Comment by stack
Re: "When a server certificate changes, Lagrange will show a…"
TOFU is a largely pointless protocol that provides assurance that, after the first time, you are communicating with the same server.
It provides no other guarantees.
You may as well ignore it and treat it like those click-through software licenses - whatever.
Mar 26 · 6 weeks ago
5 Later Comments
lab6 [OP] · Mar 26 at 22:09:
I'm happy to ignore it, but from the perspective of a server operator, if there's a way of avoiding users being presented with a scary message, I'd like to do that.
stack · Mar 26 at 23:18:
Make a server certificate that expires in 1000 years.
You make these yourself, you know.
skyjake [mod...] · Mar 27 at 04:05:
Is there a protocol for announcing such changes? Is the intention that the site finds some other out-of-band way of telling its users?
There is no such protocol. The de facto practice in Geminispace is to make a post about an upcoming certificate change a few days before and publish it on the aggregators (and/or Station/BBS).
One way of avoiding the client-side warnings is to keep your certificate key pair the same in the new certificate. Some clients also support checking if a new certificate was signed with the old one, but Lagrange doesn't do that.
roughnecks · Mar 27 at 12:37:
For Let's Encrypt it's "reuse-key = True" in /etc/letsencrypt/cli.ini
lab6 [OP] · Mar 27 at 13:21:
Great, so I think re-use of the key is the best answer.
For reference for anyone else who might be in the same situation, I arrived at this requirement because my old cert was generated ~5 years ago, and since then, molly-brown and/or its golang dependencies have come not to like it, emitting the following error:
Invalid TLS certificate: x509: certificate relies on legacy Common Name field, use SANs instead
Hence now needing a cert with a SAN.
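An added example, not code from this thread or from Lagrange, molly-brown or certbot: the key-reuse renewal skyjake and roughnecks describe, done by hand with the openssl CLI for a self-signed Gemini certificate, plus the SAN that the Go x509 error in lab6's post asks for, and a check an operator can run before deploying; the hostname example.test and the file paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): re-issue a self-signed Gemini server
# certificate from the EXISTING private key, so the public key a TOFU client
# has pinned is unchanged, and add a SAN so Go's x509 parser no longer rejects
# it as a legacy CN-only certificate. Needs openssl 1.1.1+ (-addext / -ext).
# The hostname example.test and the file paths are assumptions for the demo.
set -eu

# Generate a P-256 private key once; every renewal reuses this file.
gen_key() { openssl ecparam -name prime256v1 -genkey -noout -out "$1"; }
# Self-sign a certificate for HOST from KEY, valid DAYS days, written to OUT.
# Reusing KEY keeps the SubjectPublicKeyInfo identical across renewals.
issue_cert() {
  key=$1; host=$2; days=$3; out=$4
  openssl req -x509 -new -key "$key" -out "$out" -days "$days" \
    -subj "/CN=$host" -addext "subjectAltName=DNS:$host" 2>/dev/null
}

# SHA-256 of the DER SubjectPublicKeyInfo: the stable identity of the key pair.
spki_fingerprint() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# True if CERT carries a DNS SAN for HOST (what "use SANs instead" asks for).
has_san() {
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null | grep -qF "DNS:$2"
}

# Pre-deployment check: does NEW keep OLD's key pair and carry a SAN for HOST?
# Exit status 0 means clients that pin the public key should not warn.
check_renewal() {
  old=$1; new=$2; host=$3
  if [ "$(spki_fingerprint "$old")" != "$(spki_fingerprint "$new")" ]; then
    echo "key pair changed: TOFU clients will warn"; return 1
  fi
  has_san "$new" "$host" || { echo "no DNS SAN for $host"; return 1; }
  echo "ok: same key pair, SAN present"
}

# Demo: a 1-year certificate renewed as a 10-year one from the same key.
demo() {
  d=$(mktemp -d); host=example.test
  gen_key "$d/key.pem"
  issue_cert "$d/key.pem" "$host" 365 "$d/old.pem"
  issue_cert "$d/key.pem" "$host" 3650 "$d/new.pem"
  check_renewal "$d/old.pem" "$d/new.pem" "$host"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh renew.sh demo`, or point `check_renewal` at your current certificate and the candidate replacement before swapping them on the server.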
Original Post
When a server certificate changes, Lagrange will show a message warning of the change, including this bit:
... Please check if the server has announced a certificate change
Is there a protocol for announcing such changes? Is the intention that the site finds some other out-of-band way of telling its users?