#LetsEncrypt

Jcrabapple: "We've Issued Our First IP Address Certificate" - Let's Encrypt
https://letsencrypt.org/2025/07/01/issuing-our-first-ip-address-certificate/
#tech #infosec #LetsEncrypt #SSL

Stumpi im Retroland: @marcuwekling Great idea! I'm (already) in! 🙃 #dutgemacht #ididit

Here is what I'm already using:

- Own mail server #postfix #clamav #rspamd #roundcubemail #dovecot
- Notebooks on #Linux
- #pfsense firewall
- #thunderbird

Self-hosted free services/software at the moment:
- #Nextcloud
- #PaperlessNGX
- #Peertube
- #HomeAssistant
- #Mastodon
- #Matrix
- #Wordpress

Free services hosted by others:
- #pixelfed
- #bigbluebutton
- #letsencrypt

Unfortunately I can't get rid of my Windows machine yet #gamer - but that will surely come some day... 🤞
Replied to Aral Balkan

@aral wrote: "If your friends and family are trying to phish you, you have bigger problems."

Phishing means that an adversary *claiming to be* someone you know (including friends and family) convinces you to click on a link.

The purpose of a certificate, telling a receiver *WHO* (human readable) owns the associated private key (the last resort to distinguish between fake and authentic), now has completely vanished.

As if phishing is not already the no. 1 problem on the internet.

Note: I'm fine with the idea provided that browsers clearly inform users about the reliability of authenticity (I've read your article, did you read infosec.exchange/@ErikvanStrat ?)

@letsencrypt

Infosec Exchange · Erik van Straten (@ErikvanStraten@infosec.exchange) · Content warning: (long) Wrong order: RPKI first - WebPKI never?

My current conspiracy theory: Now that #letsencrypt has more or less destroyed the market for domain certificates and people are more interested in using client/user certificates, Google throws the market a lifeline by removing clientAuth from acceptable certificates in the browser context with some vague "it's about security" arm waving. #NerdTalk

1/4

Remember the threads①② about #LetsEncrypt removing a crucial key usage from certificates issued by them in predictive obedience to their premium sponsor Google?

We were at first concerned about #SMTP. While I had lived through this problem with #StartSSL by #StartCom back in 2011, I only had a vague recollection of Jabber but recalled in detail that it broke server-to-server SMTP verification (whether the receiving server acted on it or just documented it).

Well, turns out someone now reported that it indeed breaks #XMPP entirely: https://community.letsencrypt.org/t/do-not-remove-tls-client-auth-eku/237427/66

This means that it will soon no longer be possible at all to operate Jabber (XMPP) servers because the servers use the operating system’s CA certificate bundle for verification, which generally follows the major browsers’ root stores, which has requirements from the CA/Browser forum who apparently don’t care about anything else than the webbrowser, and so no CA whose root certificate is in that store will be allowed to issue certificates suitable for Jabber/XMPP server-to-server communication while these CAs are the only ones trusted by those servers.

So, yes, Google's requirement change is after all breaking Jabber entirely. Shame on anyone who thinks ill of it.

While https://nerdcert.eu/ by @jwildeboer would in theory help, it doesn't exist yet, and there's not just the question of when it will be included in operating systems' root CA stores but whether it will be included in them at all.

Google's policy has no listed contact point, and the CA/B forum isn't something mere mortals can complain to, so I'd appreciate it if someone who can, who has significant skills to argue this in English and who is willing to, would bring it to them.

① mine: https://toot.mirbsd.org/@mirabilos/statuses/01JV8MDA4P895KK6F91SV7WET8
② jwildeboer’s: https://social.wildeboer.net/@jwildeboer/114516238307785904

Let's Encrypt Community Support · Do *NOT* remove TLS Client Auth EKU! · "I was also bit by this. I switched to tlsserver profile, and when my XMPP certificate got renewed today, it failed to make any S2S connections :(. I'd to revert to classic profile. Could we please keep TLS client auth EKU ? Thanks!"
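An added check for the breakage described above (example code, not from the page, Let's Encrypt or any XMPP project), assuming you have the certificate as DER bytes (ssl.PEM_cert_to_DER_cert() converts a PEM string): a standard-library DER walker that lists the Extended Key Usage purposes, so an XMPP or SMTP operator can confirm a renewed certificate still carries clientAuth before deploying it. The two samples are constructed DER skeletons, not real certificates.

```python
# Added example, not code from the page or from Let's Encrypt: a stdlib-only
# DER walker that lists a certificate's Extended Key Usage purposes. Feed it
# DER bytes (ssl.PEM_cert_to_DER_cert() converts a PEM string).
EKU_EXT_OID = "2.5.29.37"          # id-ce-extKeyUsage
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"  # id-kp-clientAuth, the EKU an XMPP s2s peer needs

def der_iter(buf):
    """Yield (tag, value) for each DER TLV in buf, handling long-form lengths."""
    pos = 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                       # long form: low 7 bits = count of length bytes
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        yield tag, buf[pos:pos + length]
        pos += length

def decode_oid(body):
    """Decode an OBJECT IDENTIFIER body into dotted notation."""
    first = body[0]
    arcs, acc = ([2, first - 80] if first >= 80 else [first // 40, first % 40]), 0
    for b in body[1:]:                          # base-128 arcs, high bit = continuation
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def eku_purposes(cert_der):
    """Return the EKU OIDs of a DER certificate, or [] when it has no EKU extension."""
    _, cert = next(der_iter(cert_der))          # Certificate ::= SEQUENCE {tbs, sigAlg, sig}
    _, tbs = next(der_iter(cert))               # tbsCertificate is the first element
    for tag, wrapped in der_iter(tbs):
        if tag == 0xA3:                         # extensions [3] EXPLICIT SEQUENCE OF Extension
            for _, ext in der_iter(next(der_iter(wrapped))[1]):
                fields = list(der_iter(ext))    # extnID, optional critical, extnValue
                if decode_oid(fields[0][1]) == EKU_EXT_OID:
                    _, seq = next(der_iter(fields[-1][1]))   # OCTET STRING wraps SEQUENCE OF OID
                    return [decode_oid(v) for t, v in der_iter(seq) if t == 0x06]
    return []

def allows_client_auth(cert_der):
    """True if the certificate may act as a TLS client (what XMPP s2s and SMTP peers check)."""
    return CLIENT_AUTH in eku_purposes(cert_der)
# Constructed samples (not real certificates): DER skeletons holding only the
# extensions field, with EKU {serverAuth, clientAuth} and with EKU {serverAuth} only.
SAMPLE_CLASSIC = bytes.fromhex(
    "3025 3023 a321 301f 301d 0603551d25 0416 3014 06082b06010505070301 06082b06010505070302")
SAMPLE_TLSSERVER = bytes.fromhex("301b 3019 a317 3015 3013 0603551d25 040c 300a 06082b06010505070301")
```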

yet another ACME client, based on uacme: github.com/llfw/lfacme

good:
+ uses uacme and POSIX /bin/sh
+ better configuration/hook system than dehydrated
+ comes with manpages
+ small and simple
+ supports Kerberized dns-01 domain validation

bad:
- only supports Kerberized dns-01 domain validation (but this could be improved)
- only tested on FreeBSD (but this could be improved too)

/cc @_bapt_

UPDATE: Thx to the replies, I implemented the change for all my domains, did a `certbot renew --dry-run` and that succeeded. Yay to a cleaner config :)

#NerdQuestion. When I move {server [...] } blocks in `/etc/nginx/nginx.conf` to separate files in the `/etc/nginx/conf.d` directory, will certbot still find them and will automatic renewals just keep working as before? Anyone with experience on that?

Just requested that Auto Encrypt¹ is added to the list of @letsencrypt clients for Node.js and that Kitten² is added to the list of projects that integrate Let’s Encrypt support:

github.com/letsencrypt/website
github.com/letsencrypt/website

I originally requested that Auto Encrypt and Site.js (the precursor to Kitten, now sunset) be added to the list in 2021. It was not approved (no reason given), so hopefully this time will be different.

github.com/letsencrypt/website

¹ codeberg.org/small-tech/auto-e
² kitten.small-web.org

🔒 Auto Encrypt – heads up!

In the next minor version release of Auto Encrypt¹, we’ll be moving from a hard-coded date-based certificate renewal check to using ACME Renewal Information (ARI)².

The change³ should be seamless.

If you have any concerns, now is the time to raise them :)

#AutoEncrypt #TLS #LetsEncrypt #SmallTech #SmallWeb

¹ Drop-in Node.js https server replacement that automatically provisions and renews Let’s Encrypt certificates for you. (codeberg.org/small-tech/auto-e)
² datatracker.ietf.org/doc/draft
³ codeberg.org/small-tech/auto-e

Codeberg.org · auto-encrypt · Automatically-provisioned TLS certificates for Node.js servers using Let's Encrypt.
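The ARI renewal logic the post above switches to, as an added illustration (example code, not Auto Encrypt's own implementation), assuming the renewalInfo response has already been fetched and JSON-decoded: it builds the ARI certificate identifier from the AKI key identifier and serial number, picks a random instant inside the suggested window, decides whether to renew on the current run, and keeps a date-based fallback for when ARI is unavailable.

```python
import base64
import json
import random
from datetime import timedelta, datetime

def ari_cert_id(aki_key_identifier, serial):
    """ARI certificate identifier: base64url(AKI keyIdentifier) '.' base64url(DER
    INTEGER content of the serial number), both without '=' padding."""
    # DER INTEGER content is minimal big-endian two's complement, so a positive
    # serial whose top bit is set needs a leading 0x00 byte.
    serial_bytes = serial.to_bytes(serial.bit_length() // 8 + 1, "big")
    b64 = lambda raw: base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{b64(aki_key_identifier)}.{b64(serial_bytes)}"

def parse_rfc3339(stamp):
    """Parse the RFC 3339 timestamps ARI returns (a trailing 'Z' means UTC)."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))

def choose_renewal_time(renewal_info, rng=random.random):
    """Pick a uniformly random instant inside suggestedWindow, as ARI asks, so a
    fleet of servers does not all renew in the same second."""
    window = renewal_info["suggestedWindow"]
    start, end = parse_rfc3339(window["start"]), parse_rfc3339(window["end"])
    if end < start:
        raise ValueError("ARI suggestedWindow ends before it starts")
    return start + (end - start) * rng()

def should_renew_now(renewal_info, now, check_interval_hours, rng=random.random):
    """True when the chosen instant falls before the next scheduled check (or has
    already passed), so the client renews on this run instead of waiting."""
    chosen = choose_renewal_time(renewal_info, rng)
    return chosen <= now + timedelta(hours=check_interval_hours)

def fallback_renewal_time(not_before, not_after):
    """Date-based rule when ARI is unavailable: renew once two thirds of the
    lifetime has elapsed (30 days before a 90-day certificate expires)."""
    return not_before + (not_after - not_before) * 2 / 3

# Constructed sample (not a real server response), shaped like the renewalInfo
# JSON the ARI draft describes; the explanationURL is a placeholder.
SAMPLE_ARI = json.loads("""{
  "suggestedWindow": {"start": "2025-07-01T00:00:00Z", "end": "2025-07-03T00:00:00Z"},
  "explanationURL": "https://example.invalid/ari-explanation-placeholder"
}""")

if __name__ == "__main__":
    now = parse_rfc3339("2025-07-01T20:00:00Z")
    print("renew now:", should_renew_now(SAMPLE_ARI, now, 12, rng=lambda: 0.5))
```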

To all the people upset about #letsencrypt removing TLS Client Auth support from certificates, yes it sucks, but please direct your anger at Google who initiated this change. LetsEncrypt cannot exist if the biggest browser doesn't accept their certificates. Yell at Google, Not LE please.


Sure, #LetsEncrypt, you can say that using certificates with the ClientAuth EKU is a minor use case and that this functionality was never guaranteed to always be available and all of that. But the fact stays: you are removing a feature from your certificates that has been here for a very long time, just because Google demands this. Why does Google want this? I will ask them. But I am quite sure that this #oopsie side effect is not an oversight.

3/5

I am totally sure (sarcasm included) that #Google has totally overlooked that their planned changes to their root program requirements will cause a lot of problems for mailserver owners like me who in future might run into weird problems with #Letsencrypt certificates for SMTP. I am sure that Google is absolutely not trying to make running your own mailserver even more complicated just to protect their gmail business. That would be totally not how Google thinks, amirite? letsencrypt.org/2025/05/14/end