|
From: | Carlo Zancanaro |
Subject: | Re: bug#46961: [PATCH v2 0/4] Make certbot play more nicely with nginx |
Date: | Sun, 14 Apr 2024 21:42:39 +1000 |
User-agent: | Gnus/5.13 (Gnus v5.13) |
Hi Felix,On Fri, Apr 12 2024, Felix Lechner wrote:
To my surprise OpenSSL, which I saw in proced, generated a lot of certificates in /etc/certs. I am talking about pages and pages of asterisk, plusses, and dots for a system with twenty or so certificates. Is it possible that they were generated as a result of the patch?
I expect the first reconfiguration after this change to create one self signed certificate in /etc/certs for each <certificate-configuration> object in your certbot configuration. These self-signed certificates will then be replaced by symlinks to the certificates that cerbot generates after your next renewal (i.e. when the deploy hook runs). We could avoid generating unnecessary self-signed certificates by first checking if we already have certificates from certbot, and creating the symlink straight away if we can. About the "pages and pages" of output: it might be sensible to change the size of the self keys used in the self signed certificates. The current code uses the rsa-key-size from the <cerbot-configuration>, or 4096 if that is unset (the default). This is probably overkill given we don't actually need, or want, to use the initial certificates. We could instead use the smallest key size that openssl supports (512?). I'm not sure when I'll have time to make those changes, but they should be pretty straightforward if someone else has time before I do.
It would be unfavorable to create such certificates when they are not needed. It reduces valuable server entropy.
If you don't want the initial self signed certificate you can tell Guix not to generate it by setting start-self-signed? to #f on the <certificate-configuration> object.
Carlo
[Prev in Thread] | Current Thread | [Next in Thread] |