cache so you might just use that).
Probably too much detail, but I just wanted to note that any set-up beyond the plain vanilla may turn out to be off-puttingly fiddly for some people. Some ISPs are also still charging for something that should be free and they could probably do more to ensure that certbot worked on all their products. It's not an excuse not to go SSL all the way, though, and your site and web presence will definitely suffer more and more if you don't.
Cheers, Jeremy
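The HAProxy-in-front-of-Varnish arrangement Jeremy describes, written out as an added example; this is not part of the original thread and not IWM's or Thirty8's configuration. HAProxy terminates TLS on 443 with a Let's Encrypt certificate and hands plain HTTP to Varnish on the same host, redirects everything on port 80 to HTTPS, and routes ACME HTTP-01 challenges to a certbot standalone listener so renewals keep working behind the proxy. The hostname www.example.org, the certificate path /etc/haproxy/certs/, the Varnish port 6081 and the certbot port 8402 are assumptions.

```haproxy
global
    log /dev/log local0
    maxconn 4096
    # Applies to every "bind ... ssl" line below: no TLS 1.0/1.1, no session tickets
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
    mode http
    log global
    option httplog
    option forwardfor            # X-Forwarded-For so Varnish and the app see the real client IP
    timeout connect 5s
    timeout client 30s
    timeout server 30s

# Port 80: only ACME challenges are answered in clear; everything else is sent to HTTPS
frontend http_in
    bind *:80
    acl is_acme path_beg /.well-known/acme-challenge/
    use_backend certbot if is_acme
    http-request redirect scheme https code 301 unless is_acme

# Port 443: TLS ends here; Varnish behind it only ever speaks plain HTTP
frontend https_in
    # Assumed path: one PEM holding fullchain.pem followed by privkey.pem (HAProxy wants them in one file)
    bind *:443 ssl crt /etc/haproxy/certs/www.example.org.pem alpn h2,http/1.1
    # Tell the origin application it is being served over HTTPS so it emits https:// links
    http-request set-header X-Forwarded-Proto https
    # Optional: commit browsers to HTTPS once the whole site is known to work over it
    http-response set-header Strict-Transport-Security "max-age=31536000"
    default_backend varnish

backend varnish
    # Varnish default listener (assumed), plain HTTP on the same host
    server varnish1 127.0.0.1:6081 check

backend certbot
    # Assumed: certbot --standalone --http-01-port 8402 listens here only while a challenge runs
    server certbot1 127.0.0.1:8402
```

Renewal stays automated because certbot never needs port 80 itself: run it as `certbot certonly --standalone --http-01-port 8402 -d www.example.org` with a `--deploy-hook` that concatenates fullchain.pem and privkey.pem from /etc/letsencrypt/live/www.example.org/ into the combined file above (mode 600, owned by root) and then runs `systemctl reload haproxy`. Check the file with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading. Because port 80 redirects rather than proxying, Varnish only ever sees HTTPS-originated requests, so there is no risk of caching an http:// and an https:// rendering of the same page under one key.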
Mike Ellis <[log in to unmask]> wrote:
Hey all
I'm doing a bulk migration job today - actually, nothing to do with museums - but I'm noticing that about 80% of the sites I'm looking at aren't SSL'd.
We did a (really nasty / boring) bit of work moving 60 or so client sites to https on the run-up to the GDPR deadline - we consider it to be an important component part of this - and Let's Encrypt was definitely our friend [https://letsencrypt.org/]...
Thoughts....?
tt
Mike
_____________________________
Mike Ellis
Thirty8 Digital: a small but perfectly formed digital agency:
http://thirty8.co.uk
To unsubscribe from the MCG list, click the following link:
https://www.jiscmail.ac.uk/cgi-bin/webadmin?SUBED1=MCG&A=1