A quick note to thank you, Karl, for your always good inputs; let me read through and see what actions I can take.

Paolo


On 4/5/22 13:32, Karl O. Pinc wrote:
Hi Paolo,

On Wed, 4 May 2022 01:25:23 -0300
Paolo Lucente <pa...@pmacct.net> wrote:

Somehow I can't reproduce the problem, both pmacct.net and
www.pmacct.net do actually work for me no problem (http of course,
i.e. not https, well no https is advertised out nor does it work).

Can you please qualify the issue better (here or by unicast email)?

I'm using Mozilla Firefox 91.8.0esr on Debian bullseye (v11.3).

Some browsers of late (I think Firefox, at least
in private windows, and maybe other browsers) use
https by default.  So, it's an https problem.  Just typing
"pmacct.net" resulted in a "can't connect" type of message.

https://blog.mozilla.org/security/2021/08/10/firefox-91-introduces-https-by-default-in-private-browsing/

According to the above, this should not be a problem.
But my ISP sucks; DNS resolution is slow.  So there's
probably a race condition.  One that does not affect
very many people.



Should you decide to use HTTPS, here's my certbot command
(for the Debian certbot package which uses the free letsencrypt.org
service):

certbot certonly --webroot \
                  --webroot-path /var/www/webserver \
                  --domains foo.example.com,bar.example.com,... \
                  --renew-with-new-domains

I prefer not to let certbot frob the webserver configs.  So you'll
then need to add the cert files found in
/etc/letsencrypt/live/<certname>/ to the TLS configs for your
webserver.  (See /etc/letsencrypt/live/README.)

The Debian certbot package comes with a systemd timer to renew
the certs.  (And a systemd service.)  They probably come
enabled out of the box but check with "systemctl status ...".

As an FYI, the way certbot issuance/renewal works is that first a cookie
is obtained and dropped into the http document root.  When the
letsencrypt server verifies the cookie using http, it knows that you
run the website and then issues you a cert.

See also:

https://blog.chromium.org/2021/03/a-safer-default-for-navigation-https.html

FWIW, using HTTPS is supposed to get you a better Google ranking.

Regards,

Karl <k...@karlpinc.com>
Free Software:  "You don't pay back, you pay forward."
                  -- Robert A. Heinlein

P.S.  If you want to use the certbot web cert to secure your
SMTP traffic I have a hook I can send you that works with postfix.
You'll have to frob it to get the certs onto your secondary MX.

_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
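
The "cookie" exchange Karl describes is ACME's HTTP-01 challenge (RFC 8555). The following is an added example, not part of the thread or of certbot: it simulates both sides on localhost, and the account key, token, and function names are constructed for illustration.

```python
import base64, functools, hashlib, http.server, json, pathlib
import tempfile, threading, urllib.request

CHALLENGE_DIR = ".well-known/acme-challenge"   # fixed path from RFC 8555

def key_authorization(token, account_jwk):
    """token + "." + base64url(SHA-256 thumbprint of the account key, RFC 7638)."""
    required = {k: account_jwk[k] for k in ("e", "kty", "n")}
    canon = json.dumps(required, sort_keys=True, separators=(",", ":")).encode()
    digest = hashlib.sha256(canon).digest()
    return token + "." + base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def client_provision(webroot, token, account_jwk):
    """Client side: the file a --webroot run drops under the document root."""
    d = pathlib.Path(webroot, CHALLENGE_DIR)
    d.mkdir(parents=True, exist_ok=True)
    (d / token).write_text(key_authorization(token, account_jwk))

def ca_validate(host_port, token, account_jwk):
    """CA side: fetch the file over plain HTTP and compare with the expected value."""
    url = f"http://{host_port}/{CHALLENGE_DIR}/{token}"
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(url, timeout=5) as resp:
            body = resp.read().decode().strip()
    except OSError:            # 404, refused connection, timeout
        return False
    return body == key_authorization(token, account_jwk)

def demo():
    # Constructed sample values: not a real account key or a CA-issued token.
    jwk = {"kty": "RSA", "e": "AQAB", "n": "constructed-sample-modulus"}
    other_jwk = dict(jwk, n="different-constructed-modulus")
    token = "constructed-sample-token"
    with tempfile.TemporaryDirectory() as webroot:
        handler = functools.partial(http.server.SimpleHTTPRequestHandler,
                                    directory=webroot)
        srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        addr = "127.0.0.1:%d" % srv.server_address[1]
        try:
            before = ca_validate(addr, token, jwk)       # nothing published yet
            client_provision(webroot, token, jwk)
            after = ca_validate(addr, token, jwk)        # file matches the key
            wrong = ca_validate(addr, token, other_jwk)  # other account's key
        finally:
            srv.shutdown()
            srv.server_close()
    return before, after, wrong

if __name__ == "__main__":
    print(demo())
```

Because validation happens over port 80, the web server has to keep serving that path over plain HTTP even after HTTPS is enabled, or renewals will fail.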
