[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#36998: [PATCH] services: certbot: Add --manual-public-ip-logging-ok
bug#36998: [PATCH] services: certbot: Add --manual-public-ip-logging-ok for manual challenges
Mon, 16 Sep 2019 10:23:06 +0200
Gnus/5.13 (Gnus v5.13) Emacs/26.3 (gnu/linux)
Carlo Zancanaro <address@hidden> skribis:
> On Wed, Sep 11 2019, Ludovic Courtès wrote:
>> Perhaps we should pass --manual-public-ip-logging-ok only when
>> ‘challenge’ has the expected value (DNS challenge type; what’s the
>> value for that?), and also document that prominently in the manual?
> My understanding is that this flag is necessary for any manual
> challenge type, it's just that our default HTTP challenge doesn't use
> a "manual" challenge type. For a DNS challenge the value for challenge
> should be "dns".
> I was a little torn about documenting it in the manual, because using
> the manual IP logging doesn't leak any more information than the
> standard HTTP challenge type.
True. The only difference is that the Let’s Encrypt operators
explicitly state that they will log the IP address in this case, whereas
they may not do it otherwise.
> There is a certbot issue discussing the problem for manual
> challenges, and the problem is when one requests the certificate
> from a different machine to the one that will use the
> certificate. This doesn't seem to be the natural use case for the Guix
> certbot-service-type, so I didn't feel it was necessary to add it to
> the manual. I'm also fairly sure that the logged IPs are not publicly
> available at the moment, based on this and this.
> Given all of that, I have attached a patch with a small update to the
> manual. I don't think I'd describe it as "prominent", but it does
> mention it in an appropriate place.
Yeah, there wasn’t any reaction, so it’s probably good enough. I’ve
applied it now, thank you!