Neal Gompa wrote:
> I'm not going to get into this too much, but suffice to say, it's not
> universally accessible as a CA.
I would very much be interested in those details though. I do not see 
anybody being excluded from Let's Encrypt, not even countries under US 
embargo (e.g., over 300000 sites in Iran are apparently using it 

> And using Let's Encrypt for private mirrors is sufficiently painful that I
> wouldn't recommend it.

Set up a subdomain like, point it to the public IP, then 
configure the VPN's internal DNS to resolve to the VPN-
internal address instead, the /etc/hosts on the VPN server itself to resolve 
it to, and the mirror server on port 443 (whereas port 80 is 
reserved for certbot's builtin temporary (and world-readable) webserver with 
the http-01 challenge) to accept connections only from the VPN and from 
localhost and to use the Let's Encrypt certificate. Been there, done that 
(not for a repository mirror though, my employer is small enough for that 
not to be worthwhile). I assume that this approach should also work for a 
physical LAN in lieu of the VPN.

> There have been attempts to fix things, but Panu doesn't feel
> qualified to review the changes. That doesn't mean someone else who
> would be willing to do so couldn't. But because of... reasons, as long
> as it's in the RPM codebase, it's unlikely someone else will be
> trusted enough to do those reviews.

I see. So splitting might be worthwhile then. Assuming someone will care 
enough to actually maintain the code.

        Kevin Kofler
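The split-horizon setup Kevin describes above (public DNS name pointing at the public IP, VPN-internal DNS overriding it to the VPN address, the mirror on 443 restricted to VPN and localhost, port 80 reserved for the http-01 challenge) rendered as configuration fragments. This is an added example, not code from the thread or from Fedora infrastructure. It assumes nginx serves the mirror, that certbot is run with `--webroot` so that port 80 exposes only `/.well-known/acme-challenge/` rather than certbot's standalone web server, and dnsmasq as the VPN's internal resolver; `mirror.example.com`, `10.8.0.1` and `10.8.0.0/24` are placeholder values.

```shell
#!/bin/sh
# Added example (not from the mailing-list post). Renders the pieces of a
# split-horizon private mirror with a Let's Encrypt certificate.
# Placeholders: mirror.example.com (public name), 10.8.0.1 (VPN-internal
# address of the mirror), 10.8.0.0/24 (VPN client range).

# dnsmasq override for the VPN's internal DNS: inside the VPN the public
# name resolves to the VPN-internal address instead of the public IP.
render_dnsmasq_override() {
    domain=$1; vpn_addr=$2
    printf 'address=/%s/%s\n' "$domain" "$vpn_addr"
}

# /etc/hosts entry on the mirror/VPN server itself so that its own name
# resolves locally (address is a placeholder, e.g. loopback).
render_hosts_line() {
    domain=$1; local_addr=$2
    printf '%s %s\n' "$local_addr" "$domain"
}

# nginx: port 80 answers only the ACME http-01 challenge path (assumes
# certbot --webroot); port 443 serves the mirror with the Let's Encrypt
# certificate and accepts the VPN range and localhost only.
render_nginx_conf() {
    domain=$1; vpn_cidr=$2; webroot=${3:-/var/www/acme}; mirror_root=${4:-/srv/mirror}
    cat <<EOF
server {
    listen 80;
    server_name $domain;
    location /.well-known/acme-challenge/ {
        root $webroot;
    }
    location / {
        return 404;
    }
}
server {
    listen 443 ssl;
    server_name $domain;
    ssl_certificate     /etc/letsencrypt/live/$domain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$domain/privkey.pem;
    allow $vpn_cidr;
    allow 127.0.0.1;
    allow ::1;
    deny all;
    root $mirror_root;
    autoindex on;
}
EOF
}

# Sanity check on a rendered config: there must be a "deny all" after the
# last "allow", and no catch-all "allow all" anywhere. Returns 0 if sound.
check_nginx_conf() {
    conf=$1
    allow_line=$(printf '%s\n' "$conf" | grep -n '^ *allow ' | tail -1 | cut -d: -f1)
    deny_line=$(printf '%s\n' "$conf" | grep -n '^ *deny all;' | tail -1 | cut -d: -f1)
    [ -n "$allow_line" ] || return 1
    [ -n "$deny_line" ] || return 1
    [ "$allow_line" -lt "$deny_line" ] || return 1
    printf '%s\n' "$conf" | grep -q '^ *allow all;' && return 1
    return 0
}

# Stand-alone usage: print the three fragments with the placeholder values.
main() {
    render_dnsmasq_override mirror.example.com 10.8.0.1
    render_hosts_line mirror.example.com 127.0.0.1
    render_nginx_conf mirror.example.com 10.8.0.0/24
}
main "$@"
```

The `allow`/`deny` list is a second line of defence on top of the VPN's own firewalling; the point of keeping port 80 to the challenge path alone is that the public IP only ever serves the short-lived ACME token, never repository content. Running `check_nginx_conf` over the rendered text catches the common mistake of an `allow` placed after the `deny all` (nginx evaluates these directives in order, so such an `allow` is never reached).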