[exim] Re: TAKE NOTE 2: Future Let's Encrypt CA choice rando…

Author: Viktor Dukhovni via Exim-users
Date:  
To: exim-users
Subject: [exim] Re: TAKE NOTE 2: Future Let's Encrypt CA choice randomisation.
On Sun, Nov 19, 2023 at 09:33:37PM +0000, Slavko via Exim-users wrote:

> >  * Staging a future key, that the ACME client will conditionally
> >    switch to, once the TLSA record is live.
>
> Do you mean the opposite of the usual certbot logic: first generate the key, then
> set up TLSA for it, and after that request the certificate for/with that key?


Generate a staged key that sits there, unused, waiting for TLSA records
to appear, and once those have been in place long enough, obtain a cert
for the new key; otherwise, in the meantime, keep using the old key.

> >  * Avoiding reliance on "certbot" hooks, which (last I checked) don't
> >    guarantee "at least once" execution.
>
> Do you mean the ability to rerun the hook if it fails? Or do you mean that
> certbot can skip/fail to run the hook after renewal at all?


I mean "at least once" successful execution, so yes, rerun on failure,
or even if the hook never got to run at all because the system rebooted
before it got a chance to run, but the new cert was already obtained.

Of course with alerts any time the hook fails. When I looked, I found
no code in certbot that ensured at least once execution of hooks, so
(per Murphy's Law) they're unreliable, and a better approach is needed.

-- 
    Viktor.

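The two points above (a staged key that is only used once its TLSA record has been live long enough, and a deploy hook with "at least once" semantics) as an added example in Python. This is not Exim, certbot or Viktor's own code. It assumes DNS observations are handed in as a set of TLSA rdata strings (a real tool would query every authoritative server), the SPKI blobs and cert bytes are constructed stand-ins, and the wait is twice the TLSA TTL so cached copies of the old RRset expire everywhere first.

```python
"""Staged-key DANE rollover and an 'at least once' deploy step (added example)."""
import hashlib
import json
import os
import tempfile

# Constructed stand-ins for DER SubjectPublicKeyInfo blobs (assumption).
# Real values come from e.g. `openssl pkey -pubout -outform DER`.
OLD_SPKI = b"\x30\x59\x30\x13" + b"OLD-KEY-SPKI" * 5
NEW_SPKI = b"\x30\x59\x30\x13" + b"NEW-KEY-SPKI" * 5


def tlsa_311(spki_der: bytes) -> str:
    """DANE-EE(3) SPKI(1) SHA2-256(1) rdata for a public key."""
    return "3 1 1 " + hashlib.sha256(spki_der).hexdigest()


class StagedKeyRollover:
    """Decide whether it is safe to obtain a cert for the staged key.

    The staged key stays unused until its TLSA record has been visible,
    alongside the active key's record, for ttl * margin seconds.
    """

    def __init__(self, active_spki, staged_spki, ttl=3600, margin=2):
        self.active_rr = tlsa_311(active_spki)
        self.staged_rr = tlsa_311(staged_spki)
        self.min_age = ttl * margin
        self.first_seen = None  # when the staged record was first observed

    def decide(self, published, now):
        """published: set of TLSA rdata seen in DNS; now: epoch seconds."""
        if self.active_rr not in published:
            return "alert"  # live key no longer verifiable: never proceed
        if self.staged_rr not in published:
            self.first_seen = None  # any gap restarts the clock
            return "wait-publish"
        if self.first_seen is None:
            self.first_seen = now
        if now - self.first_seen < self.min_age:
            return "wait-ttl"
        return "issue"  # safe to request a cert for the staged key


class AtLeastOnceDeploy:
    """Run the post-issuance hook until it has succeeded for the cert on disk.

    The state file is written only after success, so a crash or reboot
    between issuance and deployment leaves the hook pending next run.
    """

    def __init__(self, state_path):
        self.state_path = state_path

    def _deployed(self):
        try:
            with open(self.state_path) as f:
                return json.load(f).get("deployed")
        except FileNotFoundError:
            return None

    def run(self, cert_der, hook):
        """Returns 'skip', 'done' or 'failed'; hook raises on failure."""
        fp = hashlib.sha256(cert_der).hexdigest()
        if self._deployed() == fp:
            return "skip"
        try:
            hook(cert_der)
        except Exception:
            return "failed"  # caller alerts; the next run retries
        tmp = self.state_path + ".tmp"
        with open(tmp, "w") as f:
            json.dump({"deployed": fp}, f)
        os.replace(tmp, self.state_path)  # atomic commit after success
        return "done"


def demo_at_least_once(failures=1):
    """Hook fails `failures` times then succeeds; returns the run outcomes."""
    attempts = []

    def flaky_hook(cert):
        attempts.append(cert)
        if len(attempts) <= failures:
            raise RuntimeError("simulated hook failure")

    cert = b"CONSTRUCTED-CERT-DER"  # constructed stand-in (assumption)
    with tempfile.TemporaryDirectory() as d:
        dep = AtLeastOnceDeploy(os.path.join(d, "deploy.json"))
        return [dep.run(cert, flaky_hook) for _ in range(failures + 2)]
```

Run the rollover check from cron with the current DNS answer; only an "issue" result triggers the ACME request for the staged key, and "alert" should page someone rather than be retried silently.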

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/