La durée de validité des certificats SSL/TLS va être drastiquement réduite dans les années à venir :

- Actuellement, la durée maximale est de 398 jours
- À partir de mars 2026, elle passera à 200 jours
- À partir de mars 2027 : 100 jours
- À partir de mars 2029 : 47 jours

Die maximale Laufzeit von digitalen Zertifikaten für verschlüsselte Verbindungen zu Web- und anderen Servern wird sich künftig drastisch verkürzen. Im Jahre 2029 sind diese statt mit 398 Tagen nur noch mit 47 Tagen Laufzeit ausgestattet.

Zum Artikel: https://heise.de/-10352867?wt_mc=sm.red.ho.mastodon.mastodon.md_beitraege.md_beitraege&utm_source=mastodon

#ItWasDNS
Well… in fact, it was /me not installing the #LetsEncrypt renew script and daemon reload cron so that #DNSoverTLS works properly over time.

I have never received as many emails from Let's Encrypt in the past as the ones they are currently sending about discontinuing email notifications #letsencrypt

Warum eigentlich ist #LetsEncrypt so arschig und stellt die Zertifikats-Erinnerungs-Mails ein?
Weil teuer? Echt jetzt?

Oh hey, CAA records really work

Switched one site from paid TLS certificate to LetsEncrypt and forgot to update DNS record. As expected, LetsEncrypt looks at and refuses to issue a certificate if CAA lists other issuer. Nice

Do any email sysadmin understand what's the difference between StartTLS and x509 scores in the MECSA report?
How to go from orange to green score? What requirements must the certificate have and is it possible with LetsEncrypt?

relevant links https://mecsa.jrc.ec.europa.eu/faq#section2 and https://mecsa.jrc.ec.europa.eu/en/technical#x509

"When Let’s Encrypt, a free certificate authority, started issuing 90 day TLS certificates for websites, it was considered a bold move that helped push the ecosystem towards shorter certificate life times. Beforehand, certificate authorities normally issued certificate lifetimes lasting a year or more. With 4.0, Certbot is now supporting Let’s Encrypt’s new capability for six day certificates through ACME profiles and dynamic renewal at:

- 1/3rd of lifetime left
- 1/2 of lifetime left, if the lifetime is shorter than 10 days"

https://www.eff.org/deeplinks/2025/04/certbot-40-long-live-short-lived-certs

From @eff on the "Blue Bird"

#Certbot 4.0 is out and now supports short-lived certificates ! Offering shorter renewal periods.
https://www.eff.org/deeplinks/2025/04/certbot-40-long-live-short-lived-certs

Sounds like we’ll need a EU-based alternative to #letsencrypt:

https://thelibre.news/trump-cuts-funding-to-foss-projects/

"Trump cuts funding to FOSS projects

So far he hasn't been successful, but it might simply be a matter of time."

Much earlier than I expected.

How to Install Centmin Mod on #AlmaLinux #VPS (5 Minute Quick-Start Guide) Here's a detailed step-by-step guide on how to install Centmin Mod on AlmaLinux VPS server.
What is Centmin Mod?
Centmin Mod is a shell-based, menu-driven installer that automates the deployment of a LEMP (Linux, Nginx, MariaDB/MySQL, PHP-FPM) stack on CentOS, AlmaLinux, and Rocky Linux servers. Designed for efficiency and performance, it ...
Continued https://blog.radwebhosting.com/how-to-install-centmin-mod-on-almalinux-vps/?utm_source=mastodon&utm_medium=social&utm_campaign=ReviveOldPost #letsencrypt #php #csf #centminmod

Random #SelfHosting tip for any who might be interested:

If you use #GetSSL to get your #LetsEncrypt certs, you'll get four files:

* The key (example.com.key)
* The domain cert (example.com.crt)
* The CA cert (chain.crt)
* The "full chain" cert (fullchain.crt)

Make sure to use the full chain cert, *not* the domain cert, when setting up your server. Otherwise some services will give you "unknown authority" errors.

How to Install Centmin Mod on #AlmaLinux #VPS Here's a detailed step-by-step guide on how to install Centmin Mod on AlmaLinux VPS server.
What is Centmin Mod?
Centmin Mod is a shell-based, menu-driven installer that automates the deployment of a LEMP (Linux, Nginx, MariaDB/MySQL, PHP-FPM) stack on CentOS, AlmaLinux, and Rocky Linux servers. Designed for efficiency and performance, it streamlines the installation and ...
Continued https://blog.radwebhosting.com/how-to-install-centmin-mod-on-almalinux-vps/?utm_source=mastodon&utm_medium=social&utm_campaign=ReviveOldPost #php #centminmod #letsencrypt #csf

#Nextcloud auf einem #RaspberryPi ist sehr tricky, wenn man etwas verändert. Ich hatte sie jetzt einige Tage wunderbar laufen, habe nach langem Recherchieren die #Portfreigabe an der #Fritzbox geändert, um von #Letsencrypt ein SSL-Zertifikat zu bekommen - jetzt sind zwar die Ports offen, aber Zertifikat klappt trotzdem nicht und #Apache läuft auch nicht mehr. Ich steige gerade nicht mehr durch und frage mich, wieviel Zeit ich noch darauf verwenden will. jemand hier mit Erfahrungen?
#unplugtrump

Un Ordine Esecutivo di #Trump blocca i pagamenti all'#OpenTechnologyFund. Da essi dipendono servizi #FOSS critici come #FDroid, #TOR e #LetsEncrypt. Abbiamo bisogno di un impegno serio da parte dell'Unione Europea nello sviluppo di alternative FOSS prima possibile, è seriamente una questione di sicurezza molto più che di principio.
https://www.dday.it/redazione/52530/trump-fara-saltare-il-negozio-open-source-android-f-droid-e-la-rete-tor

Let's Encrypt

In https://infosec.exchange/@aral@mastodon.ar.al/114224524044750719 @aral wants us to pay taxes to keep Let's Encrypt "alive". Here's another reason NOT to do that.

Apparently the *.eu.org domain needed laundrying because it's reputation became too bad. So scammers create zillions of insane domain names and obtain *FREE* (for them) certificates for those sites. Usually such sites are not malicious; they're intended to have virusscanners remove detection, eventually for the sub-TLD ".eu.org".

To see this, you may consider opening
https://crt.sh?q=eu.org
but that will fail because there are WAY too many results.

To restrict the amount of records, try a subdomain name and further restrict output by deduplicating and restricting to not expired, as follows:

https://crt.sh/?Identity=madaline.eu.org&exclude=expired&deduplicate=Y

The screenshot below gives an idea (they're all Let's Encrypt certs by the way, and I marked one with an insane domain name).

I wrote about this phenomenon before, e.g. in https://www.security.nl/posting/781057/Let%27s+Encrypt+git_git_git___ (at the time I did not understand why yet).

VirusTotal knows of 72.5K direct subdomains of *.eu.org:

"Subdomains (72.5 K)"

(open the RELATIONS tab in https://www.virustotal.com/gui/domain/eu.org/).

@TheDutchChief @EUCommission @letsencrypt @nlnet

»Unsicherheit – US-Kürzungsrausch gefährdet für das Internet wichtige Open-Source-Projekte:
Die neue US-Regierung entzieht dem Open Technology Fund (OTF) die Mittel. Von diesem sind unter anderem @letsencrypt, @torproject und @fdroidorg finanziell abhängig. Der OTF hat Klage eingereicht«

Sehr heikel und es petrifft, wenn auch "nur" indirekt, alle Menschen auf der Erde. Der Egoismus eines Irren kann uns alle betreffen!

https://www.derstandard.at/story/3000000263520/lets-encrypt-tor-trump-kuerzungen-gefaehrden-fuer-das-internet-wichtige-open-source-projekte

Instead of relying on the US, the @EUCommission could have spent the equivalent of one or two state dinners on creating an EU based alternative to #LetsEncrypt. They still can :) cc @EC_DIGIT