-
Sapotaceae
expat update is in fedora updates-testing for f34 and f35
-
Sapotaceae
dnf update --refresh --enablerepo=updates-testing expat *xml*
-
Licaon_Kter
Wow https://social.tchncs.de/@trashserver/107836342028385529
-
Martin
> Establishing a secure connection from mdosch.de to muc.poez.io failed. Certificate hash: 0206e623a7a8b86bdc6be15f3fd481ac5903a4b387f0c390dc47aac228688d48. Error with certificate 0: certificate has expired.
-
Maranda
👮👮👮
-
Maranda
Our friendly neighbor cert officer
-
Martin
😁
-
Martin
Just put all your xmpp services on o.j.n and I have a quiet time. 😃
-
mimi89999
croax, Licaon_Kter: You can use the `validationmethods` CAA parameter to limit allowed validation methods
-
mimi89999
Example `letsencrypt.org; validationmethods=dns-01`
-
Licaon_Kter
List of all methods?
-
mimi89999
> List of all methods? Licaon_Kter: what do you mean? What are the allowed methods?
-
Licaon_Kter
Yes...so dns-01 and?
-
croax
Licaon_Kter: seems like RFC only defines issue, issuewild, iodef https://www.rfc-editor.org/rfc/rfc8659.html There's an extension for this only param in https://datatracker.ietf.org/doc/html/rfc8657#section-4
-
croax
Which refers to existing methods https://datatracker.ietf.org/doc/html/rfc8555#section-9.7.8 : http-01 | dns ; dns-01 | dns ; tls-sni-01 | RESERVED ; tls-sni-02 | RESERVED
-
mimi89999
Licaon_Kter: `http-01`, `dns-01` and `tls-alpn-01` for Let's Encrypt.
-
Licaon_Kter
So acme.sh static method is which exactly?
-
mimi89999
Licaon_Kter: The `.well-known`?
-
croax
Licaon_Kter: acme.sh is probably http-01 as running a standalone webserver
-
croax
dns-01 needs access to write a TXT in the targeted DNS zone, a more complex set-up.
-
Licaon_Kter
mimi89999: no, my bad, not static, https://github.com/acmesh-official/acme.sh/wiki/Stateless-Mode
-
mjk
Still .well-known, so http-01, no?
-
Licaon_Kter
I guess, right
-
Licaon_Kter
Reading it, it might be already protected from this attack since they can't use the account to generate the new certs?
-
croax
Licaon_Kter: just register another account. You can't block anything with registration on LE.
-
mjk
Yeah, I think a domain isn't bound to an account, nor to an email address
-
Licaon_Kter
Oh ffs
-
mjk
I had to create new accounts multiple times for my domain, although I think I used the same email...
-
Licaon_Kter
Yes, I know. So > Example `letsencrypt.org; validationmethods=http-01` ...is useless
-
mjk
As an attack mitigation, seems like it
-
mimi89999
What would that mitigate against?
-
mimi89999
But limiting validation methods to dns might protect against BGP hijacking
-
mimi89999
Still a very unlikely attack, but possible. Was that the first time BGP was used to obtain a TLS cert?
-
Licaon_Kter
> What would that mitigate against? This > But limiting validation methods to dns might protect against BGP hijacking ;)
-
mjk
Oh wait, it's about placing restrictions _into dns_. So if you had dnssec on your domain, you could forbid certain validation methods
-
mjk
Including forbidding cert issuance entirely, probably ;)
-
croax
dns-01 method: so you need to provide a write access token to the DNS zone from the host which runs certbot. The cure is worse than the disease, no?
-
jonas’
a good DNS provider will let you restrict that token to only have write access to the _acme-challenge TXT record
-
jonas’
(and you might be able to leverage a CNAME to help you with that)
-
croax
jonas’: thanks. Searching if this is possible here.
-
jonas’
croax, if it only allows you to restrict to a sub-zone, e.g. foo.example.com, but without restricting record type, I'd suggest to go with a _acme-challenge.domain.example CNAME _acme-challenge.foo.domain.example and let the token manage foo.domain.example
-
croax
jonas’: Great, good advice. I had a look at the OVH API in "zone". It seems the access token can only be restricted by URL prefix path... but {zone} seems to provide unlimited access to names and sub domains. https://api.ovh.com/console/?#/domain/zone/ If anyone knows...
-
mimi89999
croax, jonas’: I wrote https://github.com/xivlo-sysadmins/dns-api especially for that purpose since I'm self-hosting DNS, but on a separate host.
-
mimi89999
You can restrict a client to specific subdomains.
-
Menel
I'm doing the DNS challenge semi-manually. I get the generated TXT secrets I have to insert via XMPP from a script, but I'm setting the records every few months myself.
-
moparisthebest
I have had the DNS challenge with acme.sh working for quite a while now. I have a trash domain on Cloudflare that my real domain's _acme-challenge CNAMEs to, and acme.sh has a plugin to update that for me
-
Rijul
I'm working on a plugin for Caddy (reverse proxy) to spin up a temporary DNS server to respond to these CNAME'd DNS challenges
-
Sapotaceae
at what point does caddy become systemd?
-
moparisthebest
Rijul: will it also do DNSSEC though?
-
Rijul
That's the plan
-
moparisthebest
nice! it'd be great to have something like that stand-alone that didn't involve setting up all of bind9