DNS-01 requires making all my DNS zones dynamic, which is a PITA and increases complexity. HTTP-01 requires pre-provisioning site configs and having a mutable webroot. TLS-SNI-01 was great because it didn't clash with actual production configs at all so it always worked.
The closest thing to the previous hands-off behavior I can think of is using iptables to send port 80 to some other port, and deploying an nginx config that passes that through to port 80 on self except for the well-known ACME paths. But ugh.
I guess a less ugly method would be to have the default vhost serve the ACME challenges and then having an include to add that functionality in every additional port 80 vhost. Still ugh.
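The default-vhost-plus-include arrangement described in that tweet, written out as an added nginx example (not the thread author's config); the snippet path, the shared webroot and the hostnames are assumed:

```nginx
# /etc/nginx/snippets/acme-challenge.conf (assumed path, constructed example)
# Serve HTTP-01 tokens from one shared webroot so certbot
# (--webroot -w /var/www/acme) never has to edit any site config.
location ^~ /.well-known/acme-challenge/ {
    root /var/www/acme;          # token lands at /var/www/acme/.well-known/acme-challenge/<token>
    default_type text/plain;
    try_files $uri =404;         # no token on disk -> 404, nothing else is served from here
}

# Default port-80 vhost: answers for any hostname without its own vhost.
server {
    listen 80 default_server;
    server_name _;
    include snippets/acme-challenge.conf;
    location / { return 301 https://$host$request_uri; }
}

# Every additional port-80 vhost has to repeat the include (the "still ugh" part).
server {
    listen 80;
    server_name example.com www.example.com;   # assumed hostnames
    include snippets/acme-challenge.conf;
    location / { return 301 https://$host$request_uri; }
}
```

The `^~` prefix match keeps a site's own regex locations from shadowing the challenge path; keep /var/www/acme writable only by the user certbot runs as, since whoever can write tokens there can pass validation for any name pointing at the box.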
That's what I mean. But that still means additional configuration in every vhost. With TLS-SNI-01 it was completely transparent with zero additional configuration - I just had the certbot plugin automatically create and remove dummy standalone vhosts to serve the challenge certs.
No certbot code was touching my web server anyway - I had written a plugin to just call a shell script that creates configs in /etc/nginx/sites.d and then removes them. https://github.com/marcan/certbot-external …
I feel ya. I've been super sad on twitter about this the past few days.
Note that this predated --manual-auth-hook/--manual-cleanup-hook (which mostly do the same thing, but worse) and https://github.com/EnigmaBridge/certbot-external-auth … (whose handler mode is apparently inspired by my plugin - TIL)
Is there any way to make a tls-sni-03 that doesn’t suffer from the same issue? I’m thinking not. The DNS just doesn’t give you the information to distinguish between the site owner and anyone on the same server - except through what it serves for the domain itself.
(but of course you don’t want to have to swap out the site’s cert entirely.)