[tech] SSL on various services with LetsEncrypt
David Adam
zanchey at ucc.gu.uwa.edu.au
Sat Dec 8 07:22:26 AWST 2018
On Fri, 7 Dec 2018, James Andrewartha wrote:
> On Fri, 7 Dec 2018, David Adam wrote:
>
> > On Fri, 7 Dec 2018, Felix von Perger wrote:
> > > [CFE] and I worked on enabling / fixing SSL on a bunch of services today. This
> > > hopefully hasn't broken anything significant.
>
> There are a bunch of Let's Encrypt certs that aren't renewing properly,
> there was an auto-discard notification which hostmasters would have seen,
> I'll forward it to wheel at . Can we move the webhosting over to using a
> wildcard?
The names in those expiry notices have already been renewed; I think the
reminder is a red herring.
> > > * Attempted to migrate AD domain controller host certificates on samson
> >
> > Why do we need an externally-signed certificate for AD? Can't we just use
> > the UCC CA or the Samba CA?
>
> It is a bit nicer, plus we never have to worry about renewing it manually
> when the time comes.
>
> > > + It also means that anyone can ask mooneye to do DNS lookups
> > > for any domain. Is this a bad thing?!
> >
> > It can be used in DNS amplification attacks, so we should turn that off.
>
> Let's Encrypt by design do not publish which IPs may be used to query the
> nameserver to verify ownership, so we can't in practice restrict them
> anyway.
Right, but this is about allowing recursion for any domain.
In any case, it's not actually turned on (allow-recurse still set to the
UCC ranges only), so never mind.
[DAA]
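The thread's open-recursion concern (a nameserver answering recursive lookups for any domain from any client) can be checked from the outside by sending a query with RD set and looking at the RA bit and answer count in the reply. The following is an added example, not code from this thread or from the UCC hosts; it uses only the standard library, the server name and "example.com" are placeholders, and the two sample replies are constructed bytes. A correct test has to be run from an address outside the permitted client ranges, since a server that limits recursion by source range will still recurse for inside clients.

```python
import socket
import struct

RD_FLAG, QR_FLAG, RA_FLAG = 0x0100, 0x8000, 0x0080


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal DNS query for the A record of `name` with RD (recursion desired) set."""
    header = struct.pack("!HHHHHH", txid, RD_FLAG, 1, 0, 0, 0)
    labels = [part.encode() for part in name.strip(".").split(".")]
    qname = b"".join(bytes([len(lbl)]) + lbl for lbl in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_header(resp: bytes) -> dict:
    """Decode the 12-byte DNS header into the fields relevant to a recursion check."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id": txid, "qr": bool(flags & QR_FLAG), "rd": bool(flags & RD_FLAG),
            "ra": bool(flags & RA_FLAG), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an}


def offers_open_recursion(resp: bytes) -> bool:
    """True when the server advertises recursion (RA) and actually answered (NOERROR,
    ANCOUNT > 0) a query for a zone it is not authoritative for."""
    h = parse_header(resp)
    return h["qr"] and h["ra"] and h["rcode"] == 0 and h["ancount"] > 0


def probe(server: str, name: str = "example.com", timeout: float = 3.0) -> dict:
    """Send one UDP query to `server` (placeholder) and return the parsed header.
    Run this from outside the allowed client ranges to see what the internet sees."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_header(data)


# Constructed sample replies (headers only) for offline use:
# OPEN: QR+RD+RA, NOERROR, one answer -> server recursed for us.
OPEN_REPLY = struct.pack("!HHHHHH", 0x1234, QR_FLAG | RD_FLAG | RA_FLAG, 1, 1, 0, 0)
# REFUSED: QR+RD, RCODE 5 (REFUSED), no answers -> recursion denied for this client.
REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, QR_FLAG | RD_FLAG | 5, 1, 0, 0, 0)

if __name__ == "__main__":
    print("open sample:", offers_open_recursion(OPEN_REPLY))
    print("refused sample:", offers_open_recursion(REFUSED_REPLY))
```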