On Wed, Jul 19, 2017 at 1:42 PM, Niklas Keller <m...@kelunik.com> wrote:
> > We should really change that and fully move to HTTPS.
>

I have looked at various ways of doing this, but it isn't trivial and it has absolutely nothing to do with the actual html and slapping in some https links instead of http.

The problem here is that we have external volunteers running all our mirrors and we do geo-dns for www.php.net to your geographically close mirror site. Putting the private key for www.php.net on dozens of servers around the world we don't control is a non-starter.

One way that I played with was to use letsencrypt and have each mirror request an ssl cert for their local mirror, ca1.php.net, for example, and include a CN alias for www.php.net in that request. Then we would run a domain validation gateway/proxy on www.php.net which would validate these requests on behalf of the mirrors. But there are some security issues with this approach that I haven't quite thought through.

I would love to hear suggestions for perhaps a simpler solution to this problem that doesn't require pasting our private key all over the internet.

-Rasmus