💾 Archived View for station.martinrue.com › sirwilburthefirst › 6d7f684906494bd3b0ab49254702c56b captured on 2023-11-14 at 10:22:01. Gemini links have been rewritten to link to archived content
⬅️ Previous capture (2023-05-24)
-=-=-=-=-=-=-
I'm trying to change from a Let's Encrypt certificate to a self-signed certificate (I didn't know you could use self-signed).
When I changed my cert Lagrange gave an error that the cert was not one it trusted and the server didn't announce a change.
Does Gemini have a way to announce a cert change that I didn't know about? Any help here would be appreciated. Thanks!
2 years ago
I would recommend a self-signed 10+ year certificate for Gemini. TOFU is the method suggested in the spec, but because this is up to clients to decide I would assume many don’t do CA-based verification.
The worst situation in general is when a capsule has a scheduled renewal a la Let’s Encrypt, because visitors will then have to be constantly re-trusting the certificate, except for those who support CA verification. · 2 years ago
@skyjake Thanks so much! Last question, in your opinion is it better to use a CA or self-signed cert or is it the same? Coming from the web this experience is unusual to me so wanting some opinions. · 2 years ago
1) Yes, but only if the trusted root CA certs have been configured in Preferences > Network. In the latest version the prebuilt binaries have these built-in, but otherwise it’s up to user to provide the root certs.
2) Yes, normal TOFU. · 2 years ago
@skyjake: Thanks! Couple of more questions so I understand the nuance:
1. Does Lagrange automatically trust changed CA certs?
2. Does Lagrange trust self-signed certs when you visit for hte first time (not changed)?
I think (2) is probably "yes" because I've never seen the warning on sites I've visited before. · 2 years ago
Lagrange doesn't automatically trust changed self-signed certificates. You'll always need to mark them as trusted manually via the Page Information dialog. · 2 years ago
@skyjake Hm, not sure I follow. How does that cause Lagrange to accept the cert? · 2 years ago
The protocol doesn't address this issue. Any announcements about certificate changes have to be made manually via other means, like posting here on Station. 🙂
I think usually people make a gemlog post about the change and submit the post to Antenna. · 2 years ago