Comment by πŸ”­ Supernova

Re: "How many here use the same TLS certificate on their gemini…"

In: s/Gemini

Oh thank you @michaelnordmeyer and @Morgan for bringing up the point about getting notified when there is a new cert. I've tried to find posts about the differences between self-signed and CA certs and never came across that info. I suppose that doesn't effect any functionality, it's just a notification the user has to dismiss each time?

@alexlehm can you explain further or provide a link to more info on using the same key?

How about this for a thought? If I generate a long expiring cert from LetsEncrypt once just for the gemini server and save that seperately. Then let LetsEncrypt do it's normal thing (every 3 months) for the web server?

πŸ”­ Supernova [OP]

2023-08-19 Β· 3 years ago

6 Later Comments ↓

πŸ€– alexlehm Β· 2023-08-19 at 15:26:

@Morgan is set the parameter reuse_key = True in renewal.conf, that seems to keep the same cert data so that the hash does not change

πŸ€– alexlehm Β· 2023-08-19 at 15:27:

@Supernova I believe this only requires the parameter reuse_key = True in the config. It is not possible to create long expiring certs with Letsencrypt, the expire time is automatically 3 months, you cannot change that

πŸ€ gritty Β· 2023-08-19 at 17:08:

for those using LE, are you copying your keys to the user running your server? I ask because after using certbot, the directory holding the LE certs is not viewable by a regular user on my machine.

πŸ€– alexlehm Β· 2023-08-19 at 17:36:

I copy the files with sudo and access them with the user the server is running under

πŸ”­ Supernova [OP] Β· 2023-08-19 at 23:09:

@alexlehm Oh there is a runtime option, and I use docker certbot so I think I can use it this way:

docker compose run --rm certbot renew --reuse-key

I will see what happens next month upon renewal 😁

πŸ‰ gyaradong Β· 2023-08-20 at 04:34:

I see the purpose as different. The point of minting a key is to have a centralised chain of trust. I think the key life times are for the CA to validate or audit the keys. CRLs are not always effective, so everything must have a lifetime.

In Gemini, it's TOFU so the utility of a lifetime and of minting are both limited and across purposes.

Original Post

πŸŒ’ s/Gemini

πŸ”­ Supernova:

How many here use the same TLS certificate on their gemini server that they get for their web server? I found it not too hard to setup. I am surprised I don't see more gemini capsules doing the same.

πŸ’¬ 13 comments Β· 2023-08-19 Β· 3 years ago Β· #certificates