LetsMonitor.org - Monitoring certificates

After poking around a bit, it looks like Node has a way to inject CAs.

1 Like

Hello there,

I have a few questions regarding Let’s monitor:

  1. Is it possible to implement 2FA to secure the login of the account?
  2. Is there an API that I could use (for automation with puppet or ansible) to set up contacts and/or certificates to monitor?

Best regards,
René

  1. The login does not support 2FA
  2. Yes! The API is going to be released as soon as the issue list gets to a manageable level.

Thank you very much - this seems to be a really useful service as a backup in case one’s automatic certificate renewal fails. I am loading my domains in right now.

A very small suggestion: Enable DKIM on your domain. Right now, in Gmail you have the “from” address showing as "alert@letsmonitor.org via amazonses.com". Throwing a DKIM record in and having Amazon SES sign your messages (this shouldn’t require your application code to be updated - it can all be done from the AWS console) will help your reputation in the future and get rid of that via amazonses.com message.

Great suggestion. Will make it so.

So we already had the DKIM records in our DNS setup. However, even though the domain was already verified for DKIM, SES does not automatically enable it. SES requires that you also enable it via an option on the DKIM setup page. Missed that.

Try it now.

That worked perfectly - I see the appropriate DKIM signatures and no longer have the “via” section of the from address.

Authentication result headers:

Authentication-Results: mx.google.com;
dkim=pass header.i=@letsmonitor.org;
dkim=pass header.i=@amazonses.com;
spf=pass (google.com: domain of
01010155e47f2baa-d2923620-c5b6-4388-a6af-d2ba8034a233-000000@us-west-2.amazonses.com
designates 54.240.27.154 as permitted sender)
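The header dump above is what a receiving mail server records after checking DKIM and SPF. As an added example (not code from the thread or from LetsMonitor), here is a small parser for that header format plus a check that the message carries a passing DKIM signature from the sender's own domain, which is exactly the difference between the "via amazonses.com" state and the fixed state. The sample headers are constructed, modelled on the one quoted in the thread.

```python
"""Parse RFC 8601 Authentication-Results headers and decide whether mail from
a given sender domain is authenticated by that domain's own DKIM key.

Added example, not part of the original thread. Sample headers are constructed.
"""
import re

# Constructed sample: the state after DKIM signing was enabled in SES.
AFTER_DKIM = """Authentication-Results: mx.google.com;
       dkim=pass header.i=@letsmonitor.org;
       dkim=pass header.i=@amazonses.com;
       spf=pass (google.com: domain of bounce-id@us-west-2.amazonses.com designates 54.240.27.154 as permitted sender)"""

# Constructed sample: the earlier state, signed only by the relay's domain.
BEFORE_DKIM = """Authentication-Results: mx.google.com;
       dkim=pass header.i=@amazonses.com;
       spf=pass (google.com: domain of bounce-id@us-west-2.amazonses.com designates 54.240.27.154 as permitted sender)"""


def parse_auth_results(header: str):
    """Return (authserv_id, [ {method, result, prop...}, ... ]).

    Parenthesised comments are CFWS and carry no machine-readable meaning,
    so they are stripped before splitting on ';'.
    """
    body = re.sub(r"(?i)^authentication-results:\s*", "", header.strip())
    body = re.sub(r"\([^)]*\)", " ", body)          # drop comments
    parts = [p.strip() for p in body.replace("\n", " ").split(";")]
    authserv_id = parts[0].split()[0]
    results = []
    for part in parts[1:]:
        if not part:
            continue
        tokens = part.split()
        method, _, result = tokens[0].partition("=")
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results.append({"method": method.lower(), "result": result.lower(), **props})
    return authserv_id, results


def _signing_domain(entry: dict) -> str:
    """Domain from header.d= or header.i= (the part after '@'), lower-cased."""
    value = entry.get("header.d") or entry.get("header.i") or ""
    return value.rsplit("@", 1)[-1].lower()


def sender_is_authenticated(header: str, sender_domain: str) -> bool:
    """True if SPF passed and a DKIM signature aligned with sender_domain passed.

    A passing DKIM result from a relay's domain (e.g. amazonses.com) does not
    count: only a signature by the sender's own domain proves the sender
    authorised the message, which is why mail clients show "via" otherwise.
    """
    _, results = parse_auth_results(header)
    dkim_ok = any(
        r["method"] == "dkim" and r["result"] == "pass"
        and _signing_domain(r) == sender_domain.lower()
        for r in results
    )
    spf_ok = any(r["method"] == "spf" and r["result"] == "pass" for r in results)
    return dkim_ok and spf_ok


if __name__ == "__main__":
    for label, hdr in (("before", BEFORE_DKIM), ("after", AFTER_DKIM)):
        print(label, sender_is_authenticated(hdr, "letsmonitor.org"))
```

The same check is what an inbound mail filter or a DMARC aggregate-report consumer does when it evaluates DKIM alignment: a pass is only meaningful when the signing domain matches the visible From domain.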

Would you consider integration into Google Calendar?

That is a great feature request. I think it would be really cool to have expirations on your calendar. I will see how that fits into our work schedule.

Any thoughts about making this thing open source?

Would be happy to create a german alternative to your project, so you’ll save server- and sms-fees.

1 Like

Yes. We have four components to this:

  • The ‘station’, which is for the distributed monitoring servers.
  • The communications service, which dispatches tests, gets feedback from the stations and sends the alerts.
  • The API. This manages accounts, monitors, contacts and the like.
  • The website.

Where I’m seeing interest in open source is the station code and the website. Are you interested in making a German version of the website? If so, that would be great. It’s internal code right now, but we can open source it.

1 Like

Are you interested in making a German version of the website?

Yes, I'd be really happy to do this and contribute to your work! Just shoot me a short mail, so that we can talk about that in private! My mail-address is letsencrypt@dominicpratt.de.

I couldn’t find any way to contact you, so bumping the thread. Are you planning to add proper monitoring for domains with both RSA and ECDSA certificates?

1 Like

Can you give me an example? Just so you know, right now we check whether the cert loads, the domain matches, the connection is encrypted and the dates are valid. We will be checking for compromised ciphers, revoked CAs and a few other items in the future.

I’m talking about this: https://blog.joelj.org/dual-rsaecdsa-certificates-in-apache-2-4/

There are two distinct certificate chains in this case; they are served based on whether the client can do ECDSA. To test both of them, I guess, you need to stop announcing ECDSA-based ciphers.

1 Like

Tough issue. It passes one test for one cert, but of course does not pick up both. Forgive me for the lack of knowledge on how these co-exist. Am I correct in thinking that we would need to restrict the cipher set for each query?

I believe so. Restrict the set to RSA-only ciphers to get one cert, and restrict to ECDSA to get the other (you can’t be sure which one is set as preferred by the remote server).

What if we added a way to enter your own cipher sets into a monitor? Then, you could create two monitors. One for RSA and one for ECDSA.

I think an explicit RSA/ECDSA certificate check is more explicit (as an option, to avoid doubling the number of requests).

For that I have to expose the same cert chains on different domains with custom cipher sets. Suboptimal.
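The approach agreed on above (restrict the offered cipher suites to RSA-authenticated ones for one query and ECDSA-authenticated ones for the other) can be done with the standard library alone. The following is an added example, not LetsMonitor's station code and not from the linked blog post; the target host is a hypothetical placeholder. It implements the "explicit RSA/ECDSA check" as one function that issues two handshakes and reports which chain each one got, including the expiry, which is the thing a monitor actually cares about. One caveat the thread does not spell out: TLS 1.3 cipher suites are not tied to the certificate key type and ignore the OpenSSL cipher list, so the probe caps the handshake at TLS 1.2, where the cipher list still decides which chain the server picks.

```python
"""Probe both certificate chains of a dual RSA/ECDSA TLS deployment.

Added example, not code from the thread or from LetsMonitor. The target host
used in __main__ is a hypothetical placeholder.
"""
import socket
import ssl
import time
from typing import List, Optional

# OpenSSL cipher-list strings: "aRSA" keeps suites authenticated by an RSA
# certificate, "aECDSA" those authenticated by an ECDSA certificate.
CIPHER_FILTERS = {
    "rsa": "aRSA:!aNULL:!eNULL",
    "ecdsa": "aECDSA:!aNULL:!eNULL",
}


def make_context(key_type: str) -> ssl.SSLContext:
    """Verifying client context that only offers suites for one key type.

    TLS 1.3 suites (TLS_AES_*, TLS_CHACHA20_*) work with either key type and
    are unaffected by set_ciphers(), so the handshake is capped at TLS 1.2.
    """
    ctx = ssl.create_default_context()
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(CIPHER_FILTERS[key_type])
    return ctx


def offered_cipher_names(ctx: ssl.SSLContext) -> List[str]:
    """Names of the TLS 1.2 suites the context will offer (TLS 1.3 entries excluded)."""
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def days_until_expiry(cert: dict, now: Optional[float] = None) -> float:
    """Days remaining on a cert dict as returned by SSLSocket.getpeercert()."""
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    current = time.time() if now is None else now
    return (not_after - current) / 86400


def fetch_chain_info(host: str, key_type: str, port: int = 443, timeout: float = 10) -> dict:
    """Handshake with the restricted cipher list and report what the server sent.

    The negotiated cipher name proves which chain was used (e.g.
    ECDHE-ECDSA-... versus ECDHE-RSA-...). ssl.SSLError propagates when the
    server has no chain for that key type; for a monitor that is a finding,
    not noise.
    """
    ctx = make_context(key_type)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cipher_name, version, _bits = tls.cipher()
            cert = tls.getpeercert()
    return {
        "requested": key_type,
        "cipher": cipher_name,
        "protocol": version,
        "subject": dict(rdn[0] for rdn in cert["subject"]),
        "days_left": days_until_expiry(cert),
    }


def check_dual_chains(host: str, port: int = 443) -> dict:
    """Explicit RSA/ECDSA check: one result per key type, errors captured."""
    report = {}
    for key_type in CIPHER_FILTERS:
        try:
            report[key_type] = fetch_chain_info(host, key_type, port)
        except (ssl.SSLError, OSError) as exc:
            report[key_type] = {"requested": key_type, "error": str(exc)}
    return report


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # hypothetical target
    for key_type, info in check_dual_chains(target).items():
        print(key_type, info)
```

Run it as `python probe.py host.example` (hypothetical name). A server that only has an RSA chain will answer the `ecdsa` probe with a handshake failure, which is the signal that the expected second certificate is missing rather than merely not preferred; a server that has both returns two results with different negotiated cipher names and possibly different expiry dates, and the monitor alerts on the shorter one.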