On 2021/01/02 17:10, Chris Bennett wrote:
> On Sat, Jan 02, 2021 at 05:23:11PM +0100, Florian Obser wrote:
> > 
> > Create .1 backup files when acme-client is going to overwrite a
> > certificate file.
> > 
> > These files are not terribly big and it's convenient to keep one
> > previous file around, for example if one adds or removes domains to the
> > certificate and then wants to revoke the previous one.
> > 
> > (Note that it's kinda difficult to revoke the old certificate with
> > acme-client currently. The whole revoke machinery needs to be
> > overhauled. I have ideas...)
> > 
> > Comments, OKs?
> > 
> 
> Wait, I can have multiple, active certificates? Ones that are in fact
> different, such as domain.xxx and then add www.domain.xxx in another
> certificate?
> 
> If that's the case, then couldn't someone steal the old or new one and
> use that to cause problems?

What are you thinking would be stolen? The certificates themselves
are public knowledge anyway - they are sent in full whenever someone
connects to your TLS-based service and are available from Certificate
Transparency log servers (https://crt.sh etc) - but they are useless
without the private key.

> Especially since DNS servers can take up to 48 hours to propagate changes
> So getting rid of www.domain.xxx might not show up quickly enough.
> And if I change IP addresses and they don't get propagated soon enough,
> wouldn't someone be able to briefly spoof my site?

letsencrypt (and I think probably all CAs) do uncached lookups from the
authoritative servers for the domain, following the chain from the root
servers. The usual problem with DNS servers returning outdated records
is with bad recursive servers.

If you have problems getting the authoritative servers to give out current
information then that needs fixing, and isn't really a problem specific
to CA validation.
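The check a practitioner wants after reading the reply above is whether every authoritative server for the zone is actually handing out the same, current answer, since that is what a CA's validator sees rather than whatever a recursive cache still holds. The script below is an added example written for this thread; it is not code from the thread, from acme-client or from any CA. It shells out to BIND's `dig` for live queries, and the zone, server names and record values in the test data are constructed for illustration.

```python
"""Audit a zone's authoritative nameservers for disagreement.

A CA validator asks the zone's authoritative servers directly, so the
question before a renewal (or after removing a name like www.domain.xxx)
is: do all of my authoritative servers return the same, current answer?

Added example, not part of the original thread; server names, zone and
record values used in the demo are constructed.
"""
from collections import Counter
import subprocess
from typing import Dict, FrozenSet, Optional, Set


def dig_short(name: str, rtype: str, server: Optional[str] = None) -> Set[str]:
    """Return the RDATA set dig prints for name/rtype.

    With a server given, the query goes straight to that server with
    recursion disabled, so a server that does not really hold the zone
    cannot paper over it by recursing on our behalf.
    """
    cmd = ["dig", "+short", "+time=3", "+tries=1"]
    if server:
        cmd += ["+norecurse", f"@{server}"]
    cmd += [name, rtype]
    proc = subprocess.run(cmd, capture_output=True, text=True, check=False)
    return {ln.strip().rstrip(".") for ln in proc.stdout.splitlines() if ln.strip()}


def reference_answer(answers: Dict[str, Set[str]]) -> FrozenSet[str]:
    """The answer the largest number of servers agree on.

    Ties are broken deterministically by the sorted record content so
    the result does not depend on dict ordering.
    """
    if not answers:
        return frozenset()
    counts = Counter(frozenset(a) for a in answers.values())
    best = max(counts.items(), key=lambda kv: (kv[1], tuple(sorted(kv[0]))))
    return best[0]


def find_disagreements(answers: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Map each server whose answer differs from the reference to its answer.

    An empty dict means every server agrees. A server mapped to an empty
    set has already dropped a name the others still serve; a server mapped
    to a non-empty set while the reference is empty is still serving a
    record that was removed everywhere else (the stale-www case).
    """
    ref = reference_answer(answers)
    return {srv: set(ans) for srv, ans in answers.items() if frozenset(ans) != ref}


def audit(zone: str, name: str, rtype: str = "A") -> Dict[str, Set[str]]:
    """Live check: discover the NS set, then ask each server directly.

    The NS discovery itself goes through the local resolver, so a stale
    delegation at the parent is the one thing this cannot see; compare the
    NS set against the registrar / parent zone if the result looks wrong.
    """
    servers = sorted(dig_short(zone, "NS"))
    answers = {srv: dig_short(name, rtype, server=srv) for srv in servers}
    return find_disagreements(answers)


if __name__ == "__main__":
    import sys

    if len(sys.argv) < 3:
        sys.exit(f"usage: {sys.argv[0]} ZONE NAME [RTYPE]")
    bad = audit(sys.argv[1], sys.argv[2], sys.argv[3] if len(sys.argv) > 3 else "A")
    if not bad:
        print("all authoritative servers agree")
    for srv, ans in bad.items():
        print(f"{srv}: {sorted(ans) or '(no records)'}  <- differs from the others")
    sys.exit(1 if bad else 0)
```

Run it as `python3 nsaudit.py example.com www.example.com` before asking the CA for a certificate that adds or drops a name; a non-zero exit with a server listed means one authoritative server has not picked up the change yet, which is a zone-transfer or deployment problem on your side rather than anything the CA's resolver will wait for.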
