512 points by gslin | 2 comments
pests No.42191619
It feels like just yesterday I was paying for certs, or worse, just running without.

Can't believe it's been ten years.

replies(1): >>42191666 #
ozim No.42191666
Can’t believe there are still anti TLS weirdos.
replies(7): >>42191688 #>>42191718 #>>42191893 #>>42192714 #>>42192733 #>>42193057 #>>42193614 #
guappa No.42193614
My letsencrypt cert, despite all my attempts, works fine with browsers but WILL NOT work with wget/curl/python/whatever.

Plus setting up letsencrypt isn't really really easy. Last time it was failing because I had disabled HTTP on port 80 entirely on my server… but letsencrypt uses that to verify that my website has the magic file. So I had to make a script to turn it on for 5 minutes around the time when the certificate gets renewed. -_-'

None of this is easy or quick, and people have other stuff to do than to worry about completely hypothetical attacks on their blog.

replies(2): >>42193779 #>>42203961 #
mmsc No.42193779
>letsencrypt uses that to verify that my website has the magic file.

So, instead, use the other authentication methods. For example, DNS.

replies(1): >>42194090 #
guappa No.42194090
Is that easier to configure? (no it isn't)
replies(1): >>42195180 #
mmsc No.42195180
Setting a single DNS record which doesn't need to be changed is more difficult than setting a crontab to open port 80 "around the time you expect the ACME challenge"?

How's that?
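Both challenge types discussed in this thread (the "magic file" on port 80, i.e. HTTP-01, and the DNS alternative mmsc suggests, DNS-01) are built from the same value, the ACME key authorization from RFC 8555. The following is an added illustration, not code from the thread or from Let's Encrypt: it derives what each challenge expects the domain owner to publish, using only the Python standard library. The RSA JWK and the token are constructed sample values (the `n` member is not a real modulus), and the function names are this example's own. One practical consequence worth seeing in the code: the TXT value is a hash over a per-order token, so it is different at every renewal; what stays fixed is the `_acme-challenge.<domain>` name, which is why unattended DNS-01 is usually done either with API access to the zone or by CNAME-delegating that name to a zone the ACME client can write.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding RFC 8555 uses throughout ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_sha256(data: bytes) -> str:
    """base64url(SHA-256(data)); used for the JWK thumbprint and the DNS-01 value."""
    return b64url(hashlib.sha256(data).digest())


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of the ACME account key.

    Only the required public members are included, keys are sorted
    lexicographically and the JSON is serialised without whitespace
    before hashing; extra members such as 'kid' or 'alg' are ignored.
    """
    required_members = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = required_members[jwk["kty"]]
    canonical = json.dumps(
        {k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":")
    )
    return b64url_sha256(canonical.encode("utf-8"))


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' thumbprint(account key)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_response(token: str, jwk: dict) -> tuple[str, str]:
    """HTTP-01: path under /.well-known/acme-challenge/ and the exact body to serve.

    The CA fetches this over plain HTTP on port 80, which is the step that
    fails when port 80 is closed.
    """
    return f"/.well-known/acme-challenge/{token}", key_authorization(token, jwk)


def dns01_record(domain: str, token: str, jwk: dict) -> tuple[str, str]:
    """DNS-01: TXT record name and value.

    The value is base64url(SHA-256(key authorization)), so the name is stable
    across renewals but the value changes with every new token.
    """
    txt_value = b64url_sha256(key_authorization(token, jwk).encode("ascii"))
    return f"_acme-challenge.{domain}", txt_value


# Constructed sample values (hypothetical; not a real account key or CA token).
SAMPLE_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": b64url(b"not-a-real-modulus-just-sample-bytes-for-the-example"),
    "kid": "https://ca.example/acme/acct/123",  # ignored by the thumbprint
}
SAMPLE_TOKEN = b64url(b"sample-token-issued-by-the-ca")

if __name__ == "__main__":
    path, body = http01_response(SAMPLE_TOKEN, SAMPLE_JWK)
    print(f"HTTP-01: serve {body!r} at {path}")
    name, value = dns01_record("blog.example", SAMPLE_TOKEN, SAMPLE_JWK)
    print(f"DNS-01:  TXT {name} -> {value}")
```

Running the module prints the HTTP-01 path and body and the DNS-01 record for the sample values; swapping in a second token shows that the DNS value changes while the record name does not.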