@monotux thanks for the tip 🙂 (or: reminder... IIRC I stumbled upon #smallstep after reading @jwildeboer writing about step-ca and forgot to test it).

For the Molecule Continuous Integration embedded in my #Ansible #acmesh collection, pebble was/is charming as it is *really really really* simple to set up and small.

But I will consider replacing #pebble with smallstep, as it would let me gain Smallstep experience that I could potentially reuse for other (production) use cases.

TIL (today I learned): @letsencrypt has a neat little project for running a test CA for the ACME protocol called Pebble.

https://github.com/letsencrypt/pebble

https://letsencrypt.org/2025/04/30/pebbleacmeimplementation

I just wired it into the tests for the foundata.acmesh #Ansible collection inside each #Podman container to test the webroot challenge end-to-end across all platforms without requiring external infrastructure:

https://github.com/foundata/ansible-collection-acmesh/commit/2b42a9cfcfe2a9b381a385a9cfbf49788d987956

#acmesh #opensource #devops

Certbot doesn't define CN by default which is required by pgBackRest and OpenVPN as of today. I tried to use a CSR but Certbot doesn't automatically renew those certificates making certbot pointless. I'm now using acme.sh and it just works https://github.com/acmesh-official/acme.sh

#acme #acmesh #certbot #tls #ssl #openvpn #pgbackrest

TLS auto-renewal breaks too

Text in the feed: For many years the information security industry has been trying to improve encryption standards on the web in two ways: mass adoption of HTTPS as the universal encryption standard for all sites, even those that formally do not need protection. A great deal of time was spent convincing users of the importance of total encryption of absolutely all communications; shortening the validity periods of SSL/TLS certificates, to push users to adopt automatic procedures/scripts for auto-renewing certificates and thereby eliminate the "human factor" and the forgetfulness of sysadmins who forget to replace certificates. But sometimes that is not enough. Unfortunately, automatic certificate renewal scripts can also break.

https://habr.com/ru/companies/globalsign/articles/988804/

#tls #сертификат #acme #letsencrypt #шифрование #certbot #acmesh #dns #bazel

We're supposed to trust these issuers on reliable renewals? It'll be a 47-day window soon.
#acme #acmeSH #zerossl

I want reliable infrastructure.

certificate issuer ZeroSSL is having an outage. acme.sh renewals are failing. #acmeSH #zerossl #certificates
status.zerossl.com shows:

🚀 New Release: #Ansible collection foundata.acmesh 1.2.1 🎉

🔐 Rootless service user, configurable storage paths
⏱️ Auto certificate renewal via systemd
📦 Pre-seed cert upload to avoid CA rate limits

Project: https://foundata.com/en/projects/ansible-collection-acmesh/

Examples: https://github.com/foundata/ansible-collection-acmesh/tree/main/roles/run#examples

Galaxy: https://galaxy.ansible.com/ui/repo/published/foundata/acmesh/

#acmesh #OpenSource #Automation #DevOps

Decided to turn this Toot (https://mastodon.eddmil.es/@iMeddles/115250286127637292) into a blogpost, with a slightly overly grumpy title. This details why I think acme.sh uses an insecure default, how people using acme.sh should remedy this, and why (despite the title) it's probably not *that* big of a deal:

https://i.am.eddmil.es/posts/acmesh-insecure/

#acme #acmesh #LetsEncrypt

Edd (@[email protected])

TiL that #acmesh, unlike just about any other #acme client I've used, doesn't rotate the private key at renewal by default. And by "TiL" I meant "just had to spend 20 mins reconfiguring a bunch of servers to do it correctly". That'll teach me to read the docs closer and not make assumptions. (I won't learn the lesson of course, but it'll teach me anyway)

For Home Assistant, the Let's Encrypt add-on can be used to create your own SSL certificate to secure the communication between the server and the clients.

https://strobelstefan.de/blog/2025/03/29/home_assistant_-_lets_encrypt_zertifikate_automatisch_erstellen.html

#letsencrypt #acmesh #homeassistant
