[Interest] SSL & Let's Encrypt certificate expiration

Thorsten Glaser t.glaser at tarent.de
Thu Oct 7 00:52:29 CEST 2021


On Wed, 6 Oct 2021, Thiago Macieira wrote:

> On Wednesday, 6 October 2021 09:55:21 PDT Thorsten Glaser wrote:
> > On my own servers I’ve adapted my dehydrated hook to remove the
> > faulty intermediate, but of course this depends on server admins
> > to DTRT, plus it’ll apparently cause more trouble for Android…
> 
> Can you share the change? I also use dehydrated.

Sure: https://github.com/MirBSD/dehydrated/tree/stable/docs/examples

I use a setup in which I run dehydrated as unprivileged user _acme and
use one of the hookscripts (debian-hook*.sh will probably be closest to
what you want) which is then allowed to do passwordless sudo to the
corresponding cert script (debian-cert.sh) which first checks the cert
and chain received from LE (as user nobody) to avoid installing 0-byte
certificate files (which others, who symlink from /var/lib/dehydrated/,
have reported) and only then installs them to standard locations.

The last commit there just lets it skip that particular entry of the
chain.

If you have any questions, feel free to respond to me also privately.

bye,
//mirabilos
-- 
Infrastructure expert • tarent solutions GmbH
Am Dickobskreuz 10, D-53121 Bonn • http://www.tarent.de/
Telephone +49 228 54881-393 • Fax: +49 228 54881-235
HRB AG Bonn 5168 • USt-ID (VAT): DE122264941
Managing directors: Dr. Stefan Barth, Kai Ebenrett, Boris Esser, Alexander Steeg

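The pre-install check described in the message above (refuse empty or unparsable files, drop one chain entry, only then hand the result on for installation), as an added example. It is not the debian-cert.sh script from the linked repository; the function name `check_and_filter_chain` and its issuer-pattern argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from the MirBSD/dehydrated repository.
# check_and_filter_chain SRC DST [SKIP_ISSUER_REGEX]  (hypothetical helper)
# Parses every PEM block in SRC with openssl and writes the surviving
# blocks to DST. Fails, leaving DST untouched, if SRC is missing or
# 0 bytes, holds no certificate, or holds a block that is not X.509.
check_and_filter_chain() {
	src=$1 dst=$2 skip=${3:-}
	[ -s "$src" ] || { echo "E: $src is missing or 0 bytes" >&2; return 1; }
	tmp=$(mktemp -d) || return 1
	# Split the file into one numbered file per certificate block.
	awk -v d="$tmp" '
		/-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/c%03d.pem", d, n) }
		f != "" { print > f }
		/-----END CERTIFICATE-----/ { close(f); f = "" }
	' "$src"
	rc=0 kept=0
	: >"$tmp/out.pem"
	for f in "$tmp"/c*.pem; do
		[ -e "$f" ] || { echo "E: no certificate in $src" >&2; rc=1; break; }
		issuer=$(openssl x509 -in "$f" -noout -issuer 2>/dev/null) || {
			echo "E: unparsable certificate block in $src" >&2; rc=1; break; }
		# The first block is the leaf and is never skipped; later chain
		# entries are dropped when their issuer matches the pattern.
		if [ -n "$skip" ] && [ "$kept" -gt 0 ] &&
		    printf '%s\n' "$issuer" | grep -Eq "$skip"; then
			echo "I: skipping chain entry, $issuer" >&2
			continue
		fi
		cat "$f" >>"$tmp/out.pem"
		kept=$((kept + 1))
	done
	# Write DST only after every block has been checked.
	[ "$rc" -eq 0 ] && [ "$kept" -gt 0 ] && cat "$tmp/out.pem" >"$dst" || rc=1
	rm -rf "$tmp"
	return "$rc"
}
```

In a setup like the one described, the caller would run this on the files received from the CA and copy DST to its final location only when the function returns 0.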