-
mimi89999
Establishing a secure connection from lebihan.pl to emevth.no-ip.biz failed. Certificate hash: f23518f572dd1897e6ae2a24b5aafeac630b06337e6ec6de30eac4a4a21d7ee4. Error with certificate 0: certificate has expired. Establishing a secure connection from lebihan.pl to conference.gajim.org failed. Certificate hash: ebcda38cd840bd2cb0e3e1623004b63481129107b44aa962ce4b122258a68528. Error with certificate 0: certificate has expired.
-
smooth_op
down with certificates
-
moparisthebest
smooth_op: what do you replace them with
-
smooth_op
a firm handshake with eye contact
-
Sapotaceae
no blood pact?
-
smooth_op
lol. i wish there was a better way but free 3-month certs will have to do.
-
Zash
next step is 3-day certs
-
jonas’
you joke
-
Zash
jonas’, https://www.rfc-editor.org/rfc/rfc8739.html
-
Zash
convergence of certificates and oscp pretty much
-
Zash
convergence of certificates and ocsp pretty much
-
Zash
(have you ever noticed that it is *impossible* to type the acronym for Online Certificate Status Protocol correctly on the first try?)
-
moparisthebest
Also when you get it wrong it's the acronym for some security certification
-
Zash
actually nice would be to have raw public keys and DANE stapling, but nice things are of course unavailable as usual
-
smooth_op
...until some consortium says even those keys need to be rotated every 3 months
-
smooth_op
and isn't dane+dnssec fighting a similar battle like ipv6? the Don't Break the Internet battle?
-
Zash
huh? unfavorable deployment characteristics of the "it won't work until everyone has it" sort, sure
-
moparisthebest
ah yes I hate the evil consortium that solved TLS on the internet and made most of the net encrypted and usable
-
moparisthebest
oh wait no I don't that would be ridiculous lol, you don't remember getting TLS certs before acme/letsencrypt? living nightmare
-
Zash
but only once per year!
-
moparisthebest
once per year and then every time you added a new domain, also no one could afford wildcards
-
moparisthebest
don't forget needing to do SNI because you couldn't afford multi-domain certs
-
Zash
I don't remember SNI from that time
-
smooth_op
oh, what LE did for the internet was/is awesome. the catch was now we have to be 4 times as diligent
-
Sapotaceae
"just automate it"
-
moparisthebest
Not really, now you set it up once and it's good forever
-
moparisthebest
Vs forgetting the manual steps every year
-
Zash
dunno about you but dealing with certbot is a nightmare for me
-
smooth_op
because inevitably, certbot or cron stopped working but since we were smart and set up automation, we devoted less attention
-
Zash
"Hello, I am certbot and today I'm going to start putting your certs into example.com-0001 instead!"
-
moparisthebest
I took one look at certbot, saw a pile of python, went with acme.sh and haven't had a problem since
-
ernst.on.tour
I use getssl.sh, also no problem 🤷🏼‍♂️ Then a little bit of shell-magic and the right plugin in prosody to "curl" a msg if ssl-still-alive-time is less than 20 days. (Default ssl will be renewed if less than 30 days)
-
Link Mauve
Who here operates this FXTIA bot which joined every room listed?
-
Link Mauve
And what is its purpose?
-
FXTIA
me
-
Link Mauve
Oh, since your JID said bot I thought you were a bot. ^^
-
FXTIA
Link Mauve check your PM