[mailop] Expires SSL cert for mailop

2018-09-12 Thread Matt Gilbert via mailop
Hey gang,

I was showing mailop to a new member of my team, and when I went to show them 
where to request signup to the list, I noticed that the SSL certificate has 
expired, which causes most (all?) current browsers to block the page loading. I 
figured you’d want to know.

> chilli.nosignal.org uses an invalid security certificate.
> The certificate expired on July 25, 2018, 7:59:59 PM GMT-4. The current time 
> is September 12, 2018, 9:21 AM.
> Error code: SEC_ERROR_EXPIRED_CERTIFICATE


Thanks,
Matt Gilbert
--
Deliverability Engineer | MailChimp
delivery.mailchimp.com


___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop


Re: [mailop] Expires SSL cert for mailop

2018-09-12 Thread Mike Hammett
Those errors have gotten so easy to ignore since you're going to have that 
whenever you access any piece of infrastructure. 

https://en.wikipedia.org/wiki/The_Boy_Who_Cried_Wolf 

Server side, though, Let's Encrypt and be done. 




-
Mike Hammett
Intelligent Computing Solutions
Midwest Internet Exchange
The Brothers WISP



Re: [mailop] Expires SSL cert for mailop

2018-09-12 Thread Daniel Hadfield
Perfect time to move to Let's Encrypt :D





Re: [mailop] Expires SSL cert for mailop

2018-10-25 Thread Doug Barton
Y'all might want to be aware that this issue is being discussed on the 
NANOG list. In the age of Let's Encrypt expired TLS certs are a really 
bad look.




Re: [mailop] Expires SSL cert for mailop

2018-10-25 Thread steve
http://chilli.nosignal.org won't be using any cert (:

October 26, 2018 4:58 PM, "Doug Barton" wrote:

> Y'all might want to be aware that this issue is being discussed on the NANOG
> list. In the age of Let's Encrypt expired TLS certs are a really bad look.


Re: [mailop] Expires SSL cert for mailop

2018-10-26 Thread Mike Hammett
HTTP is pointless in this case because it just redirects to HTTPS.






Re: [mailop] Expires SSL cert for mailop

2018-10-26 Thread Mark Milhollan
On Thu, 25 Oct 2018, Doug Barton wrote:

>In the age of Let's Encrypt expired TLS certs are a really bad look.

Let's Encrypt changes little, processes can break whether they are 
yearly, bi-yearly or monthly.  Granted you'd think there would be 
monitoring and then reasonably quick restoration.


/mark


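Mark's remark that one would expect monitoring and a quick restoration is the operational point of this thread. As an added example, not part of the thread and not code from any participant, here is the kind of expiry check a monitoring system runs against a TLS endpoint, written with only the Python standard library. The thresholds, the hostnames and the fixed "now" values in demo() are constructed; the dates mirror what Matt reported (notAfter 2018-07-25 23:59:59 UTC, noticed 2018-09-12 09:21 GMT-4).

```python
"""Certificate-expiry check of the kind a monitor runs on a schedule.

Added example, not code from the mailop thread. Standard library only.
Thresholds, hostnames and the sample dates in demo() are constructed.
"""
import socket
import ssl
import time

WARN_DAYS = 21   # constructed thresholds; pick what fits your renewal cadence
CRIT_DAYS = 7


def days_until_expiry(not_after, now=None):
    """Whole days from `now` until `not_after`; negative once it has expired.

    `not_after` is in the format ssl.getpeercert() returns, for example
    'Jul 25 23:59:59 2018 GMT'. `now` may be None (current time), epoch
    seconds, or a string in the same format (handy for fixed test points).
    """
    if now is None:
        now_ts = time.time()
    elif isinstance(now, str):
        now_ts = ssl.cert_time_to_seconds(now)
    else:
        now_ts = now
    remaining = ssl.cert_time_to_seconds(not_after) - now_ts
    return int(remaining // 86400)   # floor: anything already expired is negative


def classify(days_left):
    """Map days remaining to a monitor state."""
    if days_left < CRIT_DAYS:        # includes negative values: already expired
        return "CRITICAL"
    if days_left < WARN_DAYS:
        return "WARNING"
    return "OK"


def fetch_not_after(host, port=443, timeout=5.0):
    """Handshake with a verifying context and return the leaf's notAfter.

    Verification failures (an expired certificate among them) raise
    ssl.SSLCertVerificationError. Needs network access; demo() does not call it.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def check_host(host, port=443, now=None):
    """Return (state, message) for one endpoint."""
    try:
        not_after = fetch_not_after(host, port)
    except ssl.SSLCertVerificationError as exc:
        # The browser error quoted in the thread (SEC_ERROR_EXPIRED_CERTIFICATE)
        # is this path: the handshake never yields a trusted certificate, so
        # report it instead of disabling verification just to read the dates.
        return "CRITICAL", f"{host}:{port} verification failed: {exc.verify_message}"
    except (OSError, ssl.SSLError) as exc:
        return "UNKNOWN", f"{host}:{port} unreachable: {exc}"
    days = days_until_expiry(not_after, now)
    return classify(days), f"{host}:{port} {days} day(s) left, notAfter={not_after}"


def demo():
    """Offline run on constructed values mirroring the thread; returns results."""
    not_after = "Jul 25 23:59:59 2018 GMT"          # expiry reported in the thread
    results = {}
    for label, now in (("expired", "Sep 12 13:21:00 2018 GMT"),   # 09:21 GMT-4
                       ("healthy", "Jul 01 00:00:00 2018 GMT")):
        days = days_until_expiry(not_after, now)
        results[label] = (days, classify(days))
    return results


if __name__ == "__main__":
    for label, (days, state) in demo().items():
        print(f"{label}: {days} day(s) -> {state}")
    # Live check (network): print(check_host("lists.example.org"))
```

The check deliberately keeps verification on: a monitor that disables it to read the dates will happily report a green expiry on a certificate no browser accepts. Run it from cron against every name the list publishes and page on CRITICAL; with an automated renewal in place the WARNING state is the signal that the automation itself has broken.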

Re: [mailop] Expires SSL cert for mailop

2018-10-26 Thread Thomas Walter
Hey Mark,

On 26.10.18 17:34, Mark Milhollan wrote:
> Let's Encrypt changes little, processes can break whether they are 
> yearly, bi-yearly or monthly.  Granted you'd think there would be 
> monitoring and then reasonably quick restoration.

Let's Encrypt automates the whole process and in case that doesn't work
for whatever reason it sends you reminders by mail way before the
certificate finally expires.

If the main process and the backup reminder both fail, you are doing
something wrong ;).

Regards,
Thomas Walter

-- 
Thomas Walter
Datenverarbeitungszentrale

FH Münster
- University of Applied Sciences -
Corrensstr. 25, Raum B 112
48149 Münster

Tel: +49 251 83 64 908
Fax: +49 251 83 64 910
www.fh-muenster.de/dvz/



Re: [mailop] Expires SSL cert for mailop

2018-10-26 Thread Noel Butler
On 27/10/2018 04:40, Thomas Walter wrote:

> Hey Mark,
> 
> On 26.10.18 17:34, Mark Milhollan wrote: 
> 
>> Let's Encrypt changes little, processes can break whether they are 
>> yearly, bi-yearly or monthly.  Granted you'd think there would be 
>> monitoring and then reasonably quick restoration.
> 
> Let's Encrypt automates the whole process and in case that doesn't work
> for whatever reason it sends you reminders by mail way before the
> certificate finally expires.
> 
> If the main process and the backup reminder both fail, you are doing
> something wrong ;).
> 
> Regards,
> Thomas Walter

Problem with letsencrypt is their preferred and insisted "certbot" does not
run (easily at least) on all flavours.
I gave up with it on Slackware, which is what my servers run, tried using
Crypt::LE and voila, instant success. It was painless to use even for
(tested at least) renews, although it requires a working webserver, so
come time to replace my Comodos on my MXs, it will give me another
challenge :)

-- 
Kind Regards, 

Noel Butler 

This Email, including any attachments, may contain legally 
privileged
information, therefore remains confidential and subject to copyright
protected under international law. You may not disseminate, discuss, or
reveal, any part, to anyone, without the authors express written
authority to do so. If you are not the intended recipient, please notify
the sender then delete all copies of this message including attachments,
immediately. Confidentiality, copyright, and legal privilege are not
waived or lost by reason of the mistaken delivery of this message. Only
PDF [1] and ODF [2] documents accepted, please do not send proprietary
formatted documents 

 

Links:
--
[1] http://www.adobe.com/
[2] http://en.wikipedia.org/wiki/OpenDocument


Re: [mailop] Expires SSL cert for mailop

2018-10-26 Thread Dave Warren
On Fri, Oct 26, 2018, at 19:29, Noel Butler wrote:
> Problem with letsencrypt is their preferred and insisted " certbot "
> - does not run (easily at least) on all flavours..
> I gave up with it on slackware which is what my servers run, tried
> using Crypt::LE and voila instant success, it was painless to use even
> for (tested at least) renews, although it requires a working webserver
> so come time to replace my comodo's on my MX's, will give me another
> challenge :)
https://letsencrypt.org/docs/client-options/ does recommend starting with 
Certbot, but it certainly makes it clear that there are alternative options: 
"If certbot does not meet your needs, or you’d simply like to try something 
else, there are many more clients to choose from below"
You also don't need to generate your certificate on the same machine
that hosts the services using the certificates. It can either increase
or reduce complexity depending on the particulars of your environment,
but I generate most of my certificates centrally using DNS based
authorization and either push or pull the certificates based on what is
appropriate.
It is an imperfect world, and this definitely applies to Let's Encrypt's
documentation, but I've had good success building on top of what is
already out there to get a custom solution when I don't see a perfect
cookiecutter fix.



Re: [mailop] Expires SSL cert for mailop

2018-10-27 Thread Tylor Newman via mailop
Very well said, Dave.

I was going to send a more heated email about this last night, but refrained
from doing so. You explained my position in a much more elegant manner!

Like anything tech, Letsencrypt isn't perfect, but in this day and age of free
SSL certificates, there's little to no reason not to be using it.

Tylor Newman
Linux Systems Administrator
Email: tylo...@tylor.me


Re: [mailop] Expires SSL cert for mailop

2018-10-27 Thread Mike Hammett
None of this actually fixes the problem, though. Do we have the ear of the list 
admin? 

There are apparently other errors with reachability of the list admin address 
and such as well, per reports to me on NANOG. 






Re: [mailop] Expires SSL cert for mailop

2018-10-29 Thread Frands Bjerring Hansen
Noel, 

LE does not insist on certbot. They recommend it, and why wouldn't they? :) 

Use acme.sh instead if you are not able to adhere to the requirements of Certbot.
Acme.sh requires nothing but sh.

Also, it seems like you did not properly read about ways to address the
problems you mention. Instead of having a webserver you could do DNS
validation. Acme.sh already supports a ton of DNS implementations:
https://github.com/Neilpang/acme.sh/tree/master/dnsapi - and if yours is not
there, it's easy to write an implementation.

--
Frands Bjerring Hansen
Zitcom A/S - zitcom.dk







Re: [mailop] Expires SSL cert for mailop

2018-10-29 Thread Bill Cole

On 29 Oct 2018, at 5:44, Frands Bjerring Hansen wrote:

> Noel,
>
> LE does not insist on certbot. They recommend it, and why wouldn't
> they? :)
>
> Use acme.sh instead if you are not able to adhere to the requirements of
> Certbot. Acme.sh requires nothing but sh.
>
> Also, it seems like you did not properly read about ways to address
> the problems you mention. Instead of having a webserver you could do
> DNS validation. Acme.sh already supports a ton of DNS
> implementations: https://github.com/Neilpang/acme.sh/tree/master/dnsapi
> - and if yours is not there, it's easy to write an implementation.


+1 for acme.sh.

I use acme.sh (with the nsupdate module for validation) and it has been 
flawless and simple to set up and use. Having been specifically tasked 
with setting up Certbot for others, I cannot understand why anyone would 
choose Certbot over acme.sh.




Re: [mailop] Expires SSL cert for mailop

2018-10-29 Thread Jim Popovitch via mailop

On Mon, 2018-10-29 at 09:52 -0400, Bill Cole wrote:
> +1 for acme.sh.
> 
> I use acme.sh (with the nsupdate module for validation) and it has
> been flawless and simple to set up and use. Having been specifically
> tasked with setting up Certbot for others, I cannot understand why
> anyone would  choose Certbot over acme.sh.
> 

You allow nsupdate from your cgi/php/java enabled webserver(s)?  

-Jim P.





Re: [mailop] Expires SSL cert for mailop

2018-10-29 Thread Dave Brockman
On 10/29/2018 10:40 AM, Jim Popovitch via mailop wrote:
> You allow nsupdate from your cgi/php/java enabled webserver(s)?  
> 
> -Jim P.

No, the whole point of using acme.sh and the nsupdate module is to avoid
running a web server.  You can also run LE with a webserver that doesn't
support cgi, php, or java, it only has to serve up a static directory.

Cheers,

--dtb





Re: [mailop] Expires SSL cert for mailop

2018-10-29 Thread Jim Popovitch via mailop
On Mon, 2018-10-29 at 11:31 -0400, Dave Brockman wrote:
> On 10/29/2018 10:40 AM, Jim Popovitch via mailop wrote:
> > You allow nsupdate from your cgi/php/java enabled webserver(s)?  
> > 
> > -Jim P.
> 
> No, the whole point of using acme.sh and the nsupdate module is to
> avoid running a web server.  You can also run LE with a webserver that
> doesn't support cgi, php, or java, it only has to serve up a static
> directory.

Obviously.  My point being that it's saner to run a tightened webserver
on a host using certbot than it is to run acme.sh and nsupdate on a full
feature webserver.

-Jim P.



Re: [mailop] Expires SSL cert for mailop

2018-10-29 Thread Dave Brockman
On 10/29/2018 11:48 AM, Jim Popovitch via mailop wrote:
> On Mon, 2018-10-29 at 11:31 -0400, Dave Brockman wrote:
>> On 10/29/2018 10:40 AM, Jim Popovitch via mailop wrote:
>>> You allow nsupdate from your cgi/php/java enabled webserver(s)?  
>>>
>>> -Jim P.
>>
>> No, the whole point of using acme.sh and the nsupdate module is to
>> avoid running a web server.  You can also run LE with a webserver that
>> doesn't support cgi, php, or java, it only has to serve up a static
>> directory.
> 
> Obviously.  My point being that it's saner to run a tightened webserver
> on a host using certbot than it is to run acme.sh and nsupdate on a full
> feature webserver.

I personally find nothing sane about certbot.  There are easier, more
lightweight, and auditable solutions available.

Personal preferences aside, is there any assistance I can offer to get a
valid certificate installed at chilli.nosignal.org?

Cheers,

--dtb






Re: [mailop] Expires SSL cert for mailop

2018-10-29 Thread Bill Cole

On 29 Oct 2018, at 10:40, Jim Popovitch via mailop wrote:

> You allow nsupdate from your cgi/php/java enabled webserver(s)?

My **what?*** Are you high? Do you mean to be insulting???

But no, I don't run anything on my webserver that modifies its own DNS. 
Although I would be vulnerable in theory to something on that machine 
doing a specific update via the right RFC1918 interface using the right 
hmac-sha512 key after installing nsupdate, guessing or stealing the key 
from a substantially more hardened machine, and figuring out which 
RFC1918 interface on which nameserver allows updates. At which point all 
the attacker could do would be to add or remove a TXT record for a label 
that is only used for ACME validation.


So no, I do not use the sort of simplistic security that causes BIND to 
whine every time it loads its config and despite my longtime nickname, I 
am not a total clown.


--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Available For Hire: https://linkedin.com/in/billcole


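Frands' suggestion of DNS validation and Bill's description of what a leaked update key could and could not do (add or remove a TXT record at a label used only for ACME) both turn on the same mechanics. As an added example, not code from the thread, from acme.sh or from Let's Encrypt, the following Python computes the dns-01 response per RFC 8555 section 8.4 (key authorization = token "." RFC 7638 thumbprint of the account key; the TXT value is the base64url SHA-256 of that string), emits the text one would pipe into nsupdate -k to publish and later delete it, and emits the matching BIND9 update-policy grant that confines the TSIG key to TXT records at the _acme-challenge label. The token, the account key JWK (its modulus is a placeholder, not a real key), the zone, name server and key name are constructed.

```python
"""ACME dns-01 response plus the nsupdate script and BIND grant that go with it.

Added example, not code from the thread, from acme.sh or from Let's Encrypt.
Standard library only. Follows RFC 8555 section 8.4 (dns-01) and RFC 7638
(JWK thumbprint). Token, account key JWK, zone, name server and TSIG key
name are constructed placeholders.
"""
import base64
import hashlib
import json

B64URL_ALPHABET = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_")


def b64url(data):
    """Base64url without '=' padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk):
    """RFC 7638: SHA-256 over the required public members only, keys sorted,
    no whitespace. Optional members such as 'kid' or 'alg' must be left out."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = required[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token, account_jwk):
    """RFC 8555 section 8.1: token '.' thumbprint of the account key."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_txt_value(token, account_jwk):
    """What the CA expects in the TXT record: base64url(SHA-256(keyAuthorization))."""
    digest = hashlib.sha256(
        key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


def challenge_name(fqdn):
    """The validation label; nothing else should live at this name."""
    return f"_acme-challenge.{fqdn.rstrip('.')}."


def nsupdate_script(server, zone, fqdn, txt_value, action="add", ttl=60):
    """Text to feed `nsupdate -k <tsig-key-file>`: publish before the challenge
    is triggered, delete after validation so stale values do not pile up."""
    if action not in ("add", "delete"):
        raise ValueError(f"unknown action {action!r}")
    name = challenge_name(fqdn)
    lines = [f"server {server}", f"zone {zone.rstrip('.')}."]
    if action == "add":
        lines.append(f'update add {name} {ttl} IN TXT "{txt_value}"')
    else:
        lines.append(f"update delete {name} IN TXT")
    lines.append("send")
    return "\n".join(lines) + "\n"


def bind_update_policy(key_name, fqdn):
    """One BIND9 update-policy rule limiting the TSIG key to TXT records at the
    challenge label, so a stolen key cannot touch MX, A or any other records."""
    return f"grant {key_name.rstrip('.')}. name {challenge_name(fqdn)} TXT;"


if __name__ == "__main__":
    # Constructed account key: the modulus is a placeholder, not a real RSA key.
    account_jwk = {"kty": "RSA", "e": "AQAB", "n": "placeholder-modulus", "kid": "acct-1"}
    token = "constructed-token-from-the-challenge-object"
    value = dns01_txt_value(token, account_jwk)
    print(nsupdate_script("ns1.example.net", "example.org", "lists.example.org", value))
    print(bind_update_policy("acme-key", "lists.example.org"))
```

The grant line is the part that makes Bill's threat model hold: the key that the renewal host carries can write exactly one TXT name and nothing else. Delegating _acme-challenge.lists.example.org by CNAME into a separate zone that only accepts updates with that key narrows it further, since the production zone then needs no dynamic updates at all.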

Re: [mailop] Expires SSL cert for mailop

2018-10-29 Thread Jim Popovitch via mailop
On Mon, 2018-10-29 at 12:32 -0400, Bill Cole wrote:
> On 29 Oct 2018, at 10:40, Jim Popovitch via mailop wrote:
> 
> > You allow nsupdate from your cgi/php/java enabled webserver(s)?
> 
> My **what?*** Are you high? Do you mean to be insulting???

Of course not.  I only asked a simple question.  You plus-one'd a
solution in a thread about using LE for a website.

> 
> But no, I don't run anything on my webserver that modifies its own
> DNS. 

Ok, thanks.  It seemed like you were recommending acme.sh + nsupdate for
https://chilli.nosignal.org/


-Jim P.

N.B. please don't CC me, I'm subscribed to the list.



Re: [mailop] Expires SSL cert for mailop

2018-10-29 Thread Bill Cole
On 29 Oct 2018, at 12:41, Jim Popovitch via mailop wrote:

> N.B. please don't CC me, I'm subscribed to the list.

I normally wouldn't, but your posts all have this header:

   Reply-To: Jim Popovitch 

Perhaps that's being added by Mailman for some reason...



Re: [mailop] Expires SSL cert for mailop

2018-10-29 Thread Jim Popovitch via mailop
On Mon, 2018-10-29 at 13:18 -0400, Bill Cole wrote:
> On 29 Oct 2018, at 12:41, Jim Popovitch via mailop wrote:
> 
> > N.B. please don't CC me, I'm subscribed to the list.
> 
> I normally wouldn't, but your posts all have this header:
> 
>    Reply-To: Jim Popovitch 
> 
> Perhaps that's being added by Mailman for some reason...

Ahh, you are correct.  Mailman populates Reply-To when it munges a post
from a DMARC enabled domain.  IIRC this was done to preserve the
original address in a form that would make it to most end-user MUAs.

-Jim P.


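Jim's explanation of why his posts carry a Reply-To (Mailman rewrites posts from domains with an enforcing DMARC policy and keeps the original author reachable that way) is what produces the "Matt Gilbert via mailop" and "Jim Popovitch via mailop" display names on this page. As an added example, not Mailman's code and not from any participant, the following Python shows that behaviour end to end with the standard library email package: parse the author's _dmarc TXT record, decide whether p= asks receivers to quarantine or reject, and if so move the author into Reply-To while putting the list in From. The TXT record and the post are constructed inline so it runs offline; a list manager would fetch the record from DNS. The list name and addresses are placeholders.

```python
"""From-munging for posts from DMARC-enforcing domains, as a list manager does.

Added example illustrating the behaviour described in the thread; it is not
Mailman's code. The _dmarc TXT record and the post are constructed inline so
the example runs offline. List name and addresses are placeholders.
"""
from email.message import EmailMessage
from email.utils import formataddr, getaddresses, parseaddr


def parse_dmarc_record(txt):
    """Split 'v=DMARC1; p=reject; rua=...' into a lower-cased tag -> value map."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            tag, value = part.split("=", 1)
            tags[tag.strip().lower()] = value.strip()
    return tags


def dmarc_requests_action(txt):
    """True when the author's domain asks receivers to quarantine or reject.

    p=none only requests reports, so such posts can pass through unmodified.
    A complete implementation also falls back to the organizational domain's
    record and honours sp= for subdomains; that DNS walk is omitted here.
    """
    tags = parse_dmarc_record(txt)
    return (tags.get("v", "").upper() == "DMARC1"
            and tags.get("p", "none").lower() in ("quarantine", "reject"))


def build_post(author, subject, body):
    """Constructed incoming post, as the list would receive it."""
    msg = EmailMessage()
    msg["From"] = author
    msg["To"] = "mailop@mailop.org"   # placeholder list address
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def munge_from(msg, list_name, list_addr, author_dmarc_txt):
    """Rewrite From: to the list when the author's DMARC policy would otherwise
    make the relayed post fail at receivers, and keep the author in Reply-To.

    'Name via list' is the display form this thread's archive shows.
    """
    if not dmarc_requests_action(author_dmarc_txt):
        return msg
    name, addr = parseaddr(msg["From"])
    display = name or addr.split("@", 1)[0]
    # Preserve any Reply-To the author set, then add the author to it.
    reply_to = getaddresses(msg.get_all("Reply-To", []))
    if (name, addr) not in reply_to:
        reply_to.append((name, addr))
    del msg["From"]        # single-value headers must be deleted before re-setting
    del msg["Reply-To"]
    msg["From"] = formataddr((f"{display} via {list_name}", list_addr))
    msg["Reply-To"] = ", ".join(formataddr(pair) for pair in reply_to)
    return msg


if __name__ == "__main__":
    post = build_post("Jim Popovitch <jim@example.com>", "Re: test", "hello")
    # Constructed record for the author's domain.
    munged = munge_from(post, "mailop", "mailop@mailop.org",
                        "v=DMARC1; p=reject; rua=mailto:dmarc@example.com")
    print(munged["From"])
    print(munged["Reply-To"])
```

The side effect Bill ran into follows directly: a reader whose client honours Reply-To ends up addressing the author as well as the list, which is why the "via" rewrite is usually paired with the list's own reply-to setting rather than left to individual clients.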

Re: [mailop] Expires SSL cert for mailop

2018-10-29 Thread Noel Butler
On 29/10/2018 19:44, Frands Bjerring Hansen wrote:

> Noel, 
> 
> LE does not insist on certbot. They recommend it, and why wouldn't they? :) 
> 
> Use acme.sh instead if you are not able adhere to the requirements of 
> Certbot. Acme.sh requires nothing but sh.
> 
> Also, it seems like you did not properly read about ways to address the 
> problems you mention. Instead of having a webserver you could do DNS 
> validation. Acme.sh already supports a ton of DNS implementations: 
> https://github.com/Neilpang/acme.sh/tree/master/dnsapi - and if yours is
> not there, it's easy to write an implementation.

I will look into acme.sh for the MXs as I see it has an nsupdate
method. MX certs don't expire for 2 months so I have plenty of time; the few
websites that use SSL, though, started expiring a few days ago, so they
were more time critical to sort out last week. After giving up on
certbot and trying Crypt::LE (since I know Perl) it did what we needed
easily right away; it took all of 5 mins to write the automation
processes and test them.

I just wish LE had better docs.. oh well... one day maybe...

-- 
Kind Regards, 

Noel Butler 



Re: [mailop] Expires SSL cert for mailop

2018-10-29 Thread Noel Butler
On 30/10/2018 03:18, Bill Cole wrote:

> On 29 Oct 2018, at 12:41, Jim Popovitch via mailop wrote:
> 
>> N.B. please don't CC me, I'm subscribed to the list.
> 
> I normally wouldn't, but your posts all have this header:
> 
> Reply-To: Jim Popovitch 
> 
> Perhaps that's being added by Mailman for some reason...

Nope, Jim is forcing that, not Mailman. I just use reply-to-all, which
Roundcube sees as reply-to-list, and it only replies to the list (in all but
some unusual cases).

-- 
Kind Regards, 

Noel Butler 



Re: [mailop] Expires SSL cert for mailop

2018-10-29 Thread Noel Butler
On 30/10/2018 09:29, Noel Butler wrote:

> On 30/10/2018 03:18, Bill Cole wrote:
>
>> On 29 Oct 2018, at 12:41, Jim Popovitch via mailop wrote:
>>
>>> N.B. please don't CC me, I'm subscribed to the list.
>>
>> I normally wouldn't, but your posts all have this header:
>>
>>    Reply-To: Jim Popovitch
>>
>> Perhaps that's being added by Mailman for some reason...
>
> Nope, Jim is forcing that, not mailman, I just use reply to all which
> roundcube sees it as reply to list, and only replies to list (in all but
> some unusual cases)

scratch that.. my knowledge of mailman is a bit out-dated :) 

-- 
Kind Regards, 

Noel Butler 
