๐พ Archived View for bbs.geminispace.org โบ u โบ michaelnordmeyer โบ 4549 captured on 2023-09-08 at 17:23:51. Gemini links have been rewritten to link to archived content
โก๏ธ Next capture (2023-09-28)
-=-=-=-=-=-=-
Re: "How many here use the same TLS certificate on their gemini..."
@supernova AFAIK Let's Encrypt only supports three months durations for security reasons.
Gemini doesn't support the chain of trust you have on the webs. Instead, it's trust-on-first-use. So any valid certificate will suffice as clients automatically trust valid ones, even self-signed ones.
If a certificate returned form a known (=visited) server changes, the client should display an alert. The user can then decide to again trust this new certificate and the client will subsequently silently accept this new certificate.
So it's not very secure in absolute terms. But you can get a secure transport, if the first certificate you (automatically) trusted was the proper one while having a very long expiration date.
2023-08-19 ยท 3 weeks ago
@Morgan is set the parameter reuse_key = True in renewal.conf, that seems to keep the same cert data so that the hash does not change
@Supernova I believe this only requires the parameter reuse_key = True in the config. It is not possible to create long expiring certs with Letsencrypt, the expire time is automatically 3 months, you cannot change that
for those using LE, are you copying your keys to the user running your server? I ask because after using certbot, the directory holding the LE certs is not viewable by a regular user on my machine.
I copy the files with sudo and access them with the user the server is running under
@alexlehm Oh there is a runtime option, and I use docker certbot so I think I can use it this way:
docker compose run --rm certbot renew --reuse-key
I will see what happens next month upon renewal ๐
I see the purpose as different. The point of minting a key is to have a centralised chain of trust. I think the key life times are for the CA to validate or audit the keys. CRLs are not always effective, so everything must have a lifetime.
In Gemini, it's TOFU so the utility of a lifetime and of minting are both limited and across purposes.
2023-08-20 ยท 3 weeks ago
How many here use the same TLS certificate on their gemini server that they get for their web server? I found it not too hard to setup. I am surprised I don't see more gemini capsules doing the same.
๐ฌ Supernova ยท 13 comments ยท 2023-08-19 ยท 3 weeks ago ยท #certificates