Hey guys, my HTTPS site validates happily, but an ssh command still needs to be manually added to known hosts. Seems the certificate is not being seen by ssh:
$> ssh thehost.org
The authenticity of host 'thehost.org (118.209.XXX.XXX)' can't be established.
ECDSA key fingerprint is SHA256:iARZxKGq+R1rNgjcFuPOzqXsJc0CYbxTjgowb1krt00.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'thehost.org' (ECDSA) to the list of known hosts.
Interestingly, there is a concept of an "SSH certificate", but it is not at all widely used.
A difference between the two applications is that the certificates for use with TLS (like HTTPS) are often meant to be accepted and validated by "the public" while SSH host keys are often meant to be accepted and validated by a very limited group of authorized users (who may have a pre-existing relationship with the server operator, or even be server operators). I think that's why a similar PKI for SSH keys has not become widespread.
@ahaw021 - Thanks for your response. Upon further reading I have found a slight contradiction that was actually contained in your link (as mentioned by @schoen). https://www.ssh.com/ssh/host-key - “Host Certificates”
OpenSSH does use Public key encryption keys as “host certificates”; however, they are not the X.509 standard and the Let’s Encrypt keys will not be able to be used (OpenSSH uses another format for signing keys).
It’s a shame because, it would seem to me, if the TECTIASSH ssh method was used, the Let’s Encrypt validated host might have been used as a signing CA (given we have both Public and Private Keys), and we could have registered our own host as the local CA cert with a complete chain of authority. Full certification with a Certificate Authority for SSH. Seems we’re all waiting for https://tools.ietf.org/html/rfc4255 to be solved…
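An added example, not part of the thread and not code from any poster or project: how the SHA256 fingerprint that ssh prints at the prompt above is derived from a host public key, and how the same key maps to the SSHFP DNS record that RFC 4255 defines. The sample key is constructed, and the algorithm and fingerprint-type numbers are taken from RFC 4255, RFC 6594 and RFC 7479, not from the page.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479); not from the thread.
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1, "ssh-dss": 2, "ssh-ed25519": 4,
    "ecdsa-sha2-nistp256": 3, "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
}
SSHFP_SHA256 = 2  # fingerprint type 2 = SHA-256 (RFC 6594)

def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def parse_public_key(line: str):
    """Return (key_type, raw_blob) from a '<type> <base64> [comment]' line."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64-blob>'")
    key_type = fields[0]
    blob = base64.b64decode(fields[1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (name_len,) = struct.unpack(">I", blob[:4])
    # The blob repeats the key type; reject a line whose label disagrees.
    if blob[4:4 + name_len] != key_type.encode():
        raise ValueError("declared key type does not match key blob")
    return key_type, blob

def openssh_fingerprint(line: str) -> str:
    """Fingerprint as ssh shows it: unpadded base64 of SHA-256(blob)."""
    _, blob = parse_public_key(line)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def sshfp_record(hostname: str, line: str) -> str:
    """Zone-file SSHFP line carrying the same hash in hex."""
    key_type, blob = parse_public_key(line)
    if key_type not in SSHFP_ALGORITHMS:
        raise ValueError(f"no SSHFP algorithm number for {key_type}")
    alg = SSHFP_ALGORITHMS[key_type]
    return f"{hostname} IN SSHFP {alg} {SSHFP_SHA256} {hashlib.sha256(blob).hexdigest()}"

# Constructed sample key (32 placeholder bytes), not a real host key.
SAMPLE_KEY_LINE = "ssh-ed25519 " + base64.b64encode(
    _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))).decode()

if __name__ == "__main__":
    print(openssh_fingerprint(SAMPLE_KEY_LINE))
    print(sshfp_record("thehost.org", SAMPLE_KEY_LINE))
```

An OpenSSH client consults SSHFP records only when VerifyHostKeyDNS is enabled, and the record is only as trustworthy as the DNSSEC validation behind it.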