On Sat, Feb 11, 2017 at 09:50:13AM +0100, Klaus Ethgen wrote:
> On Tue, 31 Jan 2017 at 19:35, Klaus Ethgen wrote:
> > the SSL certificate for website devuan.org is invalid again and does not
> > match the one in the TLSA record.
>
> That problem gets serious now. I cannot even access www.devuan.org
> anymore.
>
> On all pages I get a certificate mismatch. There seems to be someone
> impersonating devuan.org with a faked Let's Encrypt certificate.
>
> The fingerprint I currently get from the website is:
> CF:C6:BE:F8:22:E5:30:16:3A:50:3B:1A:B8:99:FC:9D:83:B3:E5:38
>
> And tlsa verification gives:
> ~> tlsa --verify www.devuan.org
> FAIL (Usage 3 [DANE-EE]): Certificate offered by the server does not match
> the TLSA record (46.105.191.76)
> FAIL (Usage 3 [DANE-EE]): Certificate offered by the server does not match
> the TLSA record (2001:41d0:8:2c55::a1)
For now you can abuse a different failure: "devuan.org" (aka the nice no-www compliant name) is missing the TLSA record.

As for the one on www.devuan.org:

_443._tcp.www.devuan.org. 3600 IN TLSA 3 0 1 B91B36D5929A8617EE57781C35620B1FED8BDC653F9A29EA7317736530A15EBF

Sorry, but a Selector:0 (full cert) record is not going to work with Let's Encrypt unless you do a complex dance: renew the cert but not install it, calculate and publish both old and new TLSA records, wait two TTLs, install the new cert, drop the old record.

Using Selector:1 (SubjectPublicKeyInfo) on the other hand works nicely as long as you don't regenerate the private key on renewal -- dehydrated does this if you set PRIVATE_KEY_RENEW=yes; there's AFAIK no way to do so with certbot.

Meow!
-- 
Autotools hint: to do a zx-spectrum build on a pdp11 host, type:
  ./configure --host=zx-spectrum --build=pdp11

_______________________________________________
Dng mailing list
[email protected]
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
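An added illustration of the Selector 0 versus Selector 1 point in the reply above (this is not code from the thread or from the tlsa tool; it assumes the openssl command-line tool is installed, and it uses constructed self-signed certificates for the made-up name www.example.test in place of Let's Encrypt-issued ones). It issues two certificates for the same private key, the way a renewal that keeps the key does, and prints the TLSA 3 0 1 and 3 1 1 records for each: the SPKI-based record is identical across both certificates, the full-certificate record is not.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): compare DANE-EE TLSA
# records with Selector 0 (full certificate) and Selector 1
# (SubjectPublicKeyInfo) across a certificate renewal that reuses the key.
# Assumes the openssl CLI; the certificates are constructed self-signed
# ones for a made-up hostname.
set -eu

HOST=www.example.test
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# One private key, kept across renewals (what dehydrated does unless
# PRIVATE_KEY_RENEW=yes tells it to generate a fresh one).
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
    -out "$WORK/key.pem" 2>/dev/null

# issue_cert NAME: a fresh self-signed certificate for the same key.
# A real renewal likewise yields a new serial, validity and signature,
# so the DER-encoded certificate changes even though the key does not.
issue_cert() {
    openssl req -new -x509 -key "$WORK/key.pem" -days 90 \
        -subj "/CN=$HOST" -out "$WORK/$1.pem" 2>/dev/null
}

# tlsa_hash SELECTOR CERTFILE: Certificate Association Data for matching
# type 1 (SHA-256). Selector 0 hashes the whole DER certificate,
# selector 1 hashes only the DER SubjectPublicKeyInfo.
tlsa_hash() {
    case "$1" in
        0) openssl x509 -in "$2" -outform DER ;;
        1) openssl x509 -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER ;;
        *) echo "bad selector $1" >&2; return 1 ;;
    esac | openssl dgst -sha256 | sed 's/^.*= //' | tr 'a-f' 'A-F'
}

# tlsa_record PORT USAGE SELECTOR CERTFILE: one zone-file line, in the
# same layout as the www.devuan.org record quoted in the thread.
tlsa_record() {
    printf '_%s._tcp.%s. 3600 IN TLSA %s %s 1 %s\n' \
        "$1" "$HOST" "$2" "$3" "$(tlsa_hash "$3" "$4")"
}

# dane_matches RECORD_HASH SELECTOR CERTFILE: the check a DANE-aware client
# performs, i.e. does the certificate the server presents hash to what the
# published record says. Returns 0 on match, 1 on mismatch.
dane_matches() {
    if [ "$(tlsa_hash "$2" "$3")" = "$1" ]; then return 0; else return 1; fi
}

# renewal_check: issue an "old" and a "renewed" certificate and report
# whether the selector 1 record survives while the selector 0 one breaks.
renewal_check() {
    issue_cert old
    issue_cert renewed
    old0=$(tlsa_hash 0 "$WORK/old.pem")
    old1=$(tlsa_hash 1 "$WORK/old.pem")
    if dane_matches "$old1" 1 "$WORK/renewed.pem" \
       && ! dane_matches "$old0" 0 "$WORK/renewed.pem"; then
        return 0
    fi
    return 1
}

if renewal_check; then
    echo "Records published for the old certificate:"
    tlsa_record 443 3 0 "$WORK/old.pem"
    tlsa_record 443 3 1 "$WORK/old.pem"
    echo "Records the renewed certificate would need:"
    tlsa_record 443 3 0 "$WORK/renewed.pem"
    tlsa_record 443 3 1 "$WORK/renewed.pem"
    echo "Selector 1 record still matches after renewal; selector 0 does not."
fi
```

For a live host the same `tlsa_hash` pipeline can be fed the certificate the server actually presents (`openssl s_client -connect host:443 -servername host </dev/null | openssl x509`) and compared with the published record, which is the check the tlsa tool reported as failing in the quoted message; a mismatch after a renewal with a regenerated key looks exactly like the one described above.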
