NetBSD-Users archive


Re: create keys and certificates for postfix/tls



On Mon, 29 Feb 2016, Martin Husemann wrote:
> I am currently using free certificates from StartSSL.

Interesting that they even offer such a thing. I had to look them up.

> I looked at letsencrypt, but I couldn't make any sense of it - can somebody explain (from an admin point of view) how that is supposed to work?

It's a science project, for sure. I was playing with it recently under FreeBSD. My impression of how it's supposed to work is this:

1. You install a Python script using git.

2. You run the script and it tries to autoconfigure for your system. It's
   a script, so of course, that's mostly going to fail. The script tries
   to detect things like your cert locations in your Apache config. It
   does claim to be able to manage raw certs.

3. The script in conjunction with back-end tools on their site checks
   your domain's TXT records for an x509 special record with some special
   sauce to auth your CSR or whatever.

> Of course I will NOT install arbitrary 3rd party server side software
> (where my server OS isn't even officially supported) to handle
> important things like certificate renewals when it is a very simple
> task to do just once a year.

Their intention is, I believe, for you to run this Python script every day until the end of time and it'll handle cert updates automagically. They don't issue certs for any longer than 90 days as far as I can tell. So, I'm guessing you'll be doing a lot of updating and it'd definitely need to work. They have a protocol for the crypto ops called ACME. So, I suppose the Python script is the first (and only?) implementation of that.

> Given all the hype about it, I am sure I must be missing something. What is it?

My take is that it's a way to get a quick domain cert if you have control over your domain's DNS. I don't like the script approach since it threw all kinds of warnings and errors, then failed to work under FreeBSD; I'm guessing it'll fail even worse for NetBSD.

In short, Linux Foundation + overly ambitious python script = meh.

-Swift
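The thread's two practical points are the subject line (make a key and certificate for Postfix TLS) and the 90-day lifetime that forces renewal to be automated rather than done once a year. The script below is an added example, not code from the original post and not the Let's Encrypt client under discussion: it uses only the openssl CLI to generate the key and CSR you would hand to any CA, and implements the renewal check as a cron-friendly function. It goes one step beyond the thread by also checking that a key and certificate actually belong together, which is the usual reason a Postfix TLS setup fails after a renewal. The hostname mail.example.test, the self-signed stand-in certificate and the 30-day renewal threshold are constructed assumptions for running it offline.

```shell
#!/bin/sh
# Added example (not from the original post): generate a key and CSR for a
# Postfix TLS setup, then apply the renewal check that 90-day (ACME-style)
# certificates force you to automate. Assumes only the openssl CLI.
# Hostnames and the 30-day renewal threshold are constructed assumptions.
set -eu

# make_key_and_csr DIR CN: new 2048-bit RSA key plus a CSR for CN, the
# pair you would hand to a CA (StartSSL's web form or an ACME client).
make_key_and_csr() {
    dir=$1; cn=$2
    mkdir -p "$dir"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/key.pem" 2>/dev/null
    chmod 600 "$dir/key.pem"      # Postfix reads it as root; nobody else needs it
    openssl req -new -key "$dir/key.pem" -subj "/CN=$cn" \
        -out "$dir/csr.pem" 2>/dev/null
}

# make_test_cert DIR CN DAYS: self-signed stand-in for a CA-issued cert so the
# checks below can run offline; DAYS mimics the CA's lifetime (90 for ACME).
make_test_cert() {
    dir=$1; cn=$2; days=$3
    make_key_and_csr "$dir" "$cn"
    openssl x509 -req -in "$dir/csr.pem" -signkey "$dir/key.pem" \
        -days "$days" -out "$dir/cert.pem" 2>/dev/null
}

# key_matches_cert KEY CERT: a cert and key that do not belong together is
# the classic Postfix TLS failure; compare the public keys, not file names.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# renewal_status CERT DAYS: prints "renew" if CERT expires within DAYS days,
# "ok" otherwise. With 90-day certs, a 30-day threshold run daily from cron
# leaves a month of attempts before the cert actually lapses.
renewal_status() {
    if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; then
        echo ok
    else
        echo renew
    fi
}

# Stand-alone demonstration: sh this_script.sh demo
demo() {
    tmp=$(mktemp -d)
    make_test_cert "$tmp/fresh" mail.example.test 90
    make_test_cert "$tmp/stale" mail.example.test 10
    echo "fresh: $(renewal_status "$tmp/fresh/cert.pem" 30)"   # ok
    echo "stale: $(renewal_status "$tmp/stale/cert.pem" 30)"   # renew
    key_matches_cert "$tmp/fresh/key.pem" "$tmp/fresh/cert.pem" && echo "fresh key/cert pair matches"
    key_matches_cert "$tmp/stale/key.pem" "$tmp/fresh/cert.pem" || echo "stale key with fresh cert: mismatch"
    rm -rf "$tmp"
}
case "${1:-}" in demo) demo ;; esac
```

For a real deployment, point Postfix's `smtpd_tls_cert_file` and `smtpd_tls_key_file` at the issued cert.pem and key.pem, run `key_matches_cert` on the pair before `postfix reload`, and call `renewal_status` from a daily cron job that only fetches a new certificate when it prints "renew"; with a once-a-year CA the same check simply stays quiet for eleven months.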
