[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: bug#46961: [PATCH v2 0/4] Make certbot play more nicely with nginx
|
From: |
Felix Lechner |
|
Subject: |
Re: bug#46961: [PATCH v2 0/4] Make certbot play more nicely with nginx |
|
Date: |
Sun, 14 Apr 2024 09:25:38 -0700 |
Hi Carlo,
Thanks for fixing the Cc: addresses. I should not have included the bug
filing address in my reply.
On Sun, Apr 14 2024, Carlo Zancanaro wrote:
> We could avoid generating unnecessary self-signed certificates by first
> checking if we already have certificates from certbot, and creating the
> symlink straight away if we can.
That would seem wise to me.
> The current code uses the rsa-key-size from the
> <cerbot-configuration>, or 4096 if that is unset (the default). This
> is probably [excessive] given we don't actually need, or want, to use
> the initial certificates.
>
> We could instead use the smallest key size that openssl supports (512?).
Like you, I asked myself why those self-signed certificates, which are
mostly useless, would be 4096-bit strong. I am more offended, however,
that they were generated with a lifetime of just one day.
What happens if certbot is not yet configured, and the sysadmin forgot
to do so for a few days? A long time span, such as ten years (3650
days) might be more appropriate for the fallback certificates.
By the way, in Debian we call them "snake oil". I believe they are
present on all systems.
Kind regards
Felix