XMPP Service Operators - 2022-02-22


  1. Sapotaceae

    expat update is in fedora updates-testing for f34 and f35

  2. Sapotaceae

    dnf update --refresh --enablerepo=updates-testing expat *xml*

  3. Licaon_Kter

    Wow https://social.tchncs.de/@trashserver/107836342028385529

  4. Martin

    > Establishing a secure connection from mdosch.de to muc.poez.io failed. Certificate hash: 0206e623a7a8b86bdc6be15f3fd481ac5903a4b387f0c390dc47aac228688d48. Error with certificate 0: certificate has expired.

  5. Maranda

    👮👮👮

  6. Maranda

    Our friendly neighbor cert officer

  7. Martin

    😁

  8. Martin

    Just put all your xmpp services on o.j.n and I have a quiet time. 😃

  9. mimi89999

    croax, Licaon_Kter: You can use the `validationmethods` CAA parameter to limit allowed validation methods

  10. mimi89999

    Example `letsencrypt.org; validationmethods=dns-01`

  11. Licaon_Kter

    List of all methods?

  12. mimi89999

    > List of all methods? Licaon_Kter: what do you mean? What are the allowed methods?

  13. Licaon_Kter

    Yes...so dns-01 and?

  14. croax

    Licaon_Kter: seems like RFC only defines issue, issuewild, iodef https://www.rfc-editor.org/rfc/rfc8659.html There's an extension for this only param in https://datatracker.ietf.org/doc/html/rfc8657#section-4

  15. croax

Which refers to existing methods https://datatracker.ietf.org/doc/html/rfc8555#section-9.7.8 http-01 | dns, dns-01 | dns, tls-sni-01 | RESERVED, tls-sni-02 | RESERVED

  16. mimi89999

    Licaon_Kter: `http-01`, `dns-01` and `tls-alpn-01` for Let's Encrypt.

  17. Licaon_Kter

    So acme.sh static method is which exactly?

  18. mimi89999

    Licaon_Kter: The `.well-known`?

  19. croax

    Licaon_Kter: acme.sh is probably http-01 as running a standalone webserver

  20. croax

dns-01 needs access to write a TXT in the targeted zone, more complex set-up.

  21. croax

dns-01 needs access to write a TXT in the targeted DNS zone, more complex set-up.

  22. Licaon_Kter

    mimi89999: no, my bad, not static, https://github.com/acmesh-official/acme.sh/wiki/Stateless-Mode

  23. mjk

    Still .well-known, so http-01, no?

  24. Licaon_Kter

    I guess, right

  25. Licaon_Kter

    Reading it, it might be already protected from this attack since they can't use the account to generate the new certs?

  26. croax

    Licaon_Kter: just register another account. You can't block anything with registration on LE.

  27. mjk

Yeah, I think a domain isn't bound to an account, nor to an email address

  28. mjk

    Yeah, I think a domain isn't bound to an account, nor to an email address

  29. Licaon_Kter

    Oh ffs

  30. mjk

    I had to create new accounts multiple times for my domain, although I think I used the same email...

  31. Licaon_Kter

Yes, I know. So > Example `letsencrypt.org; validationmethods=http-01` ...is useless

  32. mjk

    As an attack mitigation, seems like it

  33. mimi89999

    What would that mitigate against?

  34. mimi89999

    But limiting validation methods to dns might protect against BGP hijacking

  35. mimi89999

    Still a very unlikely attack, but possible. Was that the first time BGP was used to obtain a TLS cert?

  36. Licaon_Kter

    > What would that mitigate against? This > But limiting validation methods to dns might protect against BGP hijacking ;)

  37. mjk

    Oh wait, it's about placing restrictions _into dns_. So if you had dnssec on your domain, you could forbid certain validation methods

  38. mjk

    Including forbidding ACME entirely, probably ;)

  39. mjk

    Including forbidding cert issuance entirely, probably ;)

  40. croax

dns-01 method: so you need to provide a write access token to the DNS zone from the host which runs certbot. The cure is worse than the disease, no?

  41. croax

dns-01 method: so you need to provide a write access token to the DNS zone from the host which runs certbot. The cure is worse than the disease, no?

  42. jonas’

a good DNS provider will let you restrict that token to only have write access to the _acme-challenge TXT record

  43. jonas’

    (and you might be able to leverage a CNAME to help you with that)

  44. croax

    jonas’: thanks. Searching if this is possible here.

  45. jonas’

    croax, if it only allows you to restrict to a sub-zone, e.g. foo.example.com, but without restricting record type, I'd suggest to go with a _acme-challenge.domain.example CNAME _acme-challenge.foo.domain.example and let the token manage foo.domain.example

  46. croax

jonas’: Great, good advice. I had a look at the OVH API in "zone". It seems the access token can only be restricted by URL prefix path... but {zone} seems to provide unlimited access to names and sub domains. https://api.ovh.com/console/?#/domain/zone/ If anyone knows...

  47. mimi89999

    croax, jonas’: I wrote https://github.com/xivlo-sysadmins/dns-api especially for that purpose since I'm selfhosting DNS, but on a separate host.

  48. mimi89999

    You can restrict a client to only a subdomain and field type.

  49. mimi89999

    You can restrict a client to specific subdomains.

  50. Menel

I'm doing the DNS challenge semi-manually. I get the generated TXT secrets I have to insert via xmpp from a script, but I'm setting the records every few months myself.

  51. moparisthebest

I have had the DNS challenge with acme.sh working for quite a while now. I have a trash domain on Cloudflare that my real domain's _acme-challenge CNAMEs to, and acme.sh has a plugin to update that for me

  52. Rijul

    I'm working on a plugin for Caddy (reverse proxy) to spin up a temporary DNS server to respond to these CNAME'd DNS challenges

  53. Sapotaceae

    at what point does caddy become systemd?

  54. moparisthebest

    Rijul: will it also do DNSSEC though?

  55. Rijul

    That's the plan

  56. moparisthebest

    nice! it'd be great to have something like that stand-alone that didn't involve setting up all of bind9