From: Felix Lechner
To: Carlo Zancanaro
Cc: Clément Lassieur, guix-devel@gnu.org
Subject: Re: bug#46961: [PATCH v2 0/4] Make certbot play more nicely with nginx
Date: Sun, 14 Apr 2024 09:25:38 -0700
Message-ID: <87y19f29od.fsf@lease-up.com>
In-Reply-To: <87sezovypt.fsf@zancanaro.id.au>
References: <875xzanaer.fsf__22488.5524179385$1706626282$gmane$org@lease-up.com> <8734uevcf3.fsf@lassieur.org> <871q7a2h8y.fsf@lease-up.com> <87sezovypt.fsf@zancanaro.id.au>
List-Id: Development of GNU Guix and the GNU System distribution.

Hi Carlo,

Thanks for fixing the Cc: addresses. I should not have included the bug
filing address in my reply.

On Sun, Apr 14 2024, Carlo Zancanaro wrote:

> We could avoid generating unnecessary self-signed certificates by first
> checking if we already have certificates from certbot, and creating the
> symlink straight away if we can.

That would seem wise to me.

> The current code uses the rsa-key-size from the , or 4096 if that is
> unset (the default). This is probably [excessive] given we don't
> actually need, or want, to use the initial certificates.
>
> We could instead use the smallest key size that openssl supports (512?).

Like you, I asked myself why those self-signed certificates, which are
mostly useless, would be 4096-bit strong.

I am more offended, however, that they were generated with a lifetime of
just one day. What happens if certbot is not yet configured, and the
sysadmin forgot to do so for a few days?

A long time span, such as ten years (3650 days) might be more appropriate
for the fallback certificates.

By the way, in Debian we call them "snake oil". I believe they are present
on all systems.

Kind regards
Felix
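The approach discussed in this thread, as an added example that is neither the Guix certbot service's code nor anything posted by the participants: a POSIX sh snippet that symlinks certbot's certificate straight away when it already exists and otherwise generates a single long-lived self-signed placeholder so nginx can start. The directory layout, the function names `ensure_cert` and `cert_valid_for_days`, and the 2048-bit default key size are assumptions; the 3650-day lifetime is the value suggested above.

```shell
# Added example, not code from the Guix certbot service or from this thread.
# Provisions the files nginx reads for a domain: symlink certbot's certificate
# if it exists, otherwise generate one long-lived self-signed placeholder.
# Assumed layout (not from the thread): certbot writes
# $LIVE_DIR/<domain>/{fullchain,privkey}.pem and nginx reads
# $FALLBACK_DIR/<domain>/{cert,key}.pem.

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"
FALLBACK_DIR="${FALLBACK_DIR:-/etc/ssl/fallback}"
FALLBACK_DAYS="${FALLBACK_DAYS:-3650}"   # ten years, as suggested in the thread
FALLBACK_BITS="${FALLBACK_BITS:-2048}"   # assumed default; OpenSSL 3 refuses RSA below 512 bits

# Prints "certbot" or "self-signed" to report which source nginx will use.
ensure_cert() {
    domain="$1"
    target="$FALLBACK_DIR/$domain"
    live="$LIVE_DIR/$domain"
    mkdir -p "$target"
    if [ -s "$live/fullchain.pem" ] && [ -s "$live/privkey.pem" ]; then
        # A real certificate exists: link it and skip the placeholder entirely.
        ln -sf "$live/fullchain.pem" "$target/cert.pem"
        ln -sf "$live/privkey.pem" "$target/key.pem"
        echo certbot
        return 0
    fi
    if [ -s "$target/cert.pem" ] && [ -s "$target/key.pem" ]; then
        # Placeholder generated on an earlier run: reuse instead of regenerating.
        echo self-signed
        return 0
    fi
    # Subshell keeps the restrictive umask from leaking into the caller.
    (umask 077 && openssl req -x509 -newkey "rsa:$FALLBACK_BITS" -nodes \
        -keyout "$target/key.pem" -out "$target/cert.pem" \
        -days "$FALLBACK_DAYS" -subj "/CN=$domain" >/dev/null 2>&1)
    echo self-signed
}

# Succeeds when the certificate in $1 is still valid $2 days from now,
# which is how a one-day placeholder would be caught before nginx fails.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}
```

Run `ensure_cert` again once certbot has obtained a certificate (for instance from a certbot `--deploy-hook`) so the symlink replaces the placeholder.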