We are grateful for the excellent work delivered by our Student Intern Michael Andrejczuk on all aspects of this project, during which he:
- analysed the University's current certificate usage, including those parts that have already started using the Let's Encrypt CA
- actively engaged with the Apache HTTPD and Inline with Upstream Stable organisations to understand their release constraints, to provide feedback and test their packages
- rapidly familiarised himself with our configuration management system and developed the code to allow us to deploy test servers running his custom build of the Apache HTTP daemon
- designed and implemented a proof of concept on a development load balancer
- surveyed the University community for usage of the nginx web server
- added valuable effort to a wide range of our team's operational activities
Key Learning Points
- Appointing the right student to the internship is critical to the success of our section's projects. This year we promoted the post in the School of Informatics and had several excellent candidates.
- On a short-term internship, we need to integrate the student into our section as quickly as we can, commensurate with our trust relationship with them.
- Inline with Upstream Stable have still not made a supported release of their Apache HTTP package with the Managed Domain feature.
- Many of the services we would like to protect with Let's Encrypt certificates are only exposed on our private network and are thus unable to use the HTTP ACME challenge. Unfortunately, our DNS infrastructure is not ready to respond to the DNS ACME challenge.
- Let's Encrypt does not issue Extended Validation certificates, which we should be considering for many of our core services as they show as "The University of Edinburgh" in browser address bars.