On Sat, Jan 02, 2021 at 05:23:11PM +0100, Florian Obser wrote:
> 
> Create .1 backup files when acme-client is going to overwrite a
> certificate file.
> 
> These files are not terribly big and it's convenient to keep one
> previous file around, for example if one adds or removes domains to the
> certificate and then wants to revoke the previous one.
> 
> (Note that it's kinda difficult to revoke the old certificate with
> acme-client currently. The whole revoke machinery needs to be
> overhauled. I have ideas...)
> 
> Comments, OKs?
> 

Wait, I can have multiple active certificates? Ones that are in fact
different, such as domain.xxx, and then add www.domain.xxx in another
certificate?

If that's the case, then couldn't someone steal the old or new one and
use that to cause problems?
Especially since DNS servers can take up to 48 hours to propagate changes,
so getting rid of www.domain.xxx might not show up quickly enough.
And if I change IP addresses and they don't get propagated soon enough,
wouldn't someone be able to briefly spoof my site?
DNS servers in some places I have been to do in fact have failures.

If I understand this correctly (perhaps not), this seems like a major
security problem with DNS. Especially if my spoofed site sends people to
another site that they then bookmark.

Chris Bennett
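An added example (not acme-client code, and not something either poster wrote) showing what the .1 backup Florian describes buys an operator: given the current certificate and the superseded one, list which names the old certificate still covers, which names were dropped, and whether the old certificate is still within its validity period. An unexpired certificate whose key has leaked stays usable until it expires or is revoked, which is exactly the case where having the old file around to revoke it helps. The two certificates are constructed self-signed stand-ins generated inside the script; the file names, the `domain.xxx` names and the helper names are illustrative. It assumes openssl(1) on PATH (OpenSSL or LibreSSL).

```shell
#!/bin/sh
# Added example, not acme-client code: compare the current certificate with
# the .1 backup acme-client would leave behind. Assumes openssl(1) on PATH;
# the certificates below are constructed self-signed stand-ins.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# mkcert OUT SANLIST: write a constructed self-signed cert with the given SANs.
# A config file is used instead of `req -addext` so it also works on LibreSSL.
mkcert() {
    cat > "$WORK/req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3
[dn]
CN = domain.xxx
[v3]
subjectAltName = $2
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -config "$WORK/req.cnf" -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

# Old cert (what cert.pem.1 would hold) and the new one with www added.
mkcert "$WORK/cert.pem.1" "DNS:domain.xxx"
mkcert "$WORK/cert.pem"   "DNS:domain.xxx,DNS:www.domain.xxx"

# cert_sans FILE: print the DNS names in the SAN extension, one per line,
# sorted. Parsed from -text output, which OpenSSL and LibreSSL both print
# as "X509v3 Subject Alternative Name:" followed by a line of DNS: entries.
cert_sans() {
    openssl x509 -in "$1" -noout -text |
        sed -n '/Subject Alternative Name/{n;p;}' |
        tr ',' '\n' |
        sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*$/\1/p' |
        sort
}

# names_only_in A B: names certificate A covers that certificate B does not.
names_only_in() {
    cert_sans "$1" > "$WORK/left"
    cert_sans "$2" > "$WORK/right"
    comm -23 "$WORK/left" "$WORK/right"
}

# cert_unexpired FILE: succeeds if notAfter is still in the future. This says
# nothing about revocation; that has to be checked against the CA's OCSP/CRL.
cert_unexpired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# report OLD NEW: human-readable summary for the operator.
report() {
    printf 'superseded %s covers: %s\n' "$1" "$(cert_sans "$1" | xargs)"
    printf 'current    %s covers: %s\n' "$2" "$(cert_sans "$2" | xargs)"
    for n in $(names_only_in "$1" "$2"); do
        printf 'name dropped from the new cert but still in the old one: %s\n' "$n"
    done
    if cert_unexpired "$1"; then
        printf '%s has not expired: revoke it if its key may have leaked\n' "$1"
    else
        printf '%s has already expired\n' "$1"
    fi
}

report "$WORK/cert.pem.1" "$WORK/cert.pem"
```

On a real system the two arguments to `report` would be the live certificate and its `.1` backup. Note that expiry is the only thing `-checkend` tests; whether the old certificate has actually been revoked is a separate question answered by the CA, not by the file on disk.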

