home.social

#acmesh — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #acmesh, aggregated by home.social.

  1. @monotux thanks for the tip 🙂 (or: reminder... IIRC I stumbled upon #smallstep after reading @jwildeboer writing about step-ca and forgot to test it).

    For the Molecule Continuous Integration embedded in my #Ansible #acmesh collection, pebble was/is charming as it is *really really really* simple to set up and small.

    But I will consider replacing #pebble with smallstep, as it would let me gain Smallstep experience that I could potentially reuse for other (production) use cases.

  4. TIL (today I learned): @letsencrypt has a neat little project for running a test CA for the ACME protocol called Pebble.

    github.com/letsencrypt/pebble

    letsencrypt.org/2025/04/30/peb

    I just wired it into the tests for the foundata.acmesh #Ansible collection inside each #Podman
    container to test the webroot challenge end-to-end across all platforms without requiring external infrastructure:

    github.com/foundata/ansible-co

    #acmesh #opensource #devops

  9. Certbot doesn't define CN by default which is required by pgBackRest and OpenVPN as of today. I tried to use a CSR but Certbot doesn't automatically renew those certificates making certbot pointless. I'm now using acme.sh and it just works github.com/acmesh-official/acm

    #acme #acmesh #certbot #tls #ssl #openvpn #pgbackrest

  14. TLS auto-renewal breaks too

    Feed text: For many years the information security industry has been trying to improve encryption standards on the web in two ways: mass adoption of HTTPS as the common encryption standard for all sites, even those that formally need no protection. A great deal of time has been spent convincing users of the importance of encrypting absolutely all communications; and shortening the validity period of SSL/TLS certificates, to push users into adopting automated procedures/scripts for certificate auto-renewal and so eliminate the "human factor", the sysadmins who forget to replace certificates. But sometimes that is not enough. Unfortunately, automated certificate-renewal scripts can fail too.

    habr.com/ru/companies/globalsi

    #tls #сертификат #acme #letsencrypt #шифрование #certbot #acmesh #dns #bazel

  18. 🚀 New Release: #Ansible collection foundata.acmesh 1.2.1 🎉

    🔐 Rootless service user, configurable storage paths
    ⏱️ Auto certificate renewal via systemd
    📦 Pre-seed cert upload to avoid CA rate limits

    Project: foundata.com/en/projects/ansib

    Examples: github.com/foundata/ansible-co

    Galaxy: galaxy.ansible.com/ui/repo/pub

    #acmesh #OpenSource #Automation #DevOps

  19. Decided to turn this Toot (mastodon.eddmil.es/@iMeddles/1) into a blogpost, with a slightly overly grumpy title. This details why I think acme.sh uses an insecure default, how people using acme.sh should remedy this, and why (despite the title) it's probably not *that* big of a deal:

    i.am.eddmil.es/posts/acmesh-in

    #acme #acmesh #LetsEncrypt

  24. TiL that #acmesh, unlike just about any other #acme client I've used, doesn't rotate the private key at renewal by default. And by "TiL" I meant "just had to spend 20 mins reconfiguring a bunch of servers to do it correctly". That'll teach me to read the docs closer and not make assumptions. (I won't learn the lesson of course, but it'll teach me anyway)
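
A check for the two certificate problems raised in the posts above, the certbot "no CN" complaint in post 9 and the acme.sh key-reuse default in posts 19 and 24, as an added example that is not code from acme.sh, certbot or any of the posters. It reads two PEM certificates, reports whether the renewed one carries a subject CN, and compares the SHA-256 of each SubjectPublicKeyInfo (the digest used for public-key pinning, so it works for RSA and EC keys alike) to tell whether the renewal reused the old private key. The DER walker and the constructed, unsigned sample certificates are mine, built so the check runs offline; the names `fake_cert_pem` and `check_renewal` are this example's, not the projects'.

```python
"""Does the renewed certificate carry a CN, and did its private key change?

Added example, not code from acme.sh, certbot or the posts' authors.
Standard library only: a small DER walker extracts the subject Name and
the SubjectPublicKeyInfo from an X.509 certificate; keys are compared by
the SHA-256 of the SPKI. fake_cert_pem() builds constructed, unsigned
sample certificates with dummy key bits so everything runs offline.
"""
import base64
import hashlib
import re

OID_CN = bytes.fromhex("550403")  # id-at-commonName, 2.5.4.3

def der_encode(tag, value):
    """One DER TLV with a definite length (short or long form)."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value

def der_tlv(buf, pos=0):
    """Decode the TLV at pos: (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Members of a SEQUENCE/SET body as (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, inner, pos = der_tlv(value, pos)
        out.append((tag, inner))
    return out

def pem_to_der(pem):
    """Base64-decode the first CERTIFICATE block of a PEM string."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block in input")
    return base64.b64decode("".join(m.group(1).split()))

def subject_and_spki(der):
    """(subject Name body, full SubjectPublicKeyInfo TLV) of a certificate."""
    _, cert, _ = der_tlv(der)                          # Certificate ::= SEQUENCE
    fields = der_children(der_children(cert)[0][1])    # tbsCertificate members
    if fields[0][0] == 0xA0:                           # drop optional [0] version
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, spki
    return fields[4][1], der_encode(*fields[5])

def common_name(subject):
    """CN attribute of a subject Name, or None when there is none (SAN-only cert)."""
    for _, rdn in der_children(subject):               # RDNSequence -> SET ...
        for _, atv in der_children(rdn):               # ... -> AttributeTypeAndValue
            (_, oid), (_, val) = der_children(atv)
            if oid == OID_CN:
                return val.decode("utf-8")
    return None

def spki_pin(der):
    """Base64 SHA-256 of the SPKI; equal pins mean the same public key."""
    return base64.b64encode(hashlib.sha256(subject_and_spki(der)[1]).digest()).decode()

def check_renewal(old_pem, new_pem):
    """CN of the renewed certificate and whether it reused the old key."""
    old, new = pem_to_der(old_pem), pem_to_der(new_pem)
    return {"cn": common_name(subject_and_spki(new)[0]),
            "key_reused": spki_pin(old) == spki_pin(new)}

def _name(cn):
    """Constructed helper: a Name holding a single CN, or an empty Name."""
    if cn is None:
        return der_encode(0x30, b"")
    atv = der_encode(0x30, der_encode(0x06, OID_CN) + der_encode(0x0C, cn.encode()))
    return der_encode(0x30, der_encode(0x31, atv))

def fake_cert_pem(cn, key_bits):
    """Constructed sample: a structurally valid, unsigned cert around dummy RSA key bits."""
    rsa_alg = der_encode(0x30, der_encode(0x06, bytes.fromhex("2a864886f70d010101")) + der_encode(0x05, b""))
    spki = der_encode(0x30, rsa_alg + der_encode(0x03, b"\x00" + key_bits))
    sig_alg = der_encode(0x30, der_encode(0x06, bytes.fromhex("2a864886f70d01010b")))
    utc = der_encode(0x17, b"250101000000Z")
    tbs = der_encode(0x30, der_encode(0xA0, der_encode(0x02, b"\x02")) + der_encode(0x02, b"\x01")
                     + sig_alg + _name("Constructed Test CA") + der_encode(0x30, utc + utc)
                     + _name(cn) + spki)
    b64 = base64.b64encode(der_encode(0x30, tbs + sig_alg + der_encode(0x03, b"\x00dummy"))).decode()
    return ("-----BEGIN CERTIFICATE-----\n"
            + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            + "\n-----END CERTIFICATE-----\n")
```

Point `check_renewal()` at a copy of the certificate kept from before a renewal and at the freshly renewed one (acme.sh stores them by default under `~/.acme.sh/<domain>/<domain>.cer`). `key_reused: True` is what the acme.sh default produces; its documented switch to generate a fresh domain key at every renewal is `--always-force-new-domain-key`, given at `--issue` time. `cn: None` is the SAN-only subject shape that post 9 reports pgBackRest and OpenVPN rejecting.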

  29. For Home Assistant, the Let's Encrypt add-on can be used to create your own SSL certificate to secure the communication between the server and the clients.

    strobelstefan.de/blog/2025/03/

    #letsencrypt #acmesh #homeassistant

  33. Let's Encrypt is discontinuing its notifications for expiring certificates.
    A wonderful reason to automate the whole process for your own systems with acme.sh.

    An example: for your own Nextcloud, switching from Certbot to acme.sh.

    #letsencrypt #acmesh #nextcloud #raspberrypi

    strobelstefan.de/blog/2025/03/

  38. @tootbrute @sbb

    In case you are interested how I solved having a publicly signed SSL certificate for a home server not connected to the Internet, here is what I did:

    codeberg.org/harald/Codeschnip

    The downside: there seems to be no way without having a registered domain. It took me unnecessary time to accept this. The upside: taking the step to get yourself a domain is simpler and cheaper than I was aware of and with the right tool, the rest was easy enough.

    #dns #homeserver #acmesh #letsencrypt

  43. New blog post: Renew DNS-01 Let’s Encrypt certificates with Acme.sh, Docker, SaltStack and Gandi LiveDNS

    The HTTP-based challenge to issue LetsEncrypt certificates can’t be used for internal or non-HTTP servers. This post describes the use of acme.sh in Docker to issue and renew certificates over DNS via SaltStack.

    https://blog.narf.ssji.net/2024/09/30/renew-dns-01-lets-encrypt-certificates-with-acme-sh-docker-saltstack-and-gandi-livedns/

    #AcmeSh #Docker #GandiLiveDNS #LetSEncrypt #PGP #SaltStack #engineering #security #sysadmin #tip

  48. Obtaining a wildcard Let's Encrypt certificate with acme.sh

    Obtaining wildcard certificates with acme.sh and DNS-based validation via Cloudflare. Plus working scripts.

    habr.com/ru/articles/845954/

    #acmesh #letsencrypt #acmedns #cloudflare #wildcard #domains
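
Posts 38, 43 and 48 all lean on the DNS-01 challenge, because it is the only one that works for hosts that are not reachable over HTTP (an offline home server, an internal service, a wildcard). What the client actually publishes is fixed by RFC 8555 section 8.4 and RFC 7638, and the added example below computes it so a `_acme-challenge` TXT record can be checked before the CA is asked to validate. This is not code from acme.sh or from the linked articles; the account key and token are constructed sample values, and `txt_matches`, `dns01_txt_value` and the other names are this example's own.

```python
"""What an RFC 8555 client such as acme.sh publishes for a dns-01 challenge.

Added example, not code from acme.sh or the linked posts; standard library
only. TXT value = base64url(SHA-256(token "." thumbprint)), where thumbprint
is the RFC 7638 JWK thumbprint of the ACME account key, published at
_acme-challenge.<identifier> with a leading "*." removed for wildcards.
SAMPLE_JWK and SAMPLE_TOKEN are constructed values, not real credentials.
"""
import base64
import hashlib
import json

# RFC 7638: the members that enter the thumbprint, per key type, and nothing else
# (kid, alg, use and any private members are deliberately left out).
THUMBPRINT_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}

def b64url(data):
    """base64url without padding, as ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def canonical_jwk(jwk):
    """Required members only, lexically ordered, no whitespace (RFC 7638 section 3)."""
    members = THUMBPRINT_MEMBERS[jwk["kty"]]
    return json.dumps({k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":"))

def jwk_thumbprint(jwk):
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode()).digest())

def key_authorization(token, jwk):
    """token.thumbprint: served verbatim for http-01, hashed once more for dns-01."""
    return f"{token}.{jwk_thumbprint(jwk)}"

def dns01_txt_value(token, jwk):
    """The string the client must put into the TXT record for this token."""
    return b64url(hashlib.sha256(key_authorization(token, jwk).encode()).digest())

def dns01_record_name(identifier):
    """A wildcard and its base name are validated under the same record name."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return "_acme-challenge." + base

def txt_matches(published, token, jwk):
    """True when one of the published TXT strings is the expected value.
    Membership, not equality: an order for *.example.test plus example.test
    needs two TXT records under _acme-challenge.example.test at the same time,
    and a stale record from an earlier run is harmless while the right one exists."""
    return dns01_txt_value(token, jwk) in published

# Constructed sample account key (P-256 JWK shape; coordinates are filler) and a
# token shaped like the one in the RFC 8555 examples.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "kid": "ignored-by-thumbprint",
              "x": "c29tZS1jb25zdHJ1Y3RlZC14LWNvb3JkaW5hdGUtZmlsbGVy",
              "y": "c29tZS1jb25zdHJ1Y3RlZC15LWNvb3JkaW5hdGUtZmlsbGVy"}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
```

In practice you would feed `dns01_txt_value()` the token from the challenge object and the account key acme.sh keeps for the CA, then compare the result with what a public resolver returns for `dns01_record_name(identifier)`. The sensitive asset in a DNS-01 setup is not this computation but the DNS API credential that lets the client write the record: where the provider supports it, scope that token to the zones it has to edit and to record editing only, since anyone holding it can pass the same challenge for any name in those zones.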
