Comment by skyjake
Re: "When a server certificate changes, Lagrange will show a…"
Is there a protocol for announcing such changes? Is the intention that the site finds some other out-of-band way of telling its users?
There is no such protocol. The de facto practice in Geminispace is to make a post about an upcoming certificate change a few days before and publish it on the aggregators (and/or Station/BBS).
One way of avoiding the client-side warnings is to keep your certificate key pair the same in the new certificate. Some clients also support checking if a new certificate was signed with the old one, but Lagrange doesn't do that.
Mar 27 · 6 weeks ago
2 Later Comments
roughnecks · Mar 27 at 12:37:
For Let's Encrypt it's "reuse-key = True" in /etc/letsencrypt/cli.ini
lab6 [OP] · Mar 27 at 13:21:
Great, so I think re-use of the key is the best answer.
For reference for anyone else who might be in the same situation, I arrived at this requirement because my old cert was generated ~5 years ago, and since then, molly-brown and/or its golang dependencies have come not to like it, emitting the following error:
Invalid TLS certificate: x509: certificate relies on legacy Common Name field, use SANs instead
Hence now needing a cert with a SAN.
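An added example (not code from this thread, from Lagrange or from molly-brown) showing both points above in Go's standard library, which molly-brown builds on: a CN-only certificate fails Go's hostname check with the legacy Common Name error, and reissuing with a SAN while reusing the same key pair leaves the public-key (SubjectPublicKeyInfo) fingerprint unchanged, which is what key reuse preserves for clients that remember a server's key. The hostname example.invalid, the self-signed issuance and the demo key are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// issueSelfSigned builds a self-signed certificate for host with the given key. With withSAN the
// hostname goes into SubjectAltName; without it only the Common Name carries it (the legacy form).
func issueSelfSigned(key *ecdsa.PrivateKey, host string, withSAN bool) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(5 * 365 * 24 * time.Hour),
	}
	if withSAN { tmpl.DNSNames = []string{host} }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// spkiFingerprint hashes the SubjectPublicKeyInfo, which is identical across renewals that reuse the key.
func spkiFingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// sameKey reports whether two certificates carry the same public key.
func sameKey(a, b *x509.Certificate) bool { return spkiFingerprint(a) == spkiFingerprint(b) }

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)  // constructed demo key
	old, _ := issueSelfSigned(key, "example.invalid", false)    // CN only, like the old cert
	renewed, _ := issueSelfSigned(key, "example.invalid", true) // same key, SAN added
	fmt.Println("CN-only cert hostname check:", old.VerifyHostname("example.invalid"))
	fmt.Println("renewed cert hostname check:", renewed.VerifyHostname("example.invalid"))
	fmt.Println("same public key:", sameKey(old, renewed))
}
```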
Original Post
When a server certificate changes, Lagrange will show a message warning of the change, including this bit:
... Please check if the server has announced a certificate change
Is there a protocol for announcing such changes? Is the intention that the site finds some other out-of-band way of telling its users?