Hi Carlo, Thanks for fixing the Cc: addresses. I should not have included the bug filing address in my reply.
On Sun, Apr 14 2024, Carlo Zancanaro wrote: > We could avoid generating unnecessary self-signed certificates by first > checking if we already have certificates from certbot, and creating the > symlink straight away if we can. That would seem wise to me. > The current code uses the rsa-key-size from the > <cerbot-configuration>, or 4096 if that is unset (the default). This > is probably [excessive] given we don't actually need, or want, to use > the initial certificates. > > We could instead use the smallest key size that openssl supports (512?). Like you, I asked myself why those self-signed certificates, which are mostly useless, would be 4096-bit strong. I am more offended, however, that they were generated with a lifetime of just one day. What happens if certbot is not yet configured, and the sysadmin forgot to do so for a few days? A long time span, such as ten years (3650 days) might be more appropriate for the fallback certificates. By the way, in Debian we call them "snake oil". I believe they are present on all systems. Kind regards Felix
