On 2021-05-13 13:05, Andreas Fink wrote:
> Jeroen Massar wrote on 13.05.21 10:46:
> > On 2021-05-13 11:29, Andreas Fink wrote:
> > > Hello all,
> > >
> > > I need to get some SSL certificates for some African country operations
> > > and I can unfortunately not use Let's Encrypt for this.
> >
> > Any reason? What are your requirements?
>
> The mailserver I use does not support ACME setup. I can only do old
> style SSL certificate requests.
> For the webserver it's not an issue though.

You could get the certs from LE/ZeroSSL every 90 days and replace them by hand.... does not scale, but works ;)

But there are thousands of CAs, just check the list.

> > Would ZeroSSL (https://zerossl.com) who also do ACME work?
>
> No. ACME is the issue. And ZeroSSL is hosted in the US on Cloudflare
> with a Cloudflare SSL certificate. So by definition not DSGVO-conformant, as
> the NSA could theoretically infiltrate Cloudflare to infiltrate all my certs
> etc. etc. It might be far fetched, but since Snowden we know that many
> things we considered far far far fetched are not anymore.

You have the private key and that does not leave the box unless you do that, thus unless there is some crypto that is broken, they can't do much with that. If they have broken crypto some way, then it applies to everything and we are generally screwed. I am not aware of such a thing at this point in time.

All certs are logged in Certificate Transparency (see for instance https://ct.cloudflare.com/), thus the source should not matter.

The US unfortunately is where most corporations & monopolies are based; companies in the rest of the world fall under bilateral exchange laws.

Thus if one is afraid of the US, it is game over; one will have to disconnect from this Internet thing, as their influence (code/hardware/legal/people) is everywhere.

For me at least that is not a threat; your model might include it, it seems.

You more have to be afraid of the Googles of the world, considering they control the browser trust store:
 https://thehackernews.com/2017/07/chrome-certificate-authority.html
as a quick random example...

> > (yes people, Let's Encrypt is not the only game... if you do ACME for
> > your systems, also set up ZeroSSL and issue certs from both places at
> > the same time, just in case LE ever has an issue, though that will be
> > resolved rather quickly with 72% market share (https://ct.cloudflare.com)
>
> Cloudflare's jurisdiction is definitely a red flag for me.

As above, I'll give a little link:
 https://www.coe.int/en/web/criminal-law-coop/bilateral-cooperation

US law is enforced everywhere; we (.ch) fortunately/hopefully have judges that protect from overreach though.

> > > I was trying to
> > > get a certificate from SwissSign for this, but for some reason they refuse
> > > issuing certificates to domains for Guinea and Guinea-Bissau
> >
> > Do you need org validated or something that the country matters?
>
> No. I simply need the domain to be in that country.
> The holder of the domain can be myself in Switzerland or one of the
> entities in Africa which is not on the blacklist (which is actually what
> I tried). SwissSign put the certificate under embargo because the domain
> ending contained .gw and .com.gn. That's all.
> And I don't want to buy a domain for every mailserver separately, that's
> why I want a multidomain certificate. As it has to be renewed every
> year, it's painful enough already.

Sounds like upgrading software or fronting it with a proxy is the way to go, as then you can do like the rest of the world (well 72%): LE....

An alternative option would be to use DANE/TLSA, then you can provide a self-signed certificate. Watch out with setting up MTA-STS in that case though.

At that point though, you already have new software that should be able to handle ACME certificates (read: being able to reconfigure the SSL cert in a scripted manner).

Greets,
 Jeroen

PS: Don't hesitate to provide details of the setup off-list and we can see what we can do if you want to go the LE route.


_______________________________________________
swinog mailing list
swinog@lists.swinog.ch
http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog