As seen in the BND's attack on jabber.ru, some adversaries have no difficulty taking over your IP address. Will this be a new threat vector?
CaliforniaKarl 2 days ago [-]
If an attacker manages to gain ownership of an IP address, and gets a Let's Encrypt certificate for that IP address, the certificate will show up in Certificate Transparency logs. In that way, if people are watching, the attack will become visible fairly quickly.
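A CT-monitoring check in the spirit of the comment above, as an added example that is not from the thread or from Let's Encrypt: it walks constructed CT entries (in an assumed crt.sh-like JSON shape with `issuer_name`, `name_value`, `not_before`) and flags any certificate naming an address in our own prefixes that our ACME automation did not record issuing.

```python
import ipaddress
import json

# Constructed sample in a crt.sh-like JSON shape (assumption: field names
# issuer_name, name_value, not_before; other CT monitors use other names).
SAMPLE_CT_JSON = json.dumps([
    {"id": 1, "issuer_name": "O=Let's Encrypt, CN=E7", "name_value": "203.0.113.10", "not_before": "2025-06-01T09:00:00"},
    {"id": 2, "issuer_name": "O=Let's Encrypt, CN=E7", "name_value": "203.0.113.10\nmail.example.net", "not_before": "2025-06-03T17:42:10"},
    {"id": 3, "issuer_name": "O=Let's Encrypt, CN=R11", "name_value": "www.example.net", "not_before": "2025-06-02T01:00:00"},
    {"id": 4, "issuer_name": "O=Let's Encrypt, CN=E7", "name_value": "198.51.100.7", "not_before": "2025-06-03T11:00:00"},
    {"id": 5, "issuer_name": "O=Let's Encrypt, CN=E7", "name_value": "2001:db8::25", "not_before": "2025-06-04T08:15:00"},
])

# Address space we own (RFC documentation ranges, constructed for the example).
MONITORED_PREFIXES = [ipaddress.ip_network("203.0.113.0/24"),
                      ipaddress.ip_network("2001:db8::/32")]

# (address, not_before) pairs our own ACME client recorded when it issued.
KNOWN_ISSUANCES = {("203.0.113.10", "2025-06-01T09:00:00")}


def ip_sans(name_value):
    """Return the IP addresses among newline-separated SAN names; DNS names
    and wildcards fail ipaddress parsing and are skipped."""
    ips = []
    for name in name_value.split("\n"):
        try:
            ips.append(ipaddress.ip_address(name.strip()))
        except ValueError:
            continue
    return ips


def find_unexpected_ip_certs(ct_json, prefixes, known):
    """One alert per (CT entry, address) where the address is in a monitored
    prefix and the issuance is not one our own automation recorded."""
    alerts = []
    for entry in json.loads(ct_json):
        for ip in ip_sans(entry["name_value"]):
            if not any(ip in p for p in prefixes):
                continue  # someone else's address space, not our concern
            if (str(ip), entry["not_before"]) in known:
                continue  # we issued this one
            alerts.append({"id": entry["id"], "ip": str(ip),
                           "issuer": entry["issuer_name"],
                           "not_before": entry["not_before"]})
    return alerts
```

Run against a real CT feed, entries 2 and 5 are the ones worth paging on: certificates for our addresses that nothing on our side requested.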
greatgib 2 days ago [-]
They should at least have restricted it to IPv6. Here it will be a kill for everyone using mobile networks and 5G hotspots.
nubinetwork 2 days ago [-]
When will they let me generate certificates for IMAP and SMTP?
neoCrimeLabs 2 days ago [-]
They never stopped supporting it, to my knowledge. I first started using their certs for my IMAP and SMTP servers 10ish years ago, at least.
If you use the HTTP-01 challenge method, you need an HTTP server on the host.
If you don't want an HTTP server on your IMAP/SMTP server, you need to use the DNS-01 challenge method.
nubinetwork 2 days ago [-]
And what if I want to run DNS and http on separate servers than my mail server?
neoCrimeLabs 2 days ago [-]
The same thing everyone else does. Build automation, use configuration management, use cert manager or other similar solutions.
neoCrimeLabs 1 day ago [-]
Update: Had less time to post than I realized, hence the terse reply.
Meant to say those solutions are in addition to Let's Encrypt. An X.509 certificate is an X.509 certificate, regardless of whether it's for HTTPS, IMAPS, or SMTPS. If you're distributing your stuff across multiple hosts or containers, then it makes sense to use some sort of automation, configuration management, or certificate management/distribution system.
apitman 2 days ago [-]
Nice. I've been using lego for this the past few weeks.