Neal Gompa wrote:
> I'm not going to get into this too much, but suffice to say, it's not
> universally accessible as a CA.
I would very much be interested in those details though. I do not see
anybody being excluded from Let's Encrypt, not even countries under US
embargo (e.g., over 300000 sites in Iran are apparently using it
successfully).
> And using Let's Encrypt for private mirrors is sufficiently painful that I
> wouldn't recommend it.
Set up a subdomain like vpn.example.com, point it to the public IP, then
configure the VPN's internal DNS to resolve vpn.example.com to the VPN-
internal address instead, the /etc/hosts on the VPN server itself to resolve
it to 127.0.0.1, and the mirror server on port 443 (whereas port 80 is
reserved for certbot's builtin temporary (and world-readable) webserver with
the http-01 challenge) to accept connections only from the VPN and from
localhost and to use the Let's Encrypt certificate. Been there, done that
(not for a repository mirror though, my employer is small enough for that
not to be worthwhile). I assume that this approach should also work for a
physical LAN in lieu of the VPN.
> There have been attempts to fix things, but Panu doesn't feel
> qualified to review the changes. That doesn't mean someone else who
> would be willing to do so couldn't. But because of... reasons, as long
> as it's in the RPM codebase, it's unlikely someone else will be
> trusted enough to do those reviews.
I see. So splitting might be worthwhile then. Assuming someone will care
enough to actually maintain the code.
Kevin Kofler
_______________________________________________
devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
