From: "J. Roeleveld"
To: gentoo-user@lists.gentoo.org
Subject: Re: Letsencrypt (was Re: [gentoo-user] app-misc/ca-certificates)
Date: Tue, 01 Jun 2021 13:17:12 +0200
Message-ID: <2212846.ElGaqSPkdT@iris>
In-Reply-To: <20210601104447.D7EA282B8F89@turkos.aspodata.se>
References: <20210529030839.123d8526@melika.host77.tld> <61db8745-dbb4-9c7e-80a9-6725905178c4@iinet.net.au> <20210601104447.D7EA282B8F89@turkos.aspodata.se>

On Tuesday, June 1, 2021 12:44:47 PM CEST karl@aspodata.se wrote:
> BillK:
> ...
> > And another "wondering" - all the warnings about trusting self signed
> > certs seem a bit self serving. Yes, they are trying to certify who you
> > are, but at the expense of probably allowing access to your
> > communications by "authorised parties" (such as commercial entities
> > purchasing access for MITM access - e.g. certain router/firewall
> > companies doing deep inspection of SSL via resigning or owning both end
> > points). If it's only your own communications and not with a third,
> > commercial party self signed seems a lot more secure.
> ...
>
> You can use https://letsencrypt.org/ instead of a self-signed cert:
>
> Let's Encrypt is a free, automated, and open certificate authority
> brought to you by the nonprofit Internet Security Research Group (ISRG).
>
> It was pretty simple to get it to work with
> https://github.com/diafygi/acme-tiny

It's not that easy to do it with internal-only systems as Let's Encrypt
requires the hostname to be known externally.

And there are plenty of devices you do not want the whole internet to
know about.

--
Joost