Re: acme-client(1) and http_proxy

2017-04-27 Thread Stuart Henderson
On 2017-04-26, Predrag Punosevac wrote: > Adam Thompson wrote: > >> I stand by my statement that just buying a cheap SSL cert will, for >> anything other than the simple case of an online, directly-connected, >> webserver, be cheaper than the labour required to obtain a

Re: acme-client(1) and http_proxy

2017-04-26 Thread Theo de Raadt
> acme.sh does not require root/sudoer access. For sure I run it as an > unprivileged user and hope you do as well! The concept of privsep isn't about running as an unprivileged user. It is so much more. The problem is that unprivileged users still have the full system call interface

Re: acme-client(1) and http_proxy

2017-04-26 Thread Jeff Ross
On 4/26/17 12:41 PM, Theo de Raadt wrote: I haven't seen anyone mention acme.sh yet--a shell script for letsencrypt with no external dependencies. https://github.com/Neilpang/acme.sh No external dependencies, and no security foundations. No privsep, no clear separation. Using pretty much

Re: acme-client(1) and http_proxy

2017-04-26 Thread Theo de Raadt
> I haven't seen anyone mention acme.sh yet--a shell script for > letsencrypt with no external dependencies. > > https://github.com/Neilpang/acme.sh No external dependencies, and no security foundations. No privsep, no clear separation. Using pretty much every unsafe pattern tied to security

Re: acme-client(1) and http_proxy

2017-04-26 Thread Jeff Ross
On 4/26/17 11:02 AM, Stuart Henderson wrote: On 2017-04-25, Adam Thompson wrote: On 2017-04-25 05:27, Stuart Henderson wrote: * If you want to do dns-01 challenge with acme-client, you'll need to use Kristaps' version for now, base acme-client only supports the

Re: thank you sthen@ [Was: Re: acme-client(1) and http_proxy]

2017-04-26 Thread Stuart Henderson
On 2017-04-26, Marcus MERIGHI wrote: > To keep him going I suggest: > > http://spacehopper.org/wishlist > > "Exploding the phone" is taken. > ("Estimated delivery: 23 May 2017 - 16 Jun. 2017") > > We all benefit :-) Thanks! I haven't updated that list recently so it's a

Re: acme-client(1) and http_proxy

2017-04-26 Thread Stuart Henderson
On 2017-04-25, Adam Thompson wrote: > On 2017-04-25 05:27, Stuart Henderson wrote: > >> Firstly, with dns-01 challenge you can get a certificate for a server >> which doesn't allow external access at all (the request and challenge >> can be done with completely separate

thank you sthen@ [Was: Re: acme-client(1) and http_proxy]

2017-04-26 Thread Marcus MERIGHI
April 2017 at 06:16 > From: "Predrag Punosevac" <punoseva...@gmail.com> > To: misc@openbsd.org > Subject: Re: acme-client(1) and http_proxy > [ ... ] > > Best, > > Predrag > > > > P.S. In all my years on this mailing list I have seen not

Re: acme-client(1) and http_proxy

2017-04-26 Thread Stefan Wollny
Sent: Wednesday, 26 April 2017 at 06:16 From: "Predrag Punosevac" <punoseva...@gmail.com> To: misc@openbsd.org Subject: Re: acme-client(1) and http_proxy [ ... ] > Best, > Predrag > > P.S. In all my years on this mailing list I have seen nothing but th

Re: acme-client(1) and http_proxy

2017-04-25 Thread Predrag Punosevac
Adam Thompson wrote: > I stand by my statement that just buying a cheap SSL cert will, for > anything other than the simple case of an online, directly-connected, > webserver, be cheaper than the labour required to obtain a LetsEncrypt > certificate. A cheap certificate like the one you can

Re: acme-client(1) and http_proxy

2017-04-25 Thread Adam Thompson
On 2017-04-25 05:27, Stuart Henderson wrote: On 2017-04-25, Adam Thompson wrote: By definition, you will (probably) not be able to use the ACME protocol - it only works (normally) when your system is connected directly to the public internet with a static IP address.

Re: acme-client(1) and http_proxy

2017-04-25 Thread Stuart Henderson
On 2017-04-25, Adam Thompson wrote: > By definition, you will (probably) not be able to use the ACME > protocol - it only works (normally) when your system is connected > directly to the public internet with a static IP address. > > Simply because you say "behind a

Re: acme-client(1) and http_proxy

2017-04-25 Thread Stuart Henderson
On 2017-04-21, Manuel Giraud wrote: > Hi, > > I'm trying to use the new acme-client on a server behind a corporate > proxy (i.e. I have to set a http_proxy to get out). It seems (from > reading the code) that acme-client(1) does not honor http_proxy. > > Is this on purpose?

Re: acme-client(1) and http_proxy

2017-04-24 Thread Adam Thompson
By definition, you will (probably) not be able to use the ACME protocol - it only works (normally) when your system is connected directly to the public internet with a static IP address. Simply because you say "behind a corporate firewall", I already know (or at least assume) that ACME will