mercutio: let's encrypt is in limited beta
err entering on dec 3rd
mjp__: i still don't get the 90 day expiry part... seems kind of annoying
and no... I'm not running their shitty cert rotation script on my boxes
brycec: Shorter lifetime means smaller attack/compromise surface
(Google's been running 30-90 day certs for their services for awhile)
chrismsnz: also ensures that your cert handling is up to snuff
e.g. an automated, simple process in place to swap them out
brycec: (I make no argument for or against their rotation script)
chrismsnz: which is good when it comes to handling certificates securely
brycec: ^ Or it's bad because you hack something insecure together :p
-: mercutio just did a beta request for a few domains... dunno how it'll go :)
mercutio: tbh, whenever certs are 2 or 3 years expiry it seems people are more likely to not keep them up to date
err to hit a problem for a few days with being out of date
esp. with smaller sites. if it's 3 months, then people kind of have to "fix" the way they do certs.
brycec: I don't get what's so hard about putting the cert expiry on your calendar when it's issued, and poof it won't surprise you
mercutio: heh one of my smokepings has an out of date cert.
chrismsnz: also there's the mismatch between domain expiry and cert expiry
mercutio: 10 days.
chris: i have an SSL cert through namecheap with my domain, not that i'm using it..
chrismsnz: shorter cert expiry reduces the time where somebody has a valid certificate for a domain they do not own
mercutio: cos i'm just using cloudflare..
brycec: Another good point, chrismsnz
chrismsnz: that's fine if you don't mind cloudflare mitm-ing all your traffic :)
mercutio: it seemed like a good idea at the time.
there's nothing critical on it really
i mostly just post screenshots and stuff to it
mjp__: changing the cert every 90 days != changing the private key every 90 days
mercutio: but cloudflare's hit rates suck
mjp__: i don't see how it's any more secure
mercutio: so i'm actually planning to ditch it
i'm actually way more concerned about people using *.domain certs everywhere across multiple machines
mjp__: "time where somebody has a valid certificate for a domain they do not own"... if letsencrypt were the only cert provider this would be true. but they're not
mercutio: for some reason the name of such is escaping me, wildcard came to mind but that sounds wrong.
brycec: mercutio: *.domain is a wildcard, yes
mercutio: but yeah having a wide attack vector seems messier to me
there's also a premium on wildcard certs, but i think if certs can just be cheap/affordable/free then having lots of non wildcard certs /usually/ makes sense
brycec: (Easier for me to have individual Startcom SSL certs for various services than pay for a single wildcard, for instance.)
mercutio: yeh they're expensive.
brycec: And free is just so free...
mercutio: if you have a proxy or constant cdn or such wildcard is just as insecure
i kind of hoped that with virtualisation would come more "objects" where one bit of work is done in one place, and another in another, connected together.
but currently, it seems that mostly consolidation/cost cutting has happened.
there's cool projects with xen and so forth to make an OS image that's a container of sorts that is compiled to only do one function - like you could have a DNS OS or such.
at least php is moving to php-fpm etc these days creating some isolation
plett: I have a test domain up and working with letsencrypt
mercutio: plett: cool
plett: any thoughts on it?
plett: The 90 day thing isn't the annoying bit for me - that side is solvable with automation
The bit that annoys me is that they only considered web servers when designing it. The only way to get a cert at the moment is to run their python client which can receive traffic on port 80 or 443
You can either run a standalone client which listens on those ports itself and therefore means taking your web server offline, or there are hooks into Apache (and almost nginx) which reconfigure your web server(!) to have a new vhost which can serve the right responses
mercutio: erk
why not just do something like google's ad thing does
where you stick a special thing in the html
plett: That I don't know
I'm sure more options will come over time, but neither of the current options works for me
I wouldn't want to take my webserver offline and run their client code as root in a cron job
And the thought of them trying to add a virtualhost to my apache config scares me too
mercutio: i just upgraded to nginx 1.9.6 last night
on one host. they have http2 :)
plett: I'm using it as a learning exercise, and my setup is slightly over-engineered. I've got haproxy in a docker container listening on 80 and 443 and doing ssl termination and forwarding everything in to an nginx container which currently just serves some plain text
I think I should be able to use haproxy to filter the letsencrypt authentication traffic off to somewhere else while still serving all the normal traffic
I'm also using it as an opportunity to use the brand new docker-compose networking support
It will probably also need etcd and confd to manage the haproxy config. I've not used them before