Looking for FAQs

Not a problem... :slightly_smiling_face:

so long as the final writing is formally presented in iambic pentameter complete with heroic couplets. :face_with_monocle:

Reach deep... find a word that rhymes with orange...

1 Like

Two comments on your key rotation:

I did not pick this up on your post last year, but the Account Key rollover is fairly new. I think it went live with LetsEncrypt in 2016 or 2018 - I can’t remember. As such, clients written before then did not initially support it, and not many current ones do either. It’s one of the last things client devs support; certbot does not support this and has no plans to (it was milestoned in 2017, then deprioritized in 2020).

In terms of Private Key cycling, with complex integrations I prefer to cycle keys by day or week. I.e. all certs procured on a certain day/week share the same private key as long as the domain traffic is below a threshold. This is simply to lower the memory load on the terminating SSL server. IMHO, this doesn’t pose a larger security concern, because our security response plan assumes all managed keys are compromised if any one key is compromised. The threshold rule is in place to minimize the potential for traffic analysis/brute force.

5 Likes

This randomly popped into my head this morning:

  • What do I do if I hit a ratelimit?

When it comes to "Duplicate Certificate" limits, my own approach has been to tell people their integration has problems, and then recommend the bypass trick of adding a new domain to the certificate as a temporary measure.

What I randomly realized today, is that a lost/never-downloaded Certificate might be recoverable and usable from crt.sh if the Private Key is still saved to disk. I haven't looked to see which, if any, clients save or log the private key when the CSR is generated - but I assume some might.

4 Likes

Several of us here have tried to go down this route on more than a few occasions when helping people who have deleted their certificates. The majority of the time, the private keys are gone. I've never seen a client log a private key as I suspect that most probably just dump the private key onto non-volatile storage as soon as it and the CSR are generated. I don't think I would like a client to log the private key as I feel like this "second copy" could end up somewhere with worse permissions than the home of the "original copy". Imagine if people were posting client logs containing private keys... :grimacing:

On the rare occasion that the help-seeker has retained a private key and downloaded the desired certificate from crt.sh, the next step is always making sure it's the right private key. Much of the time there are many keys for many duplicate certificates, which makes this process a barrel of laughs. :clown_face: Clearly the openssl command line comes in handy here, though I've found that looking at dates along with installation trial-and-error are often faster and less error-prone.

It is because of all of this, of course, that the following came about:

Hopefully we will soon be able to say: just fix the problem, you can try again in an hour.

2 Likes
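The "make sure it's the right private key" step from the post above, as an added shell example that is not from this thread or from any Let's Encrypt client: it derives the public key from each candidate private key with the openssl CLI and compares it with the public key embedded in the certificate downloaded from crt.sh. The directory layout, the `*.pem` / `*.key` naming, and the throwaway EC key pair and self-signed certificate built by `demo` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not code from the original thread): given a certificate
# recovered from crt.sh and a directory of leftover private keys, find the
# key whose public half matches the certificate. Only the openssl CLI is used.

# Print the PEM SubjectPublicKeyInfo embedded in a certificate.
cert_pubkey() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null
}

# Print the PEM SubjectPublicKeyInfo derived from a private key (RSA or EC).
# Prints nothing for encrypted keys, since no passphrase is supplied.
key_pubkey() {
    openssl pkey -in "$1" -pubout 2>/dev/null </dev/null
}

# Return 0 if KEY is the private half of the key pair certified by CERT.
match_key_to_cert() {
    cert="$1"; key="$2"
    a=$(cert_pubkey "$cert") || return 1
    b=$(key_pubkey "$key") || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Scan DIR for *.pem / *.key files (assumed naming); print the first one that
# matches CERT and return 0, or return 1 if none does. Files that are not
# private keys (e.g. the certificate itself) simply fail to match.
find_key_for_cert() {
    cert="$1"; dir="$2"
    for f in "$dir"/*.pem "$dir"/*.key; do
        [ -f "$f" ] || continue
        if match_key_to_cert "$cert" "$f"; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# Demo on constructed data: a decoy key, a real key, and a self-signed cert
# issued for the real key, so the script runs without any real material.
# Prints the basename of the matching key ("real.key").
demo() {
    d=$(mktemp -d)
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/decoy.key"
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/real.key"
    openssl req -x509 -new -key "$d/real.key" -subj "/CN=example.test" \
        -days 1 -out "$d/example.test.pem" 2>/dev/null
    result=$(find_key_for_cert "$d/example.test.pem" "$d") || { rm -rf "$d"; return 1; }
    rm -rf "$d"
    basename "$result"
}
```

Usage against real material is `find_key_for_cert /path/to/crt.sh-download.pem /path/to/old-keys`. Passphrase-protected keys never match here because no passphrase is given; decrypt them first or add `-passin` to `key_pubkey`. Comparing the SubjectPublicKeyInfo rather than a modulus hash is what makes the same check work for both RSA and EC keys.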

If there are two people who do the most posting, you're given a message to "get a room" (PM). :laughing:

Oh no! Another one with multiple personalities? On one forum we had one person with 35! The only way to tell them apart is that they were numbered. :grimacing:

This has popped up a few times:

“Your system is not supported by certbot-auto anymore.”

3 Likes

Inspired by something @Osiris said about cloud hosters, what would be a neutral and friendly way to ask, "Are you sure you checked all your firewalls on your virtual machine"?

4 Likes

Perhaps prefaced with something like this... :grin:

Can you reach your website/device from your phone?

If not, neither can we.

1 Like

This is usually very helpful, but maybe less so with things like those Synology NASes—where it's pretty likely that the user's phone is on the same LAN as the NAS box. :frowning:

We probably want something like check-your-website / letsdebug / etc. as a backup in this case.

2 Likes

I was meaning a smart phone on a wireless/cellular network.

1 Like

Yes, but there's a lot of incentive to get your smart phone to join your home LAN. My phone even gives me a warning if an app uses more than a certain amount of mobile data, whereas there is no such warning for wifi (possibly based on the common situation where mobile data is metered or capped, while wifi is connected to a fixed broadband link that isn't metered or capped, or much less noticeably so). Signal also has built-in features that suggest, for example, autodownloading media over a wifi link but not over mobile data. So smartphones are probably nudging their users... "please, please, let me onto the home wifi! it will be so much better!".

Edit: so we could just emend this to

"Can you reach your website/device from your phone, with wifi turned off on the phone?"

4 Likes

That's a good idea to be more precise. It saves time on bad assumptions. :heart:

3 Likes