
posted by martyb on Thursday March 14 2019, @02:30PM
from the certs-are-not-just-a-breath-mint dept.

With many thanks to The Mighty Buzzard riding shotgun and helping me through some misunderstandings, I updated the certificates (certs) for all of SoylentNews' domains. Our certs are now good through: Wednesday, June 12, 2019.

Everything seemed to go as expected. If you experience any issues, please mention them here, or pop onto our IRC channel using your favorite client or the web interface and speak up in the #dev or #Soylent channel.


  • (Score: 3, Informative) by isostatic on Thursday March 14 2019, @08:32PM (3 children)

    by isostatic (365) on Thursday March 14 2019, @08:32PM (#814433) Journal

    Looks like they moved to wildcard certs for

    DNS Name: *.soylentnews.org
    DNS Name: *.sylnt.us
    DNS Name: soylentnews.org
    DNS Name: sylnt.us

    last July.

    However, before then there were 17 certs with Let's Encrypt:
    chat.soylentnews.org
    chat.sylnt.us
    dev.soylentnews.org
    irc1.sylnt.us
    irc2.sylnt.us
    irc-logs.soylentnews.org
    irc.soylentnews.org
    irc-stats.soylentnews.org
    irc.sylnt.us
    lists.soylentnews.org
    logs.sylnt.us
    mail.soylentnews.org
    postfixadmin.soylentnews.org
    stats.sylnt.us
    vm.soylentnews.org
    webmail.soylentnews.org
    wiki.soylentnews.org

    There was also a cert for www.soylentnews.org with Gandi, but that expired last June. Go back to 2015 and there was also "chillax.soylentnews.org", which had a Startcom cert (I think they were free -- they were/are a Chinese CA that got into some wrongdoing a couple of years ago).

    All of those appear to host pages on port 80, so I'm interested in the reason to not use /.well-known/acme-challenge authentication, with a weekly renewal cronjob running. Avoid spreading a wildcard cert/key so far and wide, and have nothing manual to do.

  • (Score: 2) by NewNic on Thursday March 14 2019, @08:52PM

    by NewNic (6420) on Thursday March 14 2019, @08:52PM (#814451) Journal

    Exactly.

    It's very easy to have multiple names in a certificate with Let's Encrypt.

    --
    lib·er·tar·i·an·ism ˌlibərˈterēənizəm/ noun: Magical thinking that useful idiots mistake for serious political theory
  • (Score: 2) by The Mighty Buzzard on Thursday March 14 2019, @09:34PM (1 child)

    by The Mighty Buzzard (18) Subscriber Badge <themightybuzzard@proton.me> on Thursday March 14 2019, @09:34PM (#814495) Homepage Journal

    You can't use http challenges for wildcard certs, must be dns-01.

    --
    My rights don't end where your fear begins.
    • (Score: 2) by isostatic on Friday March 15 2019, @04:35PM

      by isostatic (365) on Friday March 15 2019, @04:35PM (#814862) Journal

      Which goes back to the question of why use a wildcard cert
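
An added example, not part of the original comments and not code from SoylentNews or any ACME client: it checks which of the four names on the wildcard certificate covers each of the 17 hostnames listed in the thread (a `*` matches exactly one leftmost label), and shows that only the wildcard names are restricted to dns-01. All function names are hypothetical.

```python
# Added illustration; helper names are hypothetical, hostnames are the ones quoted in the thread.

WILDCARD_SANS = ["*.soylentnews.org", "*.sylnt.us", "soylentnews.org", "sylnt.us"]

# The 17 hostnames the thread lists as previously having individual certificates.
OLD_HOSTS = [
    "chat.soylentnews.org", "chat.sylnt.us", "dev.soylentnews.org",
    "irc1.sylnt.us", "irc2.sylnt.us", "irc-logs.soylentnews.org",
    "irc.soylentnews.org", "irc-stats.soylentnews.org", "irc.sylnt.us",
    "lists.soylentnews.org", "logs.sylnt.us", "mail.soylentnews.org",
    "postfixadmin.soylentnews.org", "stats.sylnt.us", "vm.soylentnews.org",
    "webmail.soylentnews.org", "wiki.soylentnews.org",
]


def san_matches(san, host):
    """RFC 6125-style match: '*' stands for exactly one leftmost DNS label."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if not san.startswith("*."):
        return san == host
    head, _, tail = host.partition(".")
    # The wildcard never matches the bare parent domain or a deeper subdomain.
    return bool(head) and tail == san[2:]


def covering_san(host, sans=WILDCARD_SANS):
    """Return the first certificate name that covers host, or None."""
    return next((s for s in sans if san_matches(s, host)), None)


def allowed_challenges(identifier):
    """ACME challenge types Let's Encrypt accepts for one identifier."""
    if identifier.startswith("*."):
        return ["dns-01"]  # wildcard names can only be validated over DNS
    return ["http-01", "dns-01", "tls-alpn-01"]


def per_host_plan(hosts):
    """Per-host alternative from the thread: each name validated on its own."""
    return {h: allowed_challenges(h) for h in hosts}


if __name__ == "__main__":
    for h in OLD_HOSTS:
        print(f"{h:30} covered by {covering_san(h)}")
    for s in WILDCARD_SANS:
        print(f"{s:30} challenges: {', '.join(allowed_challenges(s))}")
```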