Nginx: "ssl_stapling" ignored, no OCSP responder URL in the certificate
https://linuxspicker.net/nginx-stapling-ignored-ocsp-responder-certificate_68

@mms why is Let's Encrypt going to become shit? Very bad news if true.
If you use #LetsEncrypt, you have probably received the "Let's Encrypt Expiration Emails Update" messages warning you that this CA will no longer send reminders that your certificates are about to expire. That is because a better system is now available: #ARI.
ARI lets a CA that uses the #ACME protocol give its clients suggestions about when to renew certificates. It is described in this #RFC.
2/2
Basically I was "annoyed" when #LetsEncrypt came onto the market...
After all, I've been using "lets" since 1985...
#letsSpot would be historically correct (if it weren't for the double S...)
#pitSpot is perhaps a bit ambiguously funny... because of the many meanings of "pit" in English?!?
This explains why an Android device from 2015 can't connect to modern sites secured by a Let's Encrypt cert.
But a much older 2010 MacBook or 2013 iPad, still can.
And that's with default built-ins, before we get to strategies like replacing IE/Safari with Firefox ESR (which can even enable Windows XP to browse the modern web), or replacing Google Android with PostmarketOS.
When you quantify browser support and translate it to real devices, the sad state of Android device vendors really stinks.
I had no idea it was *this* bad.
For example, a Samsung Galaxy or Motorola Moto from 2015:
* ships Android 5.
* may upgrade to one new major release, Android 6, released the next year in 2016.
* minor support updates until 2017.
1 major OS release and you're out,
2 years of minor updates.
Eh, that is not cool: installed the #LetsEncrypt add-on in my fresh #HomeAssistant installation. And because it is brand new, I tried the test certificate server first. Everything works ...
Except, HA has no option to force renew the certificate. And now I'm stuck for 30 days with the test cert, which the browser does not accept.
This is broken.
How to Install Centmin Mod on #AlmaLinux #VPS (5 Minute Quick-Start Guide) Here's a detailed step-by-step guide on how to install Centmin Mod on an AlmaLinux VPS server.
What is Centmin Mod?
Centmin Mod is a shell-based, menu-driven installer that automates the deployment of a LEMP (Linux, Nginx, MariaDB/MySQL, PHP-FPM) stack on CentOS, AlmaLinux, and Rocky Linux servers. Designed for efficiency and performance, it ...
Continued https://blog.radwebhosting.com/how-to-install-centmin-mod-on-almalinux-vps/?utm_source=mastodon&utm_medium=social&utm_campaign=mastodon.raddemo.host #csf #centminmod #letsencrypt #php
certbot on Debian Bookworm fails with: The peer didn't know the key we used
And no, #letsencrypt has no plans to offer client certificates. Which led me to the concept of https://nerdcert.eu ;) Which is NOT a project or a product yet. But could very well become such a thing :)
4/4
My current conspiracy theory: Now that #letsencrypt has more or less destroyed the market for domain certificates and people are more interested in using client/user certificates, Google throws the market a lifeline by removing clientAuth from acceptable certificates in the browser context with some vague "it's about security" arm waving. #NerdTalk
1/4
Do you use client authentication with TLS certificates?
R11 followed by R10?
My #Zabbix reports that the issuer of a certificate has changed:
2025-06-05 08:06:00 PM 1749153960 "C = US, O = Let's Encrypt, CN = R10"
2025-06-04 08:05:59 PM 1749067559 "C = US, O = Let's Encrypt, CN = R11"
Remember the threads¹² about #LetsEncrypt removing a crucial key usage from certificates issued by them in predictive obedience to their premium sponsor Google?
We were at first concerned about #SMTP. While I had lived through this problem with #StartSSL by #StartCom back in 2011, I only had a vague recollection of Jabber but recalled in detail that it broke server-to-server SMTP verification (whether the receiving server acted on it or just documented it).
Well, turns out someone now reported that it indeed breaks #XMPP entirely: https://community.letsencrypt.org/t/do-not-remove-tls-client-auth-eku/237427/66
This means that it will soon no longer be possible at all to operate Jabber (XMPP) servers, because the servers use the operating system’s CA certificate bundle for verification, which generally follows the major browsers’ root stores, which have requirements from the CA/Browser Forum, who apparently don’t care about anything other than the web browser, and so no CA whose root certificate is in that store will be allowed to issue certificates suitable for Jabber/XMPP server-to-server communication, while these CAs are the only ones trusted by those servers.
So, yes, Google’s requirement change is after all breaking Jabber entirely. Shame on anyone who thinks ill of it.
Update: it also breaks the connections between domain registrars and registries, with most being unaware that there even is a problem at this time, let alone the crazily short timeframe. See the thread linked to in a self-reply, which also confirms that the CA/Browser forum is supporting Google in this (possibly by means of Google paying, my interpretation).
While https://nerdcert.eu/ by @jwildeboer would in theory help, it’s not existent yet, and there’s not just the question of when it will be included in operating systems’ root CA stores but whether it will be included in them at all.
Google’s policy has no listed contact point, and the CA/B Forum isn’t something mere mortals can complain to, so I’d appreciate it if someone who can, and who has significant skills to argue this in English and is willing to, would bring it to them.
① mine: https://toot.mirbsd.org/@mirabilos/statuses/01JV8MDA4P895KK6F91SV7WET8
② jwildeboer’s: https://social.wildeboer.net/@jwildeboer/114516238307785904
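An added check for the EKU problem mirabilos describes above (example code, not from any of the posts): it inspects a PEM certificate with openssl and reports whether "TLS Web Client Authentication" (clientAuth) is still present, which is what XMPP or SMTP server-to-server peers may require from the connecting server's certificate. It assumes OpenSSL 1.1.1 or newer (for `-addext` and `-ext`) and builds its own throwaway self-signed certificates as constructed sample input.

```shell
#!/bin/sh
# Added example, not part of the original posts. Assumes OpenSSL >= 1.1.1.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# has_client_auth FILE : exit 0 if the certificate's Extended Key Usage
# lists clientAuth, exit 1 otherwise (also 1 if the EKU extension is absent).
has_client_auth() {
    openssl x509 -in "$1" -noout -ext extendedKeyUsage 2>/dev/null \
        | grep -q 'TLS Web Client Authentication'
}

# make_cert NAME EKU-LIST : constructed self-signed sample certificate with a
# throwaway key and the given EKU values, written to $WORK/NAME.pem.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1.example" -addext "extendedKeyUsage=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

make_cert both   "serverAuth,clientAuth"   # what a server-to-server peer can accept
make_cert server "serverAuth"              # browser-only profile described in the thread

for name in both server; do
    if has_client_auth "$WORK/$name.pem"; then
        echo "$name.pem: clientAuth present; usable where s2s peers require it"
    else
        echo "$name.pem: clientAuth MISSING; s2s peers checking EKU will reject it"
    fi
done
```

Point `has_client_auth` at a certificate obtained with `openssl s_client -showcerts` from a live server to check a real deployment.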
yet another ACME client, based on uacme: https://github.com/llfw/lfacme
good:
+ uses uacme and POSIX /bin/sh
+ better configuration/hook system than dehydrated
+ comes with manpages
+ small and simple
+ supports Kerberized dns-01 domain validation
bad:
- only supports Kerberized dns-01 domain validation (but this could be improved)
- only tested on FreeBSD (but this could be improved too)
/cc @_bapt_
Anyone with experience of using #dehydrated to request #TLS certificates from #LetsEncrypt?
Thanks to the support team at @beasts (thanks Alex) I've corrected my fat finger error in the config and I can see that the correct DNS records appear to be created in my public DNS zone but then the dehydrated client just times out after a good 5 minutes with `challenge record not found in DNS`.
I'm currently trying to use the LE staging environment so I don't hit any limits that might break any of my existing http auth certs.
Weird thing that `certbot delete` seems to be the simplest and fastest command to get a list of the #letsencrypt certificates my web server manages.
UPDATE: Thx to the replies, I implemented the change for all my domains, did a `certbot renew --dry-run` and that succeeded. Yay to a cleaner config :)
#NerdQuestion. When I move {server [...] } blocks in `/etc/nginx/nginx.conf` to separate files in the `/etc/nginx/conf.d` directory, will certbot still find them and will automatic renewals just keep working as before? Anyone with experience on that?
Just requested that Auto Encrypt¹ is added to the list of @letsencrypt clients for Node.js and that Kitten² is added to the list of projects that integrate Let’s Encrypt support:
• https://github.com/letsencrypt/website/pull/1921
• https://github.com/letsencrypt/website/pull/1922
I originally requested that Auto Encrypt and Site.js (the precursor to Kitten, now sunset) be added to the list in 2021. It was not approved (no reason given), so hopefully this time will be different.
https://github.com/letsencrypt/website/pull/1203
¹ https://codeberg.org/small-tech/auto-encrypt
² https://kitten.small-web.org