βquitter.no uses an invalid security certificate. The certificate expired on 04.06.2016 02:23. The current time is 04.06.2016 03:29. Error code: SEC_ERROR_EXPIRED_CERTIFICATEβ
@benediktg well, "let's encrypt"! π (IMHO, an SSL stack that is dependent on an external tool, that's just plain wrong for me. Good thing @vinzv has gone for RapidSSL for !gnusocialde .)
@rugk I don't want an additional client at all, since there already *is* a client for managing CSRs and X509 - it's called OpenSSL. Everything else is redundant. (And if you're concerned about OpenSSL, there are two possibilities: Fixing the bugs or switching to LibreSSL. There's simply no *point* in developing an alternative client if you don't trust your SSL lib, since it *will* have access to your key.)
@clacke I do automation for a living, so believe me when I say: Automation fails. At the wrong time. In the worst possible way. (I'm currently 10.000 km away from home because of that.) The smaller the things are that you can do manually, the bigger your problem will be. (which is why letsencrypt.sh is worth a look) @rugk
@clacke yup, that's why @rugkΒ convinced me that a short lifetime is actually a good thing to get your stuff together. But it's one thing to have assistance as letsencrypt.sh does, or doing the full blown automatic stuff. The first one assists you, the second one puts you under tutelage. And then blows up spectacularly.
@clacke Again, there's a difference between assisting and patronizing. If you want to automate ALL the things, why not voting? You have the polls, you known within a certain margin who's gonna be elected, so why not automatize the process? Would be much for error-proof?
The same goes for SSL. Not everything that's doable should also be done. And messing with my nginx.conf or my certs is *my* business alone. (Also, this client doesn't need root. This is just a fancy wrapper for openssl and curl, this really, really, really doesn't need root privileges.) @rugk
@clacke oh no, not at all. I think "Let's Encrypt" is doing a wonderful job by lowering the process costs of cert renewal. I'm simply stating that just because you *can* automate the process completely, this doesn't mean that you *should* do it. Crucial parts of any process have to remain within manual overlook - and verifying identities is IMHO verify crucial.
So we disagree on two terms: - No, I don't think full 100% automation of /any process/ is doable on a larger scale for an extended period of time, since you will sometimes fail, and then fail big time.Β Which is not a problem if you talk about log files, but a very big problem if you talk about certs. Risk is potential damage multiplied with probability of occurrence. (the latter being alwaysΒ β zero) - No I don't think this is a good idea, even unrelated to the feasability. Because of the missing manual oversight.
And that's why "Let's encrypt" only became interesting to me after looking into letsencrypt.sh . Which doesn't need root.Β @rugk