Okay I've used up all other options, so now it's #FollowerPower and #FediMagic :
Would someone here be able to help me fix my broken #Yunohost instance? I've been without email for several weeks now.
All apps and admin interface work without problems, but #Dovecot fails to start with a cryptic #SSL error. I've tried the forum of course but so far without success.
Happy to share logs and all. Thanks a million!
Hello, I'm new here (#neuhier) and I'm getting in touch because I'd like to share something.
As an old IT guy, I'd like to share a script that makes life easier for the (home) admin when a "curl" or "wget" once again fails to verify a certificate (#SSL / #TLS).
That doesn't happen very often, which is why I had always forgotten what to do by the time it came up again.
The script checks which certificates are missing and downloads them so that you can add them to the list of CAs (certification authorities) if needed. How to do that is described in my accompanying documentation.
Maybe just take a look and see whether you can use it.
Of course it's #opensource, described at https://github.com/himbeer-toni/UserScripts/blob/main/fetch-missing-ca.md, where there's also a download link.
I'd be glad if it helps someone!
#opensource #programming #debian #linux #RasPi #sysAdmin #git #github #selfhost #selfhosted #selfhosting
#opensource #foss #homelab #homeserver #software #raspi #RasPi #sysAdmin #TLS #SSL #certificates
@digitalcourage
@linuxnews
@drscriptt granted, we all want 203.0.113.1¹ to have #SSL / #TLS (even if it's just @letsencrypt) work than not work or have no #encryption.
I just think that this will reward previously standards-violating behaviours when i.e. Xavier Sample Solutions don't get nudged to use i.e. api.solutions.example² but can just use their IP addresses.
English version on my blog:
Since @alxd introduced me to the concept, I scoured the #SSL #SolarpunkSeedLibrary to explore which #hieroglyphs were most common and which were absent.
Here's some analysis and ideas for other fellow solarpunks!
"We've Issued Our First IP Address Certificate" - Let's Encrypt
https://letsencrypt.org/2025/07/01/issuing-our-first-ip-address-certificate/
Big news from Let's Encrypt! Since 2015, there have been requests for certificates for IP addresses—a rare offering among certificate authorities. Today, they've issued their first certificate for an IP address! As announced earlier this year, this feature is now being rolled out gradually to subscribers.
Let’s Encrypt Begins Supporting IP Address Certificates • Linuxiac
https://linuxiac.com/lets-encrypt-begins-supporting-ip-address-certificates/
It seems I need to restart my server (Ubuntu) after I renew my Certbot certificate in order for the update to be recognised. Probably could just restart Nginx I expect, but anyway... any clever peeps on here that know if I can actually get the renewed certificate (and its validity dates) served up without any downtime? #certbot #ssl #server #linux
Let's #Encrypt rolls out free IP address #certificates • The Register
Let's Encrypt, a #CertificateAuthority (CA) known for its free TLS/SSL certificates, has begun issuing digital certificates for IP addresses.
It's not the first CA to do so. #PositiveSSL, #Sectigo, and #GeoTrust all offer TLS/SSL certificates for use with IP addresses, at prices ranging from $40 to $90 or so annually. But Let's Encrypt does so at no cost.
#security #tls #ssl #privacy
https://www.theregister.com/2025/07/03/lets_encrypt_rolls_out_free/
Speaking of better things: I contributed to @alxd's Story Seed Library (#Biblioteca dei Semi Narrativi) project: you can now browse all the entries in Italian too!
https://storyseedlibrary.org/it
If you need #solarpunk illustrations (#illustrazioni) for your projects, the #SSL is full of fantastic works, all copyleft! Help yourselves freely and, if you know another language, step up and translate! It only takes a few afternoons
@cR0w too many.
http://github.com/kkarhan/windows-ca-backdoor-fix
So far testing by @ct_Magazin / @heiseonline (and myself later on) revealed only a few #Apps not vulnerable to this specific #Govware:
Anything else that uses the CryptoAPI is, especially *all* #Chromium-Forks (aka. All Browsers except Firefox, Tor Browser, #dillo, #LynxBrowser…)
@matthiasott giving me #ssl vibes
@christopherkunz #UnpopularOpinion: The #ValueRemoving #RentSeeking nature of #SSL-#Certificates is the problem.
Solutions that tried to unfuck this ( @cacert ) got cockblocked by #Apple and #Microsoft whilst @letsencrypt which basically provides certificates to everyone and everything gets a free pass.
DNSSEC is a big deal. It’s complex, but it doesn’t have to be boring. So we figured, why not let a taco explain it? We’re demystifying DNSSEC in the most entertaining way possible, complete with quirky jokes and characters. We love sharing our knowledge of all things #DNS, #SSL certs, and #DNSSEC, and we hope you enjoy this interactive exploration of How DNSSEC Works!
In case you haven't seen it yet, check out the analysis of the devastating state of [mostly] modern #OpenSSL by members of haproxy at https://www.haproxy.com/blog/state-of-ssl-stacks - hard to imagine such massive performance regressions getting into mainline linux distributions unnoticed by the distributors. #linux #ssl
Tech vocabulary question:
Are you seeing people still referring to "SSL" as the most natural thing, or have we finally moved on to calling TLS simply "TLS"?
TLS was introduced more than 25 years ago as an SSL replacement. SSL v3 was deprecated 10 years ago. Isn't it time we also deprecate the use of the term SSL?
My opinion is that we're looking less professional by continuing to deadname TLS.
Thankful for any input and observations from your part of the IT / networking fields.
Does anyone have experience with LetsEncrypt (certbot) and DNSSEC?
I have an issue with a hostname in a domain (that I do not have admin access to). The domain has a DS record, and certbot complains about invalid CAA this or that.
I found this, but can't really figure out if this points me to the issue at hand:
https://community.letsencrypt.org/t/no-caa-dnssec-nonexistence-proof-issuance-failure/99049
https://www.digicert.com/blog/tls-certificate-lifetimes-will-officially-reduce-to-47-days
The CA/Browser Forum has officially voted to amend the TLS Baseline Requirements to set a schedule for shortening both the lifetime of TLS certificates.
The maximum certificate lifetime is going down:
- As of March 15, 2026, the maximum lifetime for a TLS certificate will be 200 days.
- As of March 15, 2027, the maximum lifetime for a TLS certificate will be 100 days.
- As of March 15, 2029, the maximum lifetime for a TLS certificate will be 47 days.