New blog post: Post-OCSP certificate revocation in the Web PKI.

With OCSP in all forms going away, I decided to look at the history and possible futures of certificate revocation in the Web PKI. I also threw in some of my own proposals to work alongside existing ones.

I think this is the most comprehensive current look at certificate revocation right now.

#security #WebPKI #LetsEncrypt #TLS #OCSP

In case anyone is wondering about how to "update" a valid certificate from #letsencrypt that for some reason #prosody states is already expired, just run:

prosodyctl --root cert import /etc/letsencrypt/live

Assuming you have a valid certificate in place already configured for your domain. Saved me some headache!

More info: prosody.im/doc/letsencrypt

#xmpp #selfhost

Let's Encrypt will issue new intermediate certs in Q1/2024: groups.google.com/a/mozilla.or…

Make sure your LE cert deployment logic includes serving the right intermediates that ACME should hand you, not just that same old LE intermediate you got years ago. Otherwise, there'll be breakage...

#x509 #pki #LetsEncrypt

Detailed and credible looking report of #LawfulInterception #MitM on an #xmpp server hosted at #Hetzner in Germany: notes.valdikss.org.ru/jabber.r…

Looks like a transparent bridge was deployed in front of the actual server, obtained dedicated certificates from #LetsEncrypt and MitMed all incoming client connections since July. It was discovered because the LE certificate expired 🤦

Folks, if you’re using @small-tech/auto-encrypt in your projects, please make sure you’re running the latest version of the package (3.1.0) or certificate provisioning/renewal will fail due to the latest Let’s Encrypt protocol update.

codeberg.org/small-tech/auto-e…

#tls #https #letsEncrypt #autoEncrypt #js #javaScript #nodeJS #web #dev #smallWeb #smallTech

auto-encrypt

Automatically-provisioned TLS certificates for Node.js servers using Let’s Encrypt.

^Codeberg.org