On 4/22/23 15:11, Tim via users wrote:
On Sat, 2023-04-22 at 14:32 -0700, Samuel Sieb wrote:
As Patrick said, using port 443 would be a circular dependency. There
is no "testing" of the cert, this is for providing the cert.
Ah... I thought it was for checking and auto-renewing certificates
before expiry (like certwatch).
At this point, you don't have an SSL certificate, so it wouldn't work. The
requester puts a token in the web server directory and then tells the
certificate generating side to verify the token.
Hmm, sounds like a security problem to get data via insecure means, in
the first place. It escapes me why you'd want to work that way if you
were running it on the same machine as the server.
How is it insecure? The requester creates a one-time token, passes that
to the letsencrypt server. The server connects back using the domain
name to make sure the domain and request is valid by checking the token.
There's no way to mitm that.
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue