From: Toke Høiland-Jørgensen
To: Dave Taht, Juliusz Chroboczek
Cc: Michael Ströder, galene@lists.galene.org
Date: Wed, 24 Feb 2021 22:55:10 +0100
Subject: [Galene] Re: Heads up: Galène generates self-signed certificates
Message-ID: <8735xl2ksh.fsf@toke.dk>
List-Id: Galène videoconferencing server discussion list

Dave Taht writes:

> Several notes.
>
> I strongly agree with being able to generate a self-signed cert.
> Especially if you are operating a server that is off the internet,
> it's difficult to get a cert via Let's Encrypt,
> and asking folk to run the openssl command line is just asking for trouble.
>
> The CA authority argument has always smelt of the old key escrow argument, and
> I vastly prefer to not register some things with any centralized
> authority and explain to potential users that's why it isn't
> registered and that the "invalid cert" thing is misleading.
>
> I however wouldn't mind if there was a command within galene to
> fire off the Let's Encrypt facility if a box is on the public internet
> and has working DNS. Shell out to acme, I think....

Or just use a Go implementation of the ACME protocol:
https://go-acme.github.io/lego/usage/library/

However, since Galene won't persist anything to disk, I'm not sure if this
is actually a good idea; you'd need to get a new cert every time you
restart the daemon, which I'm not sure is a good idea (it will likely get
you throttled, if nothing else).

-Toke
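The two points in the thread, Dave's self-signed certificate for a box that is off the internet and Toke's objection that a daemon which persists nothing must obtain a new certificate on every restart, come together in one routine: keep the certificate and key on disk and reuse them while enough lifetime remains, generating a fresh self-signed pair only when they are missing, unreadable or close to expiry. The Go code below is an added example and not Galène's own code; it assumes a directory holding files named cert.pem and key.pem (names chosen here), a validity period and a minimum remaining lifetime supplied by the caller, ECDSA P-256 keys, and constructed host names. The SHA-256 fingerprint it returns is what an operator can hand to users of an off-internet server so they can check the certificate the browser shows rather than treat the warning as an error.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/pem"
	"errors"
	"math/big"
	"net"
	"os"
	"path/filepath"
	"time"
)

// LoadOrCreateCert returns a TLS certificate for hosts (DNS names or IP
// literals). If dir holds cert.pem and key.pem (file names assumed by this
// example, not Galène's layout) and that certificate is still valid for at
// least minRemaining, it is reused and the bool result is true. Otherwise a
// self-signed ECDSA P-256 certificate valid for validFor is generated and
// written to dir, so the next restart reuses it instead of minting another.
func LoadOrCreateCert(dir string, hosts []string, validFor, minRemaining time.Duration) (tls.Certificate, bool, error) {
	var none tls.Certificate
	if len(hosts) == 0 {
		return none, false, errors.New("at least one host name or IP is required")
	}
	certPath, keyPath := filepath.Join(dir, "cert.pem"), filepath.Join(dir, "key.pem")

	// Reuse only a pair that parses and still has enough lifetime left.
	if cert, err := tls.LoadX509KeyPair(certPath, keyPath); err == nil {
		if leaf, err := x509.ParseCertificate(cert.Certificate[0]); err == nil &&
			time.Now().Add(minRemaining).Before(leaf.NotAfter) {
			cert.Leaf = leaf
			return cert, true, nil
		}
	}

	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return none, false, err
	}
	// Random 128-bit serial: clients reject a reused (issuer, serial) pair.
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return none, false, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: hosts[0]},
		NotBefore:             now.Add(-time.Hour), // tolerate client clock skew
		NotAfter:              now.Add(validFor),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true, // IsCA stays false: end-entity only
	}
	for _, h := range hosts { // browsers match SANs, not the CN
		if ip := net.ParseIP(h); ip != nil {
			tmpl.IPAddresses = append(tmpl.IPAddresses, ip)
		} else {
			tmpl.DNSNames = append(tmpl.DNSNames, h)
		}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return none, false, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return none, false, err
	}
	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	if err := os.WriteFile(certPath, certPEM, 0o644); err != nil {
		return none, false, err
	}
	if err := os.WriteFile(keyPath, keyPEM, 0o600); err != nil { // key: owner-only
		return none, false, err
	}
	cert, err := tls.X509KeyPair(certPEM, keyPEM)
	if err != nil {
		return none, false, err
	}
	cert.Leaf, err = x509.ParseCertificate(der)
	return cert, false, err
}

// Fingerprint is the hex SHA-256 of the DER certificate, the value users of
// an off-internet server compare against their browser's certificate viewer.
func Fingerprint(cert tls.Certificate) string {
	sum := sha256.Sum256(cert.Certificate[0])
	return hex.EncodeToString(sum[:])
}
```

Calling LoadOrCreateCert once at startup with, say, a one-year validity and a thirty-day minimum remaining lifetime gives a stable certificate and fingerprint across restarts; the second result tells the operator whether the pair was reused or freshly minted, which is worth logging together with the fingerprint. The same reuse-while-valid check is what an ACME-based flow would need in front of the issuance step to avoid requesting a new certificate on every restart.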