On Wed, Apr 1, 2015 at 8:51 AM, Stephen Farrell <[email protected]> wrote:
>
>
> On 01/04/15 13:38, Ben Laurie wrote:
>> On 1 April 2015 at 13:19, Stephen Farrell <[email protected]> wrote:
>>>
>>> And in a happy ending for this thread, when I whacked in
>>> the new cert today it all worked.
>>>
>>> Interestingly, there was a point where it was fine in all
>>> but one browser - that lasted an hour or so before they
>>> were all ok, not quite sure why, but there's clearly more
>>> going on with ocsp caching than I know about;-)
>>
>> Are you sure it wasn't the intermediate problem you were originally
>> investigating?
>
> I am sure in the sense of "I did what the forum post said and
> it worked," yes:-) [1]
>
> And while the CA has produced a new chain, the old intermediates
> chain works fine and is what's in place now and working with all
> browsers. I did check the new chain differs from the old one, but
> I didn't bother checking exactly how, other than the dates. So I
> guess it really was OCSP.
>
> But from the acme POV, it doesn't really matter what was going on
> in the OCSP infrastructure - the point was that the renewal process
> didn't take that into account at all, leading to user-visible errors.
> Bleh. And something where we can do better with acme now we (well,
> some of we), know how OCSP caching happens in CDNs and all that.
> (Or, as Rob said, we could go all stapled with acme maybe.)
One of the reasons that I do not like unnecessary complication or variation is that it leads to this sort of situation. Right now most servers are administered in bespoke fashion and so the variation in configuration can be quite large. Automating the process takes the human out of the loop and makes it much easier to get consistent results.

It is the same problem I have with UNIX admin. Anyone who has ever tried to administer a machine where the previous sysadmin has spent their time trying to make Ubuntu look like Solaris and reorganized the directories accordingly will know what I mean. Every administration action becomes a hunting expedition. Is the file in the usual place or was it moved?

Today I am going to have to spend a couple of hours changing a code generator because someone thought "x5c#256" was a good name for a structure id. Sure, this is legal JSON but why make unnecessary work? I now have to implement a hack to serve as a workaround. And every other implementer is also going to have to do a workaround. And that means that all our APIs are going to be a little different when they should have been the same.
