Let's Encrypt TLS project: seeking nginx configuration module help

B.R. reallfqq-nginx at yahoo.fr
Wed Nov 11 17:28:01 UTC 2015


This script has nothing to do with nginx, it is the one used for
certificate request generation to Let's Encrypt.

They intend to use certificates with shorter and shorter lifespans as the
process is considered more and more robust, to fight against compromised
certificates in the wild. Thus, automating the process is a good idea as
manual installation could become a huge burden, not to mention manual
request/generation.
For the moment, the only way with nginx is to only request certificates and
install them yourself manually afterwards. It could be automated somehow,
depending on the Let's Encrypt script outcome, and then moving certificate
files around + issuing nginx reload. It might be a compromise to avoid
having generated certificates go live without your own proper validation.

I suggest you complain about the use of python on the Let's Encrypt board
<https://community.letsencrypt.org/> directly. I was merely trying to bring
the attention of nginx experts on this topic, as a thorough understanding
of nginx's way of working is in my eyes necessary. Your complaint has little
impact/use here.

For the security concern you are talking about, the fact the script is
open-source and provided to the eyes of the whole world
<https://github.com/letsencrypt/letsencrypt> allows you to carefully review
its code before using it, as one should. Open-source works only if
you validate libraries you use (or if you take the risk the community does
it for you, with no complaint from your side then).
---
*B. R.*

On Wed, Nov 11, 2015 at 4:07 PM, 173279834462 <nginx-forum at nginx.us> wrote:

> > They are currently struggling with their nginx module,
> > allowing a certificate to be automatically installed on nginx.
>
> Would you really use that script?
>
> 1. It requires python. --- I do not have python on my server,
> and I have no intention to install it. You can kick and scream,
> but that will not change my decision. If nginx will demand
> python to run, I will drop nginx for something I trust more.
>
> 2. Assuming *you* have python on board, and something
> breaks. Say, the script is hacked and your server installs
> something other than your intended certificate. Are you
> ready to pay for the damages?
>
> Posted at Nginx Forum:
> https://forum.nginx.org/read.php?2,262697,262746#msg-262746
>
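
The "validate, then move files and reload" step described in the message above, as an added example that is not part of the original thread and is not Let's Encrypt or nginx project code. The `/etc/nginx/ssl` directory, the `NGINX_SSL_DIR` variable, the `<host>.crt` / `<host>.key` file naming and both function names are assumptions.

```shell
#!/bin/sh
# Added example: gate a freshly issued certificate before it goes live.
# NGINX_SSL_DIR and the <host>.crt / <host>.key naming are assumptions.

# check_cert CERT KEY HOST [MIN_DAYS]
# Returns 0 if the certificate is acceptable, otherwise:
#   1 = not parseable as X.509      2 = does not match the private key
#   3 = does not cover HOST         4 = expires within MIN_DAYS (default 7)
check_cert() {
    cert=$1; key=$2; host=$3; min_days=${4:-7}

    openssl x509 -in "$cert" -noout 2>/dev/null || return 1

    # The public key in the certificate must be the one derived from our
    # private key; a mismatched pair would be rejected by "nginx -t" anyway.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ] || return 2

    # -checkhost reports its verdict in the output, so match on the text.
    openssl x509 -in "$cert" -noout -checkhost "$host" 2>/dev/null |
        grep -q "does match certificate" || return 3

    # -checkend exits non-zero if the certificate expires within N seconds.
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) \
        >/dev/null 2>&1 || return 4
}

# install_cert CERT KEY HOST: copy into place only after check_cert passes,
# and reload only if nginx accepts the resulting configuration.
install_cert() {
    check_cert "$1" "$2" "$3" || { echo "rejected (code $?)" >&2; return 1; }
    dir=${NGINX_SSL_DIR:-/etc/nginx/ssl}
    for ext in crt key; do                  # keep the live pair for rollback
        [ -f "$dir/$3.$ext" ] && cp -p "$dir/$3.$ext" "$dir/$3.$ext.prev"
    done
    install -m 644 "$1" "$dir/$3.crt"
    install -m 600 "$2" "$dir/$3.key"
    if nginx -t 2>/dev/null; then
        nginx -s reload
    else                                    # restore the previous pair
        for ext in crt key; do
            [ -f "$dir/$3.$ext.prev" ] && mv "$dir/$3.$ext.prev" "$dir/$3.$ext"
        done
        return 1
    fi
}

if [ "$#" -ge 3 ]; then install_cert "$@"; fi
```

Run as `sh script.sh new.crt new.key example.test` after the issuing client has written its files; nothing is copied or reloaded unless every check passes.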