Conversation
Notices
-
Benedikt GeiΓler π (benediktg@gnusocial.de)'s status on Saturday, 04-Jun-2016 01:32:01 UTC 
Benedikt GeiΓler π
The TLS certificate on quitter.no has just expired.
βquitter.no uses an invalid security certificate. The certificate expired on 04.06.2016 02:23. The current time is 04.06.2016 03:29. Error code: SEC_ERROR_EXPIRED_CERTIFICATEβ- Claes Wallin (ιεθͺ ) repeated this.
-
Tobias Schmidl (schtobia@gnusocial.de)'s status on Saturday, 04-Jun-2016 02:08:14 UTC 
Tobias Schmidl
@benediktg well, "let's encrypt"! π (IMHO, an SSL stack that is dependent on an external tool, that's just plain wrong for me. Good thing @vinzv has gone for RapidSSL for !gnusocialde .) Claes Wallin (ιεθͺ ) repeated this. -
rugk (rugk@gnusocial.de)'s status on Saturday, 04-Jun-2016 08:25:59 UTC 
rugk
@schtobia The client can be anything. It does not have to depend on some library. There is e.g. letskencrypt: https://gnusocial.de/url/2898211
And also with RapidSSL you of course have to use an SSL stack. So I don't really see the relation to LE here.Claes Wallin (ιεθͺ ) likes this.Claes Wallin (ιεθͺ ) repeated this. -
Tobias Schmidl (schtobia@gnusocial.de)'s status on Saturday, 04-Jun-2016 09:19:19 UTC
Tobias Schmidl
@rugk I don't want an additional client at all, since there already *is* a client for managing CSRs and X509 - it's called OpenSSL. Everything else is redundant.
(And if you're concerned about OpenSSL, there are two possibilities: Fixing the bugs or switching to LibreSSL. There's simply no *point* in developing an alternative client if you don't trust your SSL lib, since it *will* have access to your key.)Claes Wallin (ιεθͺ ) repeated this. -
Claes Wallin (ιεθͺ ) (clackemovedtoheldscalla@quitter.se)'s status on Sunday, 05-Jun-2016 19:00:48 UTC 
Claes Wallin (ιεθͺ )
@schtobia @rugk You are mixing things up. LE/Acme is simply about automated renewal, not about stack choice. Automation FTW. -
Tobias Schmidl (schtobia@gnusocial.de)'s status on Sunday, 05-Jun-2016 22:42:13 UTC
Tobias Schmidl
@clacke I do automation for a living, so believe me when I say: Automation fails. At the wrong time. In the worst possible way. (I'm currently 10.000 km away from home because of that.) The smaller the things are that you can do manually, the bigger your problem will be. (which is why letsencrypt.sh is worth a look) @rugk Claes Wallin (ιεθͺ ) repeated this. -
Claes Wallin (ιεθͺ ) (clackemovedtoheldscalla@quitter.se)'s status on Monday, 06-Jun-2016 03:28:42 UTC
Claes Wallin (ιεθͺ )
@schtobia Humans fail too. When letsencrypt automation fails, you have 30 days to fix it. With humans failing, cert often already overdue. -
Tobias Schmidl (schtobia@gnusocial.de)'s status on Monday, 06-Jun-2016 08:27:01 UTC
Tobias Schmidl
@clacke yup, that's why @rugkΒ convinced me that a short lifetime is actually a good thing to get your stuff together. But it's one thing to have assistance as letsencrypt.sh does, or doing the full blown automatic stuff. The first one assists you, the second one puts you under tutelage. And then blows up spectacularly. Claes Wallin (ιεθͺ ) repeated this. -
Claes Wallin (ιεθͺ ) (clackemovedtoheldscalla@quitter.se)'s status on Tuesday, 07-Jun-2016 10:18:58 UTC
Claes Wallin (ιεθͺ )
@schtobia @rugk What it does is not super complicated. If it blows up and one is forced to learn it, so be it. If it doesn't, effort saved. -
Tobias Schmidl (schtobia@gnusocial.de)'s status on Tuesday, 07-Jun-2016 13:43:08 UTC
Tobias Schmidl
@clacke Again, there's a difference between assisting and patronizing. If you want to automate ALL the things, why not voting? You have the polls, you known within a certain margin who's gonna be elected, so why not automatize the process? Would be much for error-proof?
The same goes for SSL. Not everything that's doable should also be done. And messing with my nginx.conf or my certs is *my* business alone. (Also, this client doesn't need root. This is just a fancy wrapper for openssl and curl, this really, really, really doesn't need root privileges.) @rugkClaes Wallin (ιεθͺ ) repeated this. -
Claes Wallin (ιεθͺ ) (clackemovedtoheldscalla@quitter.se)'s status on Wednesday, 08-Jun-2016 11:28:13 UTC
Claes Wallin (ιεθͺ )
@schtobia @rugk We simply disagree on the complexity of cert renewal and the feasability of auto without escalated privileges or incident. -
Tobias Schmidl (schtobia@gnusocial.de)'s status on Thursday, 09-Jun-2016 03:16:22 UTC
Tobias Schmidl
@clacke oh no, not at all. I think "Let's Encrypt" is doing a wonderful job by lowering the process costs of cert renewal. I'm simply stating that just because you *can* automate the process completely, this doesn't mean that you *should* do it. Crucial parts of any process have to remain within manual overlook - and verifying identities is IMHO verify crucial.
So we disagree on two terms:
- No, I don't think full 100% automation of /any process/ is doable on a larger scale for an extended period of time, since you will sometimes fail, and then fail big time.Β Which is not a problem if you talk about log files, but a very big problem if you talk about certs. Risk is potential damage multiplied with probability of occurrence. (the latter being alwaysΒ β zero)
- No I don't think this is a good idea, even unrelated to the feasability. Because of the missing manual oversight.
And that's why "Let's encrypt" only became interesting to me after looking into letsencrypt.sh . Which doesn't need root.Β @rugkClaes Wallin (ιεθͺ ) repeated this. -
Claes Wallin (ιεθͺ ) (clackemovedtoheldscalla@quitter.se)'s status on Thursday, 09-Jun-2016 16:55:07 UTC
Claes Wallin (ιεθͺ )
@schtobia Are you 100% certain the standard #letsencrypt stuff requires root? Haven't used it myself, but I don't see why it would need it. -
Claes Wallin (ιεθͺ ) (clackemovedtoheldscalla@quitter.se)'s status on Thursday, 09-Jun-2016 16:58:45 UTC
Claes Wallin (ιεθͺ )
@schtobia For my next web setup I'm probably going to use letsencrypt-nginx-docker or caddy, for minimum manual interference. -
lnxw48 (Linux Walt) (lnxw48@fresh.federati.net)'s status on Thursday, 09-Jun-2016 17:05:34 UTC 
lnxw48 (Linux Walt)
@clacke Doesn't it write certs into priveleged directories and edit webserver cofig files? Both of those should require root. Claes Wallin (ιεθͺ ) repeated this. -
Tobias Schmidl (schtobia@gnusocial.de)'s status on Thursday, 09-Jun-2016 19:12:49 UTC
Tobias Schmidl
@clacke "[β¦] certbot itself needs root access for almost all modes of operation." https://gnusocial.de/url/2908424 Claes Wallin (ιεθͺ ) repeated this. -
Charles Roth MPC (charlesrothmpc@micro.fragdev.com)'s status on Thursday, 09-Jun-2016 19:56:47 UTC 
Charles Roth MPC
I use letsencrypt and would never go back. Claes Wallin (ιεθͺ ) repeated this. -
Claes Wallin (ιεθͺ ) (clackemovedtoheldscalla@quitter.se)'s status on Thursday, 09-Jun-2016 21:28:38 UTC
Claes Wallin (ιεθͺ )
@schtobia Urgh. Ok. -
Claes Wallin (ιεθͺ ) (clackemovedtoheldscalla@quitter.se)'s status on Thursday, 09-Jun-2016 21:31:24 UTC
Claes Wallin (ιεθͺ )
@lnxw48 It would require write access to a specific directory. Conf could be a drop file in a conf.d. But apparently they went for root. :-( -
Claes Wallin (ιεθͺ ) (clackemovedtoheldscalla@quitter.se)'s status on Sunday, 12-Jun-2016 18:58:09 UTC
Claes Wallin (ιεθͺ )
@charlesrothmpc @schtobia Fully automated?
All Chirp! content and data are available under the