From: karl@aspodata.se
To: gentoo-user@lists.gentoo.org
Subject: Re: Letsencrypt (was Re: [gentoo-user] app-misc/ca-certificates)
Date: Tue, 1 Jun 2021 15:17:35 +0200 (CEST)
Message-Id: <20210601131735.432D082B8F89@turkos.aspodata.se>
References: <20210529030839.123d8526@melika.host77.tld> <61db8745-dbb4-9c7e-80a9-6725905178c4@iinet.net.au> <20210601104447.D7EA282B8F89@turkos.aspodata.se> <2212846.ElGaqSPkdT@iris>
Comments: In-reply-to Michael Orlitzky message dated "Tue, 01 Jun 2021 07:40:28 -0400."
List-Id: Gentoo Linux mail
Reply-to: gentoo-user@lists.gentoo.org

Michael Orlitzky:
...
> * The LetsEncrypt certificates expire after three months, as opposed
> to 10+ years for a self-signed certificate. You're supposed to
> automate this... by running a script as root that takes input from
> the web? I'd rather not do that.

You can run most of it as an unprivileged user, here is my crontab:

# /etc/crontab format: min hour dom mon dow user command (all on the 1st of the month)
0 0 1 * * acme /usr/local/sbin/acme_update.sh
# root only concatenates the key and the fetched chain into the file lighttpd reads
10 0 1 * * root cat /etc/acme-tiny/domain.key /var/acme-tiny/signed_chain.crt > /etc/lighttpd/server.pem
20 0 1 * * root /etc/init.d/lighttpd restart

One could add a check to make sure that the downloaded crt is sensible.

> * LetsEncrypt verifies your identity over plain HTTP (like every other
> commercial CA), so it's all security theater in the first place.
...

Ack.

Regards,
/Karl Hammar
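The "check that the downloaded crt is sensible" Karl mentions, written out as an added example (this is not code from the mail, from acme-tiny or from Gentoo). It is the root-side half of the split above: the unprivileged acme user has already written signed_chain.crt, and root refuses to touch server.pem or restart lighttpd unless the file parses, its public key matches domain.key, it covers the served name, it is not about to expire, and it chains to a trusted root. The script name, the CA bundle path /etc/ssl/certs/ca-certificates.crt, the domain and the reload command are assumptions; only the openssl CLI is required.

```sh
#!/bin/sh
# acme_install.sh: root-side half of an acme-tiny renewal. Added example, not
# code from the original mail or from acme-tiny. Checks the certificate the
# unprivileged acme user fetched before it is concatenated with the private
# key and the web server restarted. Paths, the domain and the CA bundle
# location are assumptions; the reload command is passed in by the caller.
set -u

log() { printf 'acme_install: %s\n' "$*" >&2; }

# check_cert KEY CRT DOMAIN CA_BUNDLE -> returns 0 only if CRT is safe to install
check_cert() {
    key=$1 crt=$2 domain=$3 ca=$4

    # 1. It must parse as X.509 at all. An HTML error page saved by a failed
    #    download does not, and would take the server down at restart.
    if ! openssl x509 -in "$crt" -noout >/dev/null 2>&1; then
        log "$crt is not a parsable certificate"; return 1
    fi
    if ! openssl pkey -in "$key" -pubout >/dev/null 2>&1; then
        log "$key is not a readable private key"; return 1
    fi

    # 2. Its public key must be the one belonging to our private key, or the
    #    combined server.pem is useless. Compare SPKI digests of both sides.
    key_fp=$(openssl pkey -in "$key" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
    crt_fp=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null \
             | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
    if [ "$key_fp" != "$crt_fp" ]; then
        log "public key in $crt does not match $key"; return 1
    fi

    # 3. It must be issued for the name we serve (SAN dNSName, CN fallback).
    #    openssl prints "does match" / "does NOT match"; test the verdict text.
    if ! openssl x509 -in "$crt" -noout -checkhost "$domain" 2>/dev/null \
            | grep -q 'does match certificate'; then
        log "$crt is not valid for $domain"; return 1
    fi

    # 4. Reject anything expired or expiring within 30 days: with a monthly
    #    cron that would mean installing something already stale.
    if ! openssl x509 -in "$crt" -noout -checkend 2592000 >/dev/null 2>&1; then
        log "$crt is expired or expires within 30 days"; return 1
    fi

    # 5. It must chain to a trusted root. acme-tiny writes leaf+intermediate
    #    into one file, so pass it as -untrusted too. Pre-1.1 openssl verify
    #    exits 0 on failure, so again look at the printed result.
    if ! openssl verify -CAfile "$ca" -untrusted "$crt" "$crt" 2>/dev/null | grep -q ': OK$'; then
        log "$crt does not chain to a root in $ca"; return 1
    fi
    return 0
}

# install_cert KEY CRT DEST [RELOAD_CMD...]
# Writes KEY+CRT to DEST atomically with mode 0600, then runs RELOAD_CMD.
install_cert() {
    key=$1 crt=$2 dest=$3; shift 3
    tmp="$dest.tmp.$$"
    rm -f "$tmp"
    # umask in a subshell: the file holds the private key, so never 0644.
    if ! (umask 077; cat "$key" "$crt" > "$tmp"); then
        log "could not write $tmp"; rm -f "$tmp"; return 1
    fi
    # rename(2) is atomic: the server never opens a half-written server.pem.
    if ! mv -f "$tmp" "$dest"; then
        log "could not replace $dest"; rm -f "$tmp"; return 1
    fi
    if [ "$#" -gt 0 ]; then "$@"; fi
}

# main DOMAIN KEY CRT DEST [RELOAD_CMD...]
# Replaces the two root crontab lines: on any failed check server.pem is left
# untouched and the server keeps serving the previous, still valid, cert.
main() {
    domain=$1 key=$2 crt=$3 dest=$4; shift 4
    check_cert "$key" "$crt" "$domain" "${CA_BUNDLE:-/etc/ssl/certs/ca-certificates.crt}" || return 1
    install_cert "$key" "$crt" "$dest" "$@"
}

# Act only when run with arguments; sourcing the file just defines the functions.
if [ "$#" -ge 4 ]; then
    main "$@"
fi
```

With this in place the two root crontab lines collapse into one, e.g. `10 0 1 * * root /usr/local/sbin/acme_install.sh www.example.com /etc/acme-tiny/domain.key /var/acme-tiny/signed_chain.crt /etc/lighttpd/server.pem /etc/init.d/lighttpd restart` (hostname and paths assumed). The acme user should own only /var/acme-tiny and must not be able to write server.pem or the key, so the worst a compromised or failed fetch can do is leave a file that these checks reject.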