CSR for SSL: a breakdown of common mistakes with SAN and wildcard

Most problems with SSL certificates arise not when configuring TLS but at the CSR creation stage: forgotten SAN domains, wrong expectations of what a wildcard covers, manual errors in openssl.cnf. We look at why, with certificate lifetimes shrinking to 47 days by 2029, manual issuance stops being viable, and which tools are replacing it.

https://habr.com/ru/articles/1043106/

#ssl #sslсертификаты #tls #csr #https #сертификаты #openssl #acme

CSR for SSL: a breakdown of common mistakes with SAN and wildcard

Most problems with SSL certificates arise not when configuring TLS but at the CSR creation stage: wrong SANs, forgotten subdomains, wrong expectations of what a wildcard covers. A wildcard *.example.com covers...

Habr
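An added example, not code from the Habr article: a small POSIX shell script that builds the SAN list from a generated openssl.cnf (so no hostname is typed by hand twice), reads back which DNS names the CSR actually carries, and checks wildcard coverage under the usual one-label rule. The hostnames and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example: SAN-driven CSR generation plus a coverage check.
set -e

# Write a minimal openssl.cnf with the SAN extension and emit a CSR.
# $1 = output directory, remaining args = hostnames for the SAN list.
make_csr() {
  dir=$1; shift
  san=""
  for h in "$@"; do san="${san:+$san,}DNS:$h"; done
  cat > "$dir/csr.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
CN = $1
[ext]
subjectAltName = $san
EOF
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/key.pem" \
    -out "$dir/csr.pem" -config "$dir/csr.cnf" 2>/dev/null
}

# Print the DNS names actually present in a CSR, one per line.
# Run this before submitting: a SAN missing here is missing in the cert.
csr_sans() {
  openssl req -in "$1" -noout -text \
    | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://'
}

# Wildcard semantics browsers apply (RFC 6125): "*.example.com" matches
# exactly one label (www.example.com), never the apex (example.com)
# and never deeper names (a.b.example.com).
# $1 = SAN entry, $2 = hostname; exit status 0 if covered.
san_covers() {
  case $1 in
    \*.*) suffix=${1#\*.}; rest=${2%".$suffix"}
          [ "$rest" != "$2" ] && [ -n "$rest" ] && [ "${rest#*.}" = "$rest" ] ;;
    *)    [ "$1" = "$2" ] ;;
  esac
}

# Demo on constructed input: a wildcard CSR and what it does and does not cover.
if command -v openssl >/dev/null 2>&1; then
  d=$(mktemp -d); make_csr "$d" example.com '*.example.com'
  echo "SANs in CSR:"; csr_sans "$d/csr.pem"; rm -rf "$d"
fi
for h in example.com www.example.com a.b.example.com; do
  san_covers '*.example.com' "$h" && echo "covered: $h" || echo "NOT covered by *.example.com: $h"
done
```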
Let's Encrypt works toward post-quantum certificates at web scale - Help Net Security

Let's Encrypt plans to deploy Merkle Tree Certificates (MTCs) to bring post-quantum authentication to the web by 2027.

Help Net Security

Ok, I've finally identified what is wrong with my dns-persist-01 challenge integration. #LetsEncrypt prod server just does not support it yet... ;-(

Waiting for "Q2 2026" then...

https://letsencrypt.org/2026/02/18/dns-persist-01#:~:text=production%20rollout%20targeted%20for%20some%20time%20in%20Q2%202026

#acme #devops #security

DNS-PERSIST-01: A New Model for DNS-based Challenge Validation

When you request a certificate from Let’s Encrypt, our servers validate that you control the hostnames in that certificate using ACME challenges. For subscribers who need wildcard certificates or who prefer not to expose infrastructure to the public Internet, the DNS-01 challenge type has long been the only choice. DNS-01 works well. It is widely supported and battle-tested, but it comes with operational costs: DNS propagation delays, recurring DNS updates at renewal time, and automation that often requires distributing DNS credentials throughout your infrastructure.

🌘 Parallel reconstruction of a lawful TLS wiretapping mechanism
➤ Using CVE-2023-38198 to look at potential malicious abuse of the certificate issuance process
https://remyhax.xyz/posts/reproducing-lawful-tls-wiretapping/
This article examines the 2023 TLS man-in-the-middle attack on Russian Jabber services. The author analyses how the attackers exploited a remote code execution vulnerability in the `acme.sh` client (CVE-2023-38198), injecting and executing commands through a maliciously crafted Token field in the ACME protocol. Although reproducing the vulnerability proved difficult in practice and involved complex shell command obfuscation techniques, the research reveals structural weaknesses in the certificate issuance process and how attackers can bypass validation mechanisms to carry out unlawful surveillance.
+ Forcing certificate issuance through a vulnerability like this is as ingenious as it is alarming; for server administrators who rely on automation tools it is a major security concern.
+ The author's detailed analysis of the shell injection technique is very thorough; even though it could not be fully reproduced, this way of breaking down the attack chain is highly valuable to security researchers.
#資訊安全 #TLS #漏洞研究 #ACME
Parallel Reconstruction of Lawful TLS Wiretapping

Transport Layer Security (TLS) is the protocol involved in getting the lock icon to appear in your browser next to the URL. Under the hood it uses a bunch of really cool numbers for encryption. Some numbers are considered private and need securing; some are considered public and are fine for sharing. You can mix your numbers with other people’s numbers in such a way that you can verify a chain of trust. Ultimately, at the top of this chain there has to be an entity or entities that are implied to be trustworthy, so that the links further down the chain of numbers can inherit that trust. This is the role of a root Certificate Authority (CA) at the top (root) of the chain.

REMY HAX

Small update: DDNSS works with #acme, but you have to use http-01 as the "Challenge Type" instead of DNS-01. Then the certificate works too.

#OPNsense #Firewall #DynDNS

@jef My first emacs (teco emacs) was in the 1980s on TOPS-20... I've been trying to get my fingers to forget this for the past 20 or so years, but they won't. Emacs: I wish I knew how to quit you...

Although I've adopted (Plan-9's) #acme a year ago as my daily driver and not sure if that makes me a techno-hipster or not 🤔 😜

https://www.wacoca.com/media/667442/ ACME's column "GEKI STATION" Vol.20 is out! This time CHISA (Vo), in "CHISA's Movie Picks, Extra Edition Part 2", writes about the new song "STARSTRUCK", which describes the feelings of someone who keeps standing on stage! | Gekirock News #ACME(exアクメ) #music #アクメ #音楽

I use #plan9 #acme to write #oberon for #avr MCUs on macosx and #openBSD laptops
with the occasional foray into doing #forth on #8051 mcus.

This isn't normal, I know.

PSA: You don't need a private CA for internal SSL certificates.

The CA doesn't connect to your server. It checks a DNS record. Your server can be completely unreachable from the internet.

https://www.certkit.io/blog/private-pki-internal-infrastructure

#PKI #ACME

You probably don't need private PKI for internal infrastructure

Most teams assume internal infrastructure needs a private CA. It doesn't - and skipping it saves you from a maintenance burden that never fully works anyway.

CertKit SSL Certificate Management

Let's Encrypt support landed on Ubiquiti. Finally!

#acme #letsencrypt #tls #ubiquiti #unifi

https://youtu.be/EvUwr9GUXtg

It's About Time Ubiquiti

YouTube