On 2021-05-13 13:05, Andreas Fink wrote:
Jeroen Massar wrote on 13.05.21 10:46:
On 2021-05-13 11:29, Andreas Fink wrote:
Hello all,
I need to get some SSL certificates for some African country operations and I can unfortunately not use Let's Encrypt for this.
Any reason? What are your requirements?
The mail server I use does not support ACME setup. I can only do old-style SSL certificate requests. For the web server it's not an issue though.
You could get the certs from LE/ZeroSSL every 90 days and replace them by hand.... does not scale, but works ;)
But there are thousands of CAs, just check the list.
Would ZeroSSL (https://zerossl.com) who also do ACME work?
No. ACME is the issue. And ZeroSSL is hosted in the US on Cloudflare with a Cloudflare SSL certificate. So by definition not DSGVO-compliant, as the NSA could theoretically infiltrate Cloudflare to infiltrate all my certs etc. etc. It might be far fetched, but since Snowden we know that many things we considered far far far fetched are not anymore.
You have the private key and that does not leave the box unless you do that, thus unless there is some crypto that is broken, they can't do much with that. If they have broken crypto some way, then it applies to everything and we are generally screwed. I am not aware of such a thing at this point in time.
All certs are logged in Certificate Transparency (see for instance https://ct.cloudflare.com/) thus the source should not matter.
The US unfortunately is where most corporations & monopolies are based; companies in the rest of the world fall under bilateral exchange laws.
Thus if one is afraid of the US, it is game over, one will have to disconnect from this Internet thing as their influence (code/hardware/legal/people) is everywhere.
For me at least that is not a threat; your model might include it, it seems.
You have more to fear from the Googles of the world, considering they control the browser trust store: https://thehackernews.com/2017/07/chrome-certificate-authority.html as a quick random example...
(Yes people, Let's Encrypt is not the only game... if you do ACME for your systems, also set up ZeroSSL and issue certs from both places at the same time, just in case LE ever has an issue, though that will be resolved rather quickly with 72% market share (https://ct.cloudflare.com).)
Cloudflare's jurisdiction is definitely a red flag for me.
As above, I'll give a little link: https://www.coe.int/en/web/criminal-law-coop/bilateral-cooperation
US law is enforced everywhere, we (.ch) fortunately/hopefully have judges that protect from overreach though.
I was trying to get a certificate from SwissSign for this, but for some reason they refuse to issue certificates to domains for Guinea and Guinea-Bissau.
Do you need org validated or something that the country matters?
No. I simply need the domain to be in that country. The holder of the domain can be myself in Switzerland or one of the entities in Africa which is not on the blacklist (which is actually what I tried). SwissSign put the certificate under embargo because the domain ending contained .gw and .com.gn. That's all. And I don't want to buy a domain for every mail server separately, that's why I want a multi-domain certificate. As it has to be renewed every year it's painful enough already.
Sounds like upgrading software or fronting it with a proxy is the way to go, as then you can do like the rest of the world (well 72%): LE....
An alternative option would be to use DANE/TLSA, then you can provide a self-signed certificate. Watch out with setting up MTA-STS in that case though.
At that point though, you already have new software that should be able to handle ACME certificates (read: being able to reconfigure the SSL cert in a scripted manner).
Greets, Jeroen
PS: Don't hesitate to provide details of the setup off-list and we can see what we can do if you want to go the LE route.
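The DANE/TLSA route mentioned above, as an added example that is not code from this thread: the TLSA `3 1 1` record for a mail server's (possibly self-signed) certificate is the SHA-256 of its DER-encoded SubjectPublicKeyInfo, which is all a DANE-aware sending MTA compares against the served certificate. The DER walker uses only the standard library; `_25._tcp.mail.example.net.` is a placeholder owner name and the sample certificate is a constructed skeleton (a real DER file read from disk can be passed instead).

```python
import hashlib

def _tlv(der: bytes, pos: int):
    # Read one DER TLV at pos; return (tag, value_start, value_end).
    tag, length, hdr = der[pos], der[pos + 1], 2
    if length & 0x80:                               # long-form length
        n = length & 0x7F
        length = int.from_bytes(der[pos + 2:pos + 2 + n], "big")
        hdr += n
    return tag, pos + hdr, pos + hdr + length

def extract_spki(cert_der: bytes) -> bytes:
    # Walk Certificate -> tbsCertificate and return the DER SubjectPublicKeyInfo TLV.
    _, tbs_pos, _ = _tlv(cert_der, 0)                  # Certificate SEQUENCE
    _, pos, tbs_end = _tlv(cert_der, tbs_pos)          # tbsCertificate SEQUENCE
    fields = []
    while pos < tbs_end:
        tag, _, end = _tlv(cert_der, pos)
        fields.append((tag, pos, end))
        pos = end
    if fields[0][0] == 0xA0:                            # optional [0] EXPLICIT version (absent in v1)
        fields.pop(0)
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    _, spki_pos, spki_end = fields[5]
    return cert_der[spki_pos:spki_end]

def tlsa_311(cert_der: bytes) -> str:
    # Usage 3 (DANE-EE), selector 1 (SPKI), matching 1 (SHA-256): hash of the DER SPKI.
    return hashlib.sha256(extract_spki(cert_der)).hexdigest()

def tlsa_record(owner: str, cert_der: bytes) -> str:
    return f"{owner} IN TLSA 3 1 1 {tlsa_311(cert_der)}"

def cert_matches_tlsa(cert_der: bytes, published_hex: str) -> bool:
    # The check a DANE-aware sending MTA performs against the served certificate.
    return tlsa_311(cert_der) == published_hex.strip().lower()

# Constructed sample input: a DER certificate skeleton (not a real, signed certificate).
def _enc(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body
_ALG = _enc(0x30, _enc(0x06, bytes.fromhex("2a864886f70d010101")) + _enc(0x05, b""))  # rsaEncryption
SAMPLE_SPKI = _enc(0x30, _ALG + _enc(0x03, b"\x00" + b"\x42" * 40))                    # dummy key bits
def build_sample_cert(with_version: bool = True) -> bytes:
    tbs = _enc(0xA0, _enc(0x02, b"\x02")) if with_version else b""          # [0] version v3
    tbs += _enc(0x02, b"\x01") + _ALG + _enc(0x30, b"")                      # serial, signature, issuer
    tbs += _enc(0x30, _enc(0x17, b"210513000000Z") * 2) + _enc(0x30, b"")   # validity, subject
    return _enc(0x30, _enc(0x30, tbs + SAMPLE_SPKI) + _ALG + _enc(0x03, b"\x00" * 9))
```

Because the record covers only the public key, a yearly renewal that reuses the key leaves the published TLSA record valid, while a key rotation requires publishing the new record (alongside the old one) before the certificate is swapped.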