* certbot-service wildcard support
From: Nils Gillmann @ 2018-08-04 7:59 UTC
To: guix-devel

Hi,

recently letsencrypt added support for wildcard certificates.

Since we concluded that it would be a good idea for Taler to
just use that instead of roughly 30 - 40 subdomain certificates:

Does our certbot-service support the wildcard functionality?
* Re: certbot-service wildcard support
From: Clément Lassieur @ 2018-08-04 9:34 UTC
To: Nils Gillmann; +Cc: guix-devel

Nils Gillmann <ng0@n0.is> writes:

> Hi,
>
> recently letsencrypt added support for wildcard certificates.
>
> Since we concluded that it would be a good idea for Taler to
> just use that instead of roughly 30 - 40 subdomain certificates:
>
> Does our certbot-service support the wildcard functionality?

It doesn't, because it doesn't support DNS challenges.

I tried to add support for DNS challenges, but I stopped because my DNS
provider (Namecheap) doesn't have an API to update DNS records.  (Well,
it does, but the API has access to everything and I can't afford the
security risk.)

The problem with DNS challenges is that there is no universal way to
update the records.  It depends very much on the provider (unless you
host your DNS zone).

I packaged PYTHON-DNS-LEXICON though, it might help if you want to work
on this.

Clément
* Re: certbot-service wildcard support
From: Nils Gillmann @ 2018-08-04 9:47 UTC
To: Clément Lassieur; +Cc: guix-devel, Nils Gillmann

Clément Lassieur transcribed 847 bytes:
> Nils Gillmann <ng0@n0.is> writes:
>
> > Hi,
> >
> > recently letsencrypt added support for wildcard certificates.
> >
> > Since we concluded that it would be a good idea for Taler to
> > just use that instead of roughly 30 - 40 subdomain certificates:
> >
> > Does our certbot-service support the wildcard functionality?
>
> It doesn't, because it doesn't support DNS challenges.
>
> I tried to add support for DNS challenges, but I stopped because my DNS
> provider (Namecheap) doesn't have an API to update DNS records.  (Well,
> it does, but the API has access to everything and I can't afford the
> security risk.)
>
> The problem with DNS challenges is that there is no universal way to
> update the records.  It depends very much on the provider (unless you
> host your DNS zone).

How is that related?  Or am I using certbot on Debian wrong?  I simply added
an entry manually.  I don't even want a service to mess around with DNS, at
least not unless it is required.
Which in my experience it is not.  You can add the entry manually, which is
what we'd have done for taler.

> I packaged PYTHON-DNS-LEXICON though, it might help if you want to work
> on this.

If you can tell me more about this, and why you think that software is
required for this, then it would be my responsibility to work on this.

> Clément

Thanks
* Re: certbot-service wildcard support
From: Clément Lassieur @ 2018-08-04 9:56 UTC
To: Nils Gillmann; +Cc: guix-devel

Nils Gillmann <ng0@n0.is> writes:

> Clément Lassieur transcribed 847 bytes:
>> Nils Gillmann <ng0@n0.is> writes:
>>
>> > Hi,
>> >
>> > recently letsencrypt added support for wildcard certificates.
>> >
>> > Since we concluded that it would be a good idea for Taler to
>> > just use that instead of roughly 30 - 40 subdomain certificates:
>> >
>> > Does our certbot-service support the wildcard functionality?
>>
>> It doesn't, because it doesn't support DNS challenges.
>>
>> I tried to add support for DNS challenges, but I stopped because my DNS
>> provider (Namecheap) doesn't have an API to update DNS records.  (Well,
>> it does, but the API has access to everything and I can't afford the
>> security risk.)
>>
>> The problem with DNS challenges is that there is no universal way to
>> update the records.  It depends very much on the provider (unless you
>> host your DNS zone).
>
> How is that related?  Or am I using certbot on Debian wrong?  I simply added
> an entry manually.  I don't even want a service to mess around with DNS, at
> least not unless it is required.
> Which in my experience it is not.  You can add the entry manually, which is
> what we'd have done for taler.

Oh.  I thought it had to be updated every three months, which is why I
wanted to automate it.  But if it has to be updated only once, then it's
not a problem.

>> I packaged PYTHON-DNS-LEXICON though, it might help if you want to work
>> on this.
>
> If you can tell me more about this, and why you think that software is
> required for this, then it would be my responsibility to work on this.

It's just a tool that automates DNS records updating, but you won't need
it if the DNS record used by Certbot only needs to be updated once.
* Re: certbot-service wildcard support
From: Nils Gillmann @ 2018-08-04 10:08 UTC
To: Clément Lassieur; +Cc: guix-devel, Nils Gillmann

Clément Lassieur transcribed 1.7K bytes:
> Nils Gillmann <ng0@n0.is> writes:
>
> > Clément Lassieur transcribed 847 bytes:
> >> Nils Gillmann <ng0@n0.is> writes:
> >>
> >> > Hi,
> >> >
> >> > recently letsencrypt added support for wildcard certificates.
> >> >
> >> > Since we concluded that it would be a good idea for Taler to
> >> > just use that instead of roughly 30 - 40 subdomain certificates:
> >> >
> >> > Does our certbot-service support the wildcard functionality?
> >>
> >> It doesn't, because it doesn't support DNS challenges.
> >>
> >> I tried to add support for DNS challenges, but I stopped because my DNS
> >> provider (Namecheap) doesn't have an API to update DNS records.  (Well,
> >> it does, but the API has access to everything and I can't afford the
> >> security risk.)
> >>
> >> The problem with DNS challenges is that there is no universal way to
> >> update the records.  It depends very much on the provider (unless you
> >> host your DNS zone).
> >
> > How is that related?  Or am I using certbot on Debian wrong?  I simply added
> > an entry manually.  I don't even want a service to mess around with DNS, at
> > least not unless it is required.
> > Which in my experience it is not.  You can add the entry manually, which is
> > what we'd have done for taler.
>
> Oh.  I thought it had to be updated every three months, which is why I
> wanted to automate it.  But if it has to be updated only once, then it's
> not a problem.

The DNS entry is added once and that's it, at least from memory, and
from my experience that none of my certs cried for help so far.

> >> I packaged PYTHON-DNS-LEXICON though, it might help if you want to work
> >> on this.
> >
> > If you can tell me more about this, and why you think that software is
> > required for this, then it would be my responsibility to work on this.
>
> It's just a tool that automates DNS records updating, but you won't need
> it if the DNS record used by Certbot only needs to be updated once.

Okay.  So basically it could work as-is, or is there some programming work
to be done to support entries like "*.taler.net"?

Thanks
* Re: certbot-service wildcard support
From: Clément Lassieur @ 2018-08-04 10:17 UTC
To: Nils Gillmann; +Cc: guix-devel

Nils Gillmann <ng0@n0.is> writes:

>> It's just a tool that automates DNS records updating, but you won't need
>> it if the DNS record used by Certbot only needs to be updated once.
>
> Okay.  So basically it could work as-is, or is there some programming work
> to be done to support entries like "*.taler.net"?

There is some work to do so that the --webroot option is not used
(instead another option should be used I guess) and the Nginx service is
not run.  I think entries like "*.taler.net" should be supported by the
service.

Thank you for working on it :-)  I'd love to use the wildcard
certificate.
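The thread turns on two mechanics of the DNS-01 challenge that neither message spells out: which record the CA queries for a wildcard name, and how the TXT value is derived. Per RFC 8555 the value is base64url(SHA-256(token "." thumbprint(account key))), where the token is minted by the CA for each challenge, so every order (including each 90-day Let's Encrypt renewal) needs a freshly published value; certbot hands exactly that string to a `--manual-auth-hook` in the `CERTBOT_VALIDATION` environment variable, which is where a tool like dns-lexicon would plug in. The example below is added here and is not code from the thread, from certbot or from Guix; the account JWK and the tokens are constructed placeholders (the EC coordinates are not a real curve point), and `renewal_walkthrough` is a hypothetical helper that only simulates two successive orders.

```python
"""Added example: DNS-01 TXT derivation per RFC 8555 (sections 8.1 and 8.4)
and RFC 7638 (JWK thumbprint).  Not part of certbot or Guix."""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME and JOSE require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# RFC 7638 section 3.2: the members that enter the thumbprint, per key type.
THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
}


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required public members only,
    serialised as JSON with lexicographically sorted keys and no whitespace.
    Optional members such as "kid" or "use" must not influence the result."""
    required = THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token || "." || thumbprint(account public key)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.4: the TXT record holds base64url(SHA-256(key authorization)).
    This is the string certbot exposes to a --manual-auth-hook as CERTBOT_VALIDATION."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


def challenge_record_name(identifier: str) -> str:
    """Record to publish: "_acme-challenge." prepended to the identifier, with a
    leading wildcard label removed, so *.taler.net is validated at
    _acme-challenge.taler.net (the same name a plain taler.net order uses)."""
    if identifier.startswith("*."):
        identifier = identifier[2:]
    return f"_acme-challenge.{identifier}"


def record_satisfies_challenge(published_txt_values, token: str, account_jwk: dict) -> bool:
    """The CA's check: the expected value must appear among the published TXT records."""
    return dns01_txt_value(token, account_jwk) in set(published_txt_values)


# Constructed placeholder account key (NOT a real P-256 point); only the
# public members feed the thumbprint, and "kid" is ignored by it.
SAMPLE_ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": b64url(bytes(range(32))),
    "y": b64url(bytes(range(32, 64))),
    "kid": "https://acme.example/acct/1",  # constructed
}


def renewal_walkthrough(identifier: str, tokens, account_jwk: dict = SAMPLE_ACCOUNT_JWK):
    """Hypothetical helper: simulate successive orders for one identifier.
    The CA mints a fresh token per challenge, so each renewal needs a
    different TXT value, and the record left over from the previous order
    does not satisfy the new one.  Returns (record name, TXT values in order,
    whether the first order's record would pass the last order's challenge)."""
    name = challenge_record_name(identifier)
    values = [dns01_txt_value(t, account_jwk) for t in tokens]
    stale_passes = (len(tokens) > 1
                    and record_satisfies_challenge(values[:1], tokens[-1], account_jwk))
    return name, values, stale_passes


if __name__ == "__main__":
    # Constructed tokens standing in for the ones the CA returns with each order.
    name, values, stale_ok = renewal_walkthrough("*.taler.net", ["tok-order-1", "tok-order-2"])
    for v in values:
        print(f'{name}. IN TXT "{v}"')
    print("record from the first order accepted for the second:", stale_ok)
```

In a certbot hook the token is never seen directly: `certbot certonly --manual --preferred-challenges dns -d '*.taler.net'` computes the value itself and the hook only has to publish `CERTBOT_VALIDATION` at `_acme-challenge.$CERTBOT_DOMAIN`, then wait for propagation before returning; the derivation above is what makes that value differ on every run.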