💾 Archived View for station.martinrue.com › sirwilburthefirst › 6d7f684906494bd3b0ab49254702c56b captured on 2023-11-14 at 10:22:01. Gemini links have been rewritten to link to archived content

👽 sirwilburthefirst

I'm trying to change from a Let's Encrypt certificate to a self-signed certificate (I didn't know you could use self-signed).

When I changed my cert Lagrange gave an error that the cert was not one it trusted and the server didn't announce a change.

Does Gemini have a way to announce a cert change that I didn't know about? Any help here would be appreciated. Thanks!

2 years ago

7 Replies

👽 skyjake

I would recommend a self-signed 10+ year certificate for Gemini. TOFU is the method suggested in the spec, but because this is up to clients to decide I would assume many don’t do CA-based verification.

The worst situation in general is when a capsule has a scheduled renewal a la Let’s Encrypt, because visitors will then have to be constantly re-trusting the certificate, except for those who support CA verification. · 2 years ago

👽 sirwilburthefirst

@skyjake Thanks so much! Last question, in your opinion is it better to use a CA or self-signed cert or is it the same? Coming from the web this experience is unusual to me so wanting some opinions. · 2 years ago

👽 skyjake

1) Yes, but only if the trusted root CA certs have been configured in Preferences > Network. In the latest version the prebuilt binaries have these built-in, but otherwise it’s up to user to provide the root certs.

2) Yes, normal TOFU. · 2 years ago

👽 sirwilburthefirst

@skyjake: Thanks! Couple of more questions so I understand the nuance:

1. Does Lagrange automatically trust changed CA certs?

2. Does Lagrange trust self-signed certs when you visit for the first time (not changed)?

I think (2) is probably "yes" because I've never seen the warning on sites I've visited before. · 2 years ago

👽 skyjake

Lagrange doesn't automatically trust changed self-signed certificates. You'll always need to mark them as trusted manually via the Page Information dialog. · 2 years ago

👽 sirwilburthefirst

@skyjake Hm, not sure I follow. How does that cause Lagrange to accept the cert? · 2 years ago

👽 skyjake

The protocol doesn't address this issue. Any announcements about certificate changes have to be made manually via other means, like posting here on Station. 🙂

I think usually people make a gemlog post about the change and submit the post to Antenna. · 2 years ago