Tomasz Torcz via FreeIPA-users wrote:
> On Thu, Jul 25, 2024 at 04:35:19PM -0400, Rob Crittenden via FreeIPA-users 
> wrote:
>> I'm glad to hear you're up and running again.
>>
>> Note that LE frowns extremely hard at the way we hardcode the
>> intermediates and have told us that this will break again eventually.
>>
>> So keep this in the back of your mind.
> 
> So… why hardcode the intermediates instead of main CA?
> 

Because TLS is hard and we try to make it easier for people. This
involves validating chains on import to guarantee the whole thing is
available. It's a choice we may have to revisit but so, so many people
don't understand TLS at all, or want to, and just want things to work.

Also note that this script is effectively unsupported. It was
open-sourced because that's what we do, but it was made for our demo
site to keep the cert valid. Unless that breaks we tend not to spend a
lot of time on the script.

I've been trying to be more reactive to questions and issues and by
"more" I mean at all and that is often weeks later. It's not something
to be proud of but it is what it is.

rob
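
The "validate the chain on import" check described above, as an added example that is not the FreeIPA project's script and not code from anyone in this thread. It builds a throwaway root, intermediate and leaf with openssl (all subjects, file names and the hostname are constructed placeholders) and then checks whether a leaf plus a supplied chain file actually verifies up to the trusted root. The second call shows the failure mode the question touches on: shipping the root CA in the chain file does not help when the intermediate is missing, because the root is already trusted and the gap is between the leaf and the root.

```shell
#!/bin/sh
# Added example (not from the FreeIPA project or this thread): build a
# constructed root -> intermediate -> leaf chain and check chain completeness
# the way an importer should, before accepting a certificate and chain file.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Throwaway self-signed root CA (placeholder subject, valid for two days).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
  -subj "/CN=Example Test Root" \
  -keyout root.key -out root.pem >/dev/null 2>&1

# Intermediate CA, signed by the root, with CA:TRUE so it can issue leaves.
cat > inter.ext <<'EOF'
basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
EOF
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=Example Test Intermediate" \
  -keyout inter.key -out inter.csr >/dev/null 2>&1
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 2 -sha256 -extfile inter.ext -out inter.pem >/dev/null 2>&1

# End-entity (server) certificate, signed by the intermediate. The hostname
# is a constructed placeholder.
cat > leaf.ext <<'EOF'
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:ipa.example.test
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
EOF
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=ipa.example.test" \
  -keyout leaf.key -out leaf.csr >/dev/null 2>&1
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -days 2 -sha256 -extfile leaf.ext -out leaf.pem >/dev/null 2>&1

# chain_complete LEAF CHAINFILE
# Returns 0 only if LEAF verifies up to the trusted root (root.pem) using
# nothing but the certificates in CHAINFILE as untrusted intermediates.
# This is the check an importer wants: "is everything needed to build the
# path actually present in what I was handed?"
chain_complete() {
  openssl verify -CAfile root.pem -untrusted "$2" "$1" >/dev/null 2>&1
}

# Correct chain file: contains the intermediate, so the path closes.
if chain_complete leaf.pem inter.pem; then
  echo "leaf + intermediate: chain complete"
fi

# Common mistake: chain file holds only the root. The root is already
# trusted, so this adds nothing and the missing intermediate breaks the path.
if chain_complete leaf.pem root.pem; then
  echo "leaf + root only: unexpectedly verified"
else
  echo "leaf + root only: chain incomplete (intermediate missing)"
fi
```

Run it as-is; it needs only the openssl command-line tool and cleans up its temporary directory on exit. The same `openssl verify -CAfile ROOT -untrusted CHAIN LEAF` call is a reasonable pre-flight before handing a renewed certificate and chain to any server, regardless of which CA issued it.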

-- 
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue