Use ACME certs everywhere #140

Open
opened 2024-08-22 23:45:04 +02:00 by oysteikt · 3 comments
Owner

We recently discovered that using ACME certs isn't such a big deal for our internet landlords as we previously thought. Let's switch everything out for nixos acme and/or certbot, so we don't need to deal with manual certificate requests and installation any more.
oysteikt added the salt, new stuff, nixos, enhancement labels 2024-08-22 23:45:04 +02:00
oysteikt added this to the Kanban project 2024-08-22 23:45:04 +02:00
Owner

Have we been in any correspondence, or do we simply interpret silence as a good thing?
Author, Owner

@felixalb

Owner

This is based on the fact that several departments at NTNU, including the IT department, officially use LetsEncrypt in several places, with no current plans of changing that. If they can do it, and we haven't been told anything else, we can do it.

However, contrary to the wording of the OP, the ACME protocol has never been the problem; the problem is that we have been told that the security department have considered enforcing CAA records on the .ntnu.no. domain, only allowing GEANT / Sectigo to sign certs for the domain, but not LE.

If this were to happen in the future, we could consider one of the following:

  • Put our own CAA record on pvv.ntnu.no as the inheritance can be overridden, allowing LE again on our subdomain. This is possible, as we control our own DNS zone/server.
  • Ask nicely if we can both add pvv.org to their GEANT account so we can get valid certs for both of our domains, and if we can have an ACME key+endpoint to avoid web forms and emails to get our certs signed.
  • Change back to using pvv.org as our primary domain name.
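The CAA override described in the comment above follows from how CAA lookup works (RFC 8659): a CA walks from the requested name toward the root and uses the first non-empty CAA RRset it finds, so a set published at pvv.ntnu.no takes precedence over anything at ntnu.no. The following Python is an added example, not code from the Drift project or from NTNU; the zone contents are constructed for illustration (they are assumptions, not NTNU's real DNS), and the code implements the relevant-RRset walk plus the issue/issuewild decision so the effect can be checked offline.

```python
"""Added example: RFC 8659 CAA lookup and issuance check over a constructed zone."""
from dataclasses import dataclass


@dataclass(frozen=True)
class CAA:
    flags: int   # bit value 128 is the "issuer critical" flag
    tag: str     # property tag: "issue", "issuewild" or "iodef"
    value: str   # issuer domain, optionally "; params", or ";" meaning "no CA"


# Constructed zone data (assumption, not NTNU's real DNS): the parent zone only
# allows Sectigo, while the delegated pvv.ntnu.no zone publishes its own set.
ZONE = {
    "ntnu.no.": [CAA(0, "issue", "sectigo.com")],
    "pvv.ntnu.no.": [CAA(0, "issue", "letsencrypt.org"),
                     CAA(0, "issue", "sectigo.com")],
}


def parent(name):
    """Strip the leftmost label; the parent of a TLD is the root '.'."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[1:]) + "." if len(labels) > 1 else "."


def relevant_caa_set(name, zone=ZONE):
    """RFC 8659 section 3: climb toward the root and return the first non-empty
    CAA RRset together with its owner name; (None, []) means no CAA applies."""
    name = name.rstrip(".").lower() + "."
    while name != ".":
        rrset = zone.get(name)
        if rrset:
            return name, list(rrset)
        name = parent(name)
    return None, []


def issuer_domain(value):
    """'letsencrypt.org; validationmethods=dns-01' -> 'letsencrypt.org'; ';' -> ''."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(ca_domain, name, wildcard=False, zone=ZONE):
    """Decide whether the CA identified by ca_domain may issue for name."""
    _owner, rrset = relevant_caa_set(name, zone)
    if not rrset:
        return True                       # no CAA anywhere up the tree
    known = {"issue", "issuewild", "iodef"}
    if any(r.flags & 128 and r.tag not in known for r in rrset):
        return False                      # unknown critical property: refuse
    records = [r for r in rrset if r.tag == "issue"]
    if wildcard:
        wild = [r for r in rrset if r.tag == "issuewild"]
        if wild:
            records = wild                # issuewild overrides issue for *.name
    if not records:
        return True                       # only iodef etc.: issuance unrestricted
    return any(issuer_domain(r.value) == ca_domain.lower() for r in records)


if __name__ == "__main__":
    for ca, host in [("letsencrypt.org", "www.ntnu.no"),
                     ("letsencrypt.org", "git.pvv.ntnu.no"),
                     ("sectigo.com", "git.pvv.ntnu.no")]:
        owner, _ = relevant_caa_set(host)
        print(f"{ca:16} {host:18} governed by {owner}: {may_issue(ca, host)}")
```

Note that the override is total: once pvv.ntnu.no has a CAA set, the parent's records are not consulted at all, so the subdomain set must list every CA that should remain allowed (which is why the constructed set above keeps Sectigo next to Let's Encrypt). CAA is only evaluated by the CA at issuance time; it does not affect certificates already issued, so watching Certificate Transparency logs remains the way to see what has actually been issued for the domain.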
Reference: Drift/issues#140