XMPP Service Operators - 2023-10-24

has anyone set up CAA's tying to a specific letsencrypt account yet? and if so, do you know how to get the account id from acme.sh :'(

also I've seen different formats for CAA iodef, should it be email@example.org or mailto:email@example.org ?

email should have mailto

`certbot show_account` prints an account url

it'll contain api.letsencrypt.org somewhere

check wwhereever acme.sh stores its stuff

ok this prints a URL that's probably right: acme.sh --update-account --server letsencrypt

any examples of restricting validationmethods *and* accounturi ? there's a ; after the domain, but does that seperate each? :)

found an example where each is seperated by '; ' so guess I'll try it

``` issue "letsencrypt.org; validationmethods=http-01; accounturi=https://ENDPOINT.api.letsencrypt.org/acme/acct/NUMBER" iodef "mailto:caa@domain.tld" ``` I recommend keeping the uri at the end so no need to worry about ; parsing

octagon, why do you have your flags set 0 instead of 128 ? (ie setting the critical bit that tells CAs to not issue if they don't understand something)

the critical flag isn't used yet afaik

this mentions it: https://letsencrypt.org/docs/caa/#what-to-put-in-the-record

interesting

moparisthebest: > and if so, do you know how to get the account id from acme.sh :'( `~/.acme.sh/ca/acme-v02.api.letsencrypt.org/directory/ca.conf` see `ACCOUNT_URL`

singpolyma: odd to see different output for different domains (issues), I mean for one it complains about "for these but not for <input>", for another it says about DNSSEC, for other said about putting TLSA in DNS I was expecting some sort of consistency, for the main part, then add the extra stuff. For now, I'm not sure how a "good" result looks like :))

do any clinets check tlsa records?

octagon, none that I know, but I may be wrong

singpolyma: error 504 now

Licaon_Kter: once you add the TLSA records it tells you to add you can see what a good result is like. You can check what it says for cheogram.com for example

I looked at jmp.chat :))

Yeah, that one isn't public on xmpp so I don't think I finished setup on it yet

Well, it is public but no one else is using it, heh

singpolyma: you see the 502 errors right?

emus: are they happening again? I can look when I get home

I heard from another dev

singpolyma: said it was last night. so before the last 12 hours

If anyone else wants a CAA template to copy I think `dig caa moparisthe.best` is right but of course I won't know for sure until my cert tries to renew :D thanks for the help octagon

moparisthebest: didn't you try with staging?

Licaon_Kter: https://upload.canchat.org:5281/file_share/X-CL96W5kWZbfsHXyrzJvGxf/ufH3q6jLTKagpWzLDMAOsQ.jpg

I didn't say deploy, wtf? I said use LE staging server to get certs. And/Or block certs generation...

Licaon_Kter: no I'm saying that book is what I did :D

I'll have 30 days to fix it if it goes wrong... 🙏

:))

> If anyone else wants a CAA template to copy I think `dig caa moparisthe.best` is right but of course I won't know for sure until my cert tries to renew :D thanks for the help octagon Could try with --dry-run?

At least for certbot

acme.sh doesn't :)

😇

acme.sh --issue --staging ...

> acme.sh --issue --staging ... Exactly

Right, could have, but didn't

I always forget to use staging until it's too late

http://blog.jmp.chat/b/certwatch/certwatch

Do you know what happend with creep.im? The warrant canary is outdated.

You could ask a@creep.im if they forgot, or....

Doesn't work anymore.

Well that service is on the blocklist for spam, so maybe the server where you're writing from also blocks creep.im.

Menel, Could you give me the list?

https://github.com/JabberSPAM/blacklist/blob/master/blacklist.txt

> https://github.com/JabberSPAM/blacklist/blob/master/blacklist.txt Thank you. It seems like last year he also skipped one. Maby he has other things on his plate. We will wait until the end of the year. . > Well that service is on the blocklist for spam, so maybe the server where you're writing from also blocks creep.im. I'm gonna send him one from danwin1210.de Thank you very much Menel. You help a lot of people in here.

Maybe they're actually co-opted

You know any real life examples where they could force somebody to update the canary, octagon ?

github is completely broken for me

I wish the XSF would use literally anything else other then Micro$oft services for hosting this kind of stuff

nuegia.net: this is not hosted by the XSF

this is unofficially maintained by xmpp service operators

at this point github has gotten so bad we need a alternative frontend project for it like invidious, nitter, and bibliogram

nuegia.net: gitlab dot com is worseR on every level

sourcehut is an option

or even just a plain http webserver would be better then micro$oft

i’m curious what’s broken on github for you

> nuegia.net: gitlab dot com is worseR on every level I tought I'm the only one who feels that way.

i don't know about worse but gitlab is pretty bad too

if gitlab works at all, most of the time it doesn't it causes the fans to scream on my computers and bogs down my web browser

I have to enable javascript even to see the menus.

oh no the evil javascript