Closed pushcx closed 3 years ago
email should now be using TLS, verified by inspecting headers from an @gmail account:
ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@lobste.rs header.s=prgmr-0 header.b=bypOhpX4; spf=pass (google.com: domain of nobody@lobste.rs designates 71.19.148.33 as permitted sender) smtp.mailfrom=nobody@lobste.rs; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=lobste.rs Return-Path: nobody@lobste.rs Received: from lobste.rs (lobste.rs. [71.19.148.33]) by mx.google.com with ESMTPS id a1si3400595plp.90.2017.10.26.13.17.10 for []@gmail.com (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 26 Oct 2017 13:17:10 -0700 (PDT)
Solid fix, thanks!
oops, of course that's only one part of this roundup bug, reopening
There is also an Ansible module for LE.
Commenting as a marker to look at this over the weekend. I've set up letsencrypt on my properties a couple times and as a lobsters reader of several years seems like the least I can do to try and pick this up
@taoeffect acme-client focuses a lot more on security - doing priv-sep / chrooting (pledge on OpenBSD).
That's the primary reason. The other is that certbot is Python with a bunch of dependencies and it wants to automagically edit the nginx conf, which is more automation than I like to see in security-related areas.
You can use certbot's webroot mode to have it only generate the challenge files and not edit the configuration. Though acme-client's use of pledge is awesome.
I've configured certbot, which seems to preferred way to do this now.