On Sat, Feb 11, 2017 at 09:50:13AM +0100, Klaus Ethgen wrote:
> Am Di den 31. Jan 2017 um 19:35 schrieb Klaus Ethgen:
> > the SSL certificate for website devuan.org is invalid again and does not
> > match the one in TLSA record.
>
> That problem gets serious now. I even cannot access www.devuan.org
> anymore.
>
> On all pages I get certificate mismatch. There seems to be one that is
> impersonalizing devuan.org with a faked Let's Encrypt certificate.
>
> The Fingerprint I get currently from the website is:
> CF:C6:BE:F8:22:E5:30:16:3A:50:3B:1A:B8:99:FC:9D:83:B3:E5:38
>
> And tlsa verification gives:
> ~> tlsa --verify www.devuan.org
> FAIL (Usage 3 [DANE-EE]): Certificate offered by the server does not match the TLSA record (46.105.191.76)
> FAIL (Usage 3 [DANE-EE]): Certificate offered by the server does not match the TLSA record (2001:41d0:8:2c55::a1)

For now you can abuse a different failure: "devuan.org" (aka, the nice
no-www compliant name) is missing the TLSA record.

As for the one on www.devuan.org:
_443._tcp.www.devuan.org. 3600    IN    TLSA    3 0 1 B91B36D5929A8617EE57781C35620B1FED8BDC653F9A29EA73177365 30A15EBF

Sorry but a Selector:0 (full cert) record is not going to work with Let's
Encrypt unless you do a complex dance: renew the cert but not install it,
calculate and publish both old and new TLSA records, wait two TTLs, install
the new cert, drop the old record.

Using Selector:1 (SubjectPublicKeyInfo) on the other hand works nicely as
long as you don't regenerate the private key on renewal -- dehydrated does
this if you set PRIVATE_KEY_RENEW=yes; there's AFAIK no way to do so with
certbot.


Meow!
--
Autotools hint: to do a zx-spectrum build on a pdp11 host, type:
./configure --host=zx-spectrum --build=pdp11