[prev in list] [next in list] [prev in thread] [next in thread] 

List:       fedora-list
Subject:    Re: Certbot error
From:       Jeffrey Walton <noloader () gmail ! com>
Date:       2023-04-22 22:17:55
Message-ID: CAH8yC8=6xVP=w9xx8uLQCwNYAmyZu+kChz8F2D=NyBP1BfHgrQ () mail ! gmail ! com
[Download RAW message or body]

On Sat, Apr 22, 2023 at 6:12 PM Tim via users
<users@lists.fedoraproject.org> wrote:
>
> On Sat, 2023-04-22 at 14:32 -0700, Samuel Sieb wrote:
> > As Patrick said, using port 443 would be a circular dependency.  There
> > is no "testing" of the cert, this is for providing the cert.
>
> Ah...  I thought it was for checking and auto-renewing certificates
> before expiry (like certwatch).
>
> > At this point, you don't have an SSL certificate, so it wouldn't work.  The
> > requester puts a token in the web server directory and then tells the
> > certificate generating side to verify the token.
>
> Hmm, sounds like a security problem to get data via insecure means, in
> the first place.  It escapes me why you'd want to work that way if you
> were running it on the same machine as the server.

The LE client downloads a X.509 certificate based on a CSR (after
passing the challenges). It's the same certificate the server supplies
to user agents and clients. There's no loss of confidentiality.

About the only thing an adversary can do is a DoS.

Jeff
_______________________________________________
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue

[prev in list] [next in list] [prev in thread] [next in thread]