How Apache ACME (mod_md) gets you a new certificate:
1. all ACME communication are done as unprivileged user
2. all certificates from the CA are parsed as unpriviledged user before storing them
3. activation, as priviledged user, parses again before replacing production as a last fail safe.
Since 2017.
Typical over-engineering. What are the chances a CA sends you a borked file?
Stefan Eissing /
npub179…nr96e
2024-07-22 09:12:39
Author Public Key
npub179eu5lkc7wklv8f44w6fz4qpc8gpkk2x8e32k7ha43pgvyj4jkqqqnr96ePublished at
2024-07-22 09:12:39Event JSON
{
"id": "a7841cd28787fa597832c51a365c75335aa18bc6ae3d60399e18fefd1b87f984",
"pubkey": "f173ca7ed8f3adf61d35abb4915401c1d01b59463e62ab7afdac428612559580",
"created_at": 1721639559,
"kind": 1,
"tags": [
[
"proxy",
"https://chaos.social/users/icing/statuses/112829370177074835",
"activitypub"
]
],
"content": "How Apache ACME (mod_md) gets you a new certificate:\n\n1. all ACME communication are done as unprivileged user\n2. all certificates from the CA are parsed as unpriviledged user before storing them\n3. activation, as priviledged user, parses again before replacing production as a last fail safe.\n\nSince 2017.\n\nTypical over-engineering. What are the chances a CA sends you a borked file?",
"sig": "7e5205e13d70e9920e8d4bc2ab0727deca6379b972a15327aeda05570fb877dada59fd95073f8e9aff0df95bb0d5c67365314914b431543663136c2a690b5c48"
}