On Sat, Jan 02, 2021 at 05:10:01PM -0600, Chris Bennett wrote:
> On Sat, Jan 02, 2021 at 05:23:11PM +0100, Florian Obser wrote:
> > 
> > Create .1 backup files when acme-client is going to overwrite a
> > certificate file.
> > 
> > These files are not terribly big and it's convenient to keep one
> > previous file around, for example if one adds or removes domains to the
> > certificate and then wants to revoke the previous one.
> > 
> > (Note that it's kinda difficult to revoke the old certificate with
> > acme-client currently. The whole revoke machinery needs to be
> > overhauled. I have ideas...)
> > 
> > Comments, OKs?
> > 
> 
> Wait, I can have multiple, active certificates? Ones that are in fact
> different, such as domain.xxx and then add www.domain.xxx in another
> certificate?
> 
> If that's the case, then couldn't someone steal the old or new one and
> use that to cause problems?
> Especially since DNS servers can take up to 48 hours to propagate changes,
> so getting rid of www.domain.xxx might not show up quickly enough.
> And if I change IP addresses and they don't get propagated soon enough,
> wouldn't someone be able to briefly spoof my site?
> DNS servers in some places I have been to, do in fact have failures.
> 
> If I understand this correctly (perhaps not), this seems like a major
> security problem with DNS. Especially if my spoofed site sends people to
> another site that they then bookmark.

Hi,

Yes you can have multiple certs, I have a few.

The spoofing couldn't happen if you used DNSSEC.  However, if you use DNSSEC,
that means you have to keep your keys on the DNS server in order to sign the
domain with the acme-client info, which you have to be comfortable with.  If they
get stolen, then you have to change the keys and your domains will be
temporarily insecure and subject to spoofing again.

Regarding the "propagation time", you should keep your TTLs low in that case,
I think.  That is not always wanted.  Luckily you have the choice to use the
DNS vs. the HTTP method.  I think it's good you went into deep thought about
this, as it makes everyone think about how to refine the process of getting
Let's Encrypt certs.

> Chris Bennett

Best Regards,
-peter
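One practical use of the .1 backup Florian's diff keeps, and of Chris's point that an old certificate stays valid after a new one is issued: compare the SANs of the backup with the SANs of the certificate acme-client just wrote, and list the names the old certificate still covers but the new one no longer does. The script below is an added example, not part of this thread or of acme-client; it assumes an OpenSSL 1.1.1+ `openssl` binary (for `-addext` and `-ext subjectAltName`), and the two certificates it compares are constructed self-signed demo files standing in for /etc/ssl/... and its .1 backup.

```shell
#!/bin/sh
# Added example (not acme-client code): diff the DNS SANs of the .1 backup
# certificate against the freshly written certificate.
set -eu

# Print the DNS SANs of a PEM certificate, one per line, sorted and unique.
cert_sans() {
    openssl x509 -in "$1" -noout -ext subjectAltName \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS://p' \
        | sort -u
}

# Names present in the old certificate ($1) but absent from the new one ($2).
# The old certificate remains valid for these until it expires or is revoked.
removed_sans() {
    old_list=$(mktemp)
    new_list=$(mktemp)
    cert_sans "$1" > "$old_list"
    cert_sans "$2" > "$new_list"
    comm -23 "$old_list" "$new_list"
    rm -f "$old_list" "$new_list"
}

# Constructed demo input: two self-signed certificates with different SAN
# sets. In real use $1/$2 would be the .1 backup and the current cert file.
make_demo_cert() {  # $1 = output PEM path, $2 = subjectAltName value
    key=$(mktemp)
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -nodes -keyout "$key" -out "$1" -days 1 -subj /CN=example.org \
        -addext "subjectAltName=$2" 2>/dev/null
    rm -f "$key"
}

demo_dir=$(mktemp -d)
make_demo_cert "$demo_dir/cert.pem.1" \
    "DNS:example.org,DNS:www.example.org,DNS:mail.example.org"
make_demo_cert "$demo_dir/cert.pem" \
    "DNS:example.org,DNS:www.example.org"

# Names only the backup certificate still covers (mail.example.org here).
removed_sans "$demo_dir/cert.pem.1" "$demo_dir/cert.pem"
```

If the output is non-empty, the previous certificate is still a valid credential for those names until it expires, which is exactly the case where keeping the .1 file around for a later revocation is useful.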
