NetBSD-Users archive
Re: create keys and certificates for postfix/tls
On Mon, 29 Feb 2016, Martin Husemann wrote:
> I am currently using free certificates from StartSSL.
Interesting that they even offer such a thing. I had to look them up.
> I looked at letsencrypt, but I couldn't make any sense of it - can
> somebody explain (from an admin point of view) how that is supposed to
> work?
It's a science project, for sure. I was playing with it recently under
FreeBSD. My impression of how it's supposed to work is this:
1. You install a Python script using git.
2. You run the script and it tries to autoconfigure for your system. It's
a script, so of course, that's mostly going to fail. The script tries
to detect things like your cert locations in your Apache config. It
does claim to be able to manage raw certs.
3. The script in conjunction with back-end tools on their site checks
your domain's TXT records for an x509 special record with some special
sauce to auth your CSR or whatever.
> Of course I will NOT install arbitrary 3rd party server side software
> (where my server OS isn't even officially supported) to handle
> important things like certificate renewals when it is a very simple
> task to do just once a year.
Their intention is, I believe, for you to run this Python script every day
until the end of time and it'll handle cert updates automagically. They
don't issue certs for any longer than 90 days as far as I can tell. So,
I'm guessing you'll be doing a lot of updating and it'd definitely need to
work. They have a protocol for the crypto ops called ACME. So, I suppose
the Python script is the first (and only?) implementation of that.
> Given all the hype about it, I am sure I must be missing something. What
> is it?
My take is that it's a way to get a quick domain cert if you have control
over your domain's DNS. I don't like the script approach since it threw
all kinds of warnings and errors, then failed to work under FreeBSD; I'm
guessing it'll fail even worse for NetBSD.
In short, Linux Foundation + overly ambitious python script = meh.
-Swift
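Whichever way the certificate is obtained, a 90-day Let's Encrypt certificate that some renewal script is supposed to refresh, or a yearly one renewed by hand, the admin's real exposure is a certificate that lapses unnoticed and takes Postfix TLS down with it. The following is an added example, not code from this thread or from any of the tools discussed in it: a POSIX shell check that flags PEM certificates entering a renewal window. It relies on `openssl x509 -checkend`, which does the expiry arithmetic itself, so it avoids the GNU-versus-BSD `date` parsing differences that bite on NetBSD. It assumes openssl(1) is on PATH, that certificates are PEM files named `*.pem`, and the directory given on the command line is whatever the local setup uses (the `/etc/openssl/certs` default below is a placeholder).

```shell
#!/bin/sh
# Added example (not from the thread): flag TLS certificates that are
# inside a renewal window, using openssl's own -checkend test so that
# no platform-specific date parsing (GNU vs BSD date) is needed.
# Assumes: openssl(1) on PATH; certificates stored as PEM files.

# cert_needs_renewal FILE [DAYS]
#   returns 0 if FILE expires within DAYS days (default 30),
#           1 if it stays valid beyond that window,
#           2 if FILE is not a readable X.509 certificate.
cert_needs_renewal() {
    cnr_cert="$1"
    cnr_days="${2:-30}"
    cnr_seconds=$((cnr_days * 86400))
    # Separate "not a certificate" (e.g. a private key) from "expiring",
    # so a broken file is never silently reported as fine.
    openssl x509 -noout -in "$cnr_cert" >/dev/null 2>&1 || return 2
    # -checkend exits 0 when the cert is still valid after N seconds and
    # 1 when it will have expired by then; invert that for our question.
    if openssl x509 -checkend "$cnr_seconds" -noout -in "$cnr_cert" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# cert_not_after FILE: print the notAfter date as openssl reports it.
cert_not_after() {
    openssl x509 -noout -enddate -in "$1" 2>/dev/null | sed 's/^notAfter=//'
}

# report_expiring DIR [DAYS]
#   Walks DIR/*.pem, prints "RENEW <file> <notAfter>" for each certificate
#   inside the window and "SKIP <file>" for non-certificates (keys, etc).
#   Returns 0 if at least one certificate needs renewal, 1 otherwise,
#   which makes it usable straight from cron or a monitoring check.
report_expiring() {
    re_dir="$1"
    re_days="${2:-30}"
    re_found=1
    for re_f in "$re_dir"/*.pem; do
        [ -f "$re_f" ] || continue      # empty glob: nothing to do
        cert_needs_renewal "$re_f" "$re_days"
        case $? in
            0) printf 'RENEW %s %s\n' "$re_f" "$(cert_not_after "$re_f")"
               re_found=0 ;;
            2) printf 'SKIP %s (not a certificate)\n' "$re_f" ;;
        esac
    done
    return $re_found
}

# Stand-alone use: report_expiring.sh /etc/openssl/certs 30
# (/etc/openssl/certs is a placeholder for the local certificate directory)
if [ $# -gt 0 ]; then
    report_expiring "$1" "${2:-30}"
fi
```

Run it from cron with the same window you would give yourself to renew by hand; a non-zero exit from `report_expiring` when nothing is expiring is the quiet case, and the `RENEW` line is the one worth alerting on. Keeping private keys and certificates in separate directories avoids the `SKIP` noise entirely.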