On 2016-05-10, Ingo Schwarze <schwa...@usta.de> wrote:
> Hi Kristaps,
>
> Kristaps Dzonsons wrote on Tue, May 10, 2016 at 11:37:42AM +0200:
>
>> (1) download ... couldn't find ... didn't require bash
>> (2) aforementioned script in a cronjob
>> (2b) user to have access to
>> (3) doas rule
>> (4) doas rule
>> (5) [another?] script from a cronjob
>
> You must be joking, Mr. Feynman.
>   Ingo
>
>> anything in those directories is toxic.
>
>

It's still relatively young and the clients are improving.
And even with this sort of thing it's *still* better than a
common alternative:

Open a web browser.
Log in to the CA.
Maybe enter a credit card number.
Have them send you an email to "prove" domain ownership.
Hope it gets through spam filters (and greylisting if you use it).
Generate new key and CSR.
Paste in CSR.
Maybe wait for CA to approve issuance.
Paste new cert into webserver(s).
Figure out which chain certs to paste in.
Avoid screwing up keys when you change from the old one.
Figure out that CA's OCSP responder hasn't updated yet
when Firefox fails, back out, then reinstate later.
etc.
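Three of the steps in that list (the key swap, the chain certs, the OCSP responder) are the ones that bite in practice, and each has a mechanical check. The script below is an added example, not part of this thread or of any ACME client; it uses plain openssl, builds a throwaway CA and leaf under an assumed $WORK directory so the checks run offline (constructed test data, not a real CA), and the file names and function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread): sanity checks for a manually
# issued certificate, using only openssl. $WORK, the file names and the
# function names are assumptions for illustration.
set -eu

WORK=${WORK:-$(mktemp -d)}

# Constructed test data: a throwaway root CA, a host key+CSR signed by it,
# and an unrelated "old" key standing in for the one left behind on the server.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
        -subj "/CN=Example Test Root" >/dev/null 2>&1
    # step "Generate new key and CSR"
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$WORK/host.key" -out "$WORK/host.csr" \
        -subj "/CN=www.example.test" >/dev/null 2>&1
    # the "CA" issues the cert from the CSR
    openssl x509 -req -in "$WORK/host.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 30 -out "$WORK/host.crt" >/dev/null 2>&1
    openssl genrsa -out "$WORK/old.key" 2048 >/dev/null 2>&1
}

# "Avoid screwing up keys": does this private key belong to this cert?
# Compare the SPKI public keys byte for byte instead of eyeballing modulus hashes.
key_matches_cert() {  # $1 = private key file, $2 = certificate file
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null | openssl sha256)
    [ -n "$k" ] || return 1
    [ "$k" = "$c" ]
}

# "Figure out which chain certs": does the leaf chain to this issuer bundle?
chain_verifies() {  # $1 = certificate file, $2 = CA/chain bundle (PEM)
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# "OCSP responder hasn't updated yet": ask the responder named in the cert
# before reloading the web server. Needs network; not exercised offline.
ocsp_status() {  # $1 = certificate file, $2 = issuer certificate file
    url=$(openssl x509 -in "$1" -noout -ocsp_uri)
    [ -n "$url" ] || { echo "no OCSP URI in cert"; return 2; }
    openssl ocsp -issuer "$2" -cert "$1" -url "$url" -CAfile "$2" 2>&1 \
        | grep -E ': (good|revoked|unknown)'
}

# Stand-alone demo: sh thisfile.sh demo
demo() {
    make_test_pki
    key_matches_cert "$WORK/host.key" "$WORK/host.crt" && echo "new key matches cert"
    key_matches_cert "$WORK/old.key" "$WORK/host.crt" || echo "old key does NOT match cert"
    chain_verifies "$WORK/host.crt" "$WORK/ca.crt" && echo "chain verifies against ca.crt"
}
case "${1:-}" in demo) demo ;; esac
```

Run the two local checks against the real key, cert and chain bundle before swapping anything in, and only call ocsp_status (which talks to the CA over the network) once the new cert is in hand; a "revoked" or "unknown" answer is the signal to hold off on reloading rather than find out from a browser error.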
