Our system uses anycast for DNS (DOH and DOT) services. We'd like to use IP authentication, since our IP addresses are used by clients to bootstrap or directly communicate with our systems. I see a few problems with the current model that has been documented for IP address certificates, and I'm wondering if there can be a discussion on the topic. Cert time is too short. We own our own /24's and /48's for use, and we are listed as the "owners" of the address space in the RIR. It seems tha...| Let's Encrypt Community Support
In my situation, the problem isn't Manual DNS domain validation in terms of getting the acme challenge token into the zone files. Automation is not an option in my situation.| Let's Encrypt Community Support
After learning about and remediating a bug in our CAA checking code [1] on 2020-02-29 UTC (the evening of Friday February 28, U.S. Eastern time), we announced that we would be revoking approximately 2.6% of our active certificates that were potentially affected by the bug, totalling approximately 3 million certificates [2]. We announced the plan to revoke because even though the vast majority of the certificates in question do not pose a security risk, industry rules require that we revoke ce...| Let's Encrypt Community Support
On 2020-02-29 UTC, Let’s Encrypt found a bug in our CAA code. Our CA software, Boulder, checks for CAA records at the same time it validates a subscriber’s control of a domain name. Most subscribers issue a certificate immediately after domain control validation, but we consider a validation good for 30 days. That means in some cases we need to check CAA records a second time, just before issuance. Specifically, we have to check CAA within 8 hours prior to issuance (per BRs §3.2.2.8), so...| Let's Encrypt Community Support
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help. My domain is: youthministry.rccghopmn.org I ran this command: sudo certbot --nginx It produced this output: ubuntu@ip-172-31-85-195:~$ sudo certbot --n...| Let's Encrypt Community Support
My domain is: bitcastle.lol I ran these commands: sudo certbot renew --nginx --cert-name bitcastle.lol --dry-run sudo certbot certonly --nginx --cert-name bitcastle.lol --dry-run They all failed with the same result: authenticator: nginx, Type: unauthorized, Detail: ... Invalid response from https://bitcastle.lol/.well-known ... 404 And I see 404 status codes in nginx access.logs and perhaps more notably I see in the error.logs No such file or directory looking for the acme-challenge/| Let's Encrypt Community Support
The word "only" is doing a lot of heavy lifting in your sentence, but yes I think that's what this thread is requesting. Maybe subsumed in your "extend ACME and CA/B" is that it'd take a lot of effort to get CAs on board. And I don't see commercial CAs getting excited about something unless they could charge a lot for it. And non-profit CAs like Let's Encrypt have enough on their plates just trying to keep HTTPS going. All of which is why I was suggesting someone would need to put together so...| Let's Encrypt Community Support
It would be useful to include instructions on upgrading CertSage.php as new versions are released. Maybe upgrading isn't necessary since it seems most improvements are to make it easier for getting the first certificate and not renewals? But, since I don't know, I have upgraded. Just finally figured out how to do that with less work than starting from scratch. With my multiple subdomains and renamed main directory, it just means editing the certsage.php directory line again within the new cop...| Let's Encrypt Community Support
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help. My domain is: wgvc.com I ran this command: sudo certbot certonly --apache It produced this output: Saving debug log to /var/log/letsencrypt/letsencryp...| Let's Encrypt Community Support
So I went to the router, to the WAN section, then went to the "Virtual Server/Port Forwarding" section, and then in the "Port Forwarding List" section, I made the settings that I showed in the screenshot.| Let's Encrypt Community Support
We're almost ready to issue certificates for IP address SANs from Let's Encrypt's production environment. They'll only be available under the shortlived profile (which has a 6-day validity period), and that profile will remain allowlist-only for a while. Please note: We have more work to do before we're ready to launch this feature for the public. We don't yet have a timeline, and aren't ready to accept allowlist requests. Here's a sample staging certificate, and a site using it: abadcafe.tx...| Let's Encrypt Community Support
[Update 2020-03-05: The most up-to-date summary is at 2020.02.29 CAA Rechecking Bug] Due to the 2020.02.29 CAA Rechecking Bug, we unfortunately need to revoke many Let’s Encrypt TLS/SSL certificates. We’re e-mailing affected subscribers for whom we have contact information. This post and thread will collect answers to frequently asked questions about this revocation, and how to avoid problems by renewing affected certificates early. If you’re affected, please: thoroughly read this threa...| Let's Encrypt Community Support
Developer of https://certifytheweb.com, a popular Let's Encrypt/ACME UI for Windows.| Let's Encrypt Community Support
Retired. 🙂 https://en.wikipedia.org/wiki/Tardigrade https://wildkratts.fandom.com/wiki/Tardigrade_Xtreme "Stand-up philosopher. I coalesce the vapors of human experience into a viable and logical comprehension."| Let's Encrypt Community Support