On 23.07.2017, at 09:27, Reimar Döffinger <reimar.doeffin...@gmx.de> wrote:
> On 21.07.2017, at 15:31, Ricardo Constantino <wiia...@gmail.com> wrote:
>
>> On 18 July 2017 at 02:12, Gerion Entrup <gerion.entrup.ff...@flump.de> wrote:
>>> On Tuesday, 18 July 2017, 01:52:53 CEST, Reimar Döffinger wrote:
>>>> On 18.07.2017, at 00:59, James Almer <jamr...@gmail.com> wrote:
>>>>
>>>>> On 7/17/2017 7:49 PM, Moritz Barsnick wrote:
>>>>>> On Mon, Jul 10, 2017 at 13:53:02 +0300, Boris Pek wrote:
>>>>>>> Latest news about this topic:
>>>>>>> https://groups.google.com/a/chromium.org/forum/#!topic/net-dev/FKXe-76GO8Y
>>>>>>
>>>>>> Ah, thanks, I neglected to report this, because I thought it was an
>>>>>> issue with my Opera Developer (48), which uses the Chrome engine. Opera
>>>>>> (like Chrome) recently reports ffmpeg.org's certificate as revoked, but
>>>>>> I found no tool which could verify this...
>>>>>
>>>>> The cert is by StartCom. Afaik everyone blacklisted certs issued by them
>>>>> after a certain date, and now some, like Google, are also blacklisting
>>>>> certs issued before that date as well.
>>>>> Mozilla hasn't done the latter yet, so Firefox doesn't complain about
>>>>> it, but i guess a new cert is overdue.
>>>>
>>>> New certs are already being generated, but nobody had the time to do the
>>>> transition, there is a risk of the automation failing
>>>> (I think the web server needs to be made to reload the certificate, which
>>>> is problematic as an ordinary user and there is no way I'd ever run any of
>>>> that letsencrypt stuff as root),
>>> This seems to work as cronjob:
>>> ```
>>> #!/bin/sh
>>>
>>> su -c "certbot renew 2>/dev/null | grep 'No renewals' >/dev/null" letsencrypt -s /bin/bash
>>> if [ $? -eq 1 ]; then
>>>     service nginx reload
>>> fi
>>> ```
>
> This is what scares me most: people running things as horrible as certbot
> (written by people who think it is ok to download and install a compiler
> without even asking before on a web server) AS ROOT.
> These things have no reason to and should not be designed to run as root.
> Anyway, the switch is done, but it might be good if at least one other person
> monitors certificate validity, if it ever goes below 20 days something went
> badly wrong.

Btw the Comodo certificate Michael mentioned is a domain-validation certificate for 7x the price of what StartCom asked for a personal validation certificate (which almost nobody else even offers, just for organizations).
That's the CA system in a nutshell: highway robbery prices spiced with the laughable security track record you get for it.
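The validity monitoring suggested in the quoted message (alert when fewer than 20 days remain) could be done with a small script like the one below. This is an added example, not code from the thread or from the FFmpeg project; the script name, status strings and exit codes are assumptions, and it runs as an ordinary unprivileged user, for instance from cron.

```python
#!/usr/bin/env python3
"""Check how long a server's TLS certificate remains valid. Needs no root."""
import socket
import ssl
import sys
import time

WARN_DAYS = 20  # threshold from the thread: below this, renewal has failed


def days_left(not_after, now=None):
    """Days until expiry; not_after uses the getpeercert() 'notAfter' format."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(not_after) - now) / 86400


def classify(not_after, now=None, warn_days=WARN_DAYS):
    """Return 'EXPIRED', 'WARN' (under warn_days left) or 'OK'."""
    remaining = days_left(not_after, now)
    if remaining < 0:
        return "EXPIRED"
    return "WARN" if remaining < warn_days else "OK"


def fetch_not_after(host, port=443, timeout=10):
    """Fetch the validated leaf certificate's notAfter field from host:port."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def main(argv):
    if len(argv) != 2:
        print("usage: certcheck.py HOSTNAME", file=sys.stderr)  # hypothetical name
        return 2
    try:
        not_after = fetch_not_after(argv[1])
    except (ssl.SSLError, OSError) as exc:
        # An expired or untrusted certificate fails the handshake itself.
        print(f"CRITICAL {argv[1]}: {exc}")
        return 2
    status = classify(not_after)
    print(f"{status} {argv[1]}: {days_left(not_after):.1f} days left ({not_after})")
    return 0 if status == "OK" else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A non-zero exit status lets cron's mail-on-output or any wrapper raise the alert. Python's default verification does not consult revocation or browser distrust lists, so this covers expiry only.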