On 6/23/21 12:09 PM, Per Jessen wrote:
Marc Chamberlin wrote:
On 6/23/21 1:09 AM, Dave Howorth wrote:
On Tue, 22 Jun 2021 17:38:16 -0700 Marc Chamberlin <marc@marcchamberlin.com> wrote:
I feel that your message is probably important, so I tried to understand it but failed :(
Certbot automatically updated some security certificates on one of my systems (Nova)
I started getting lost here. What is Nova?
OH! Sorry!!! Nova is the name of one of my computers.
I did get that bit, but I was thoroughly confused about the rest. I have difficulty imagining how certbot updating some certificates should cock up all kinds of services for you. I have certbot renewing customer certs twice a day, works very well for hundreds of them.
Per - I am trying to dig into this further also because, for example, I am not sure why the automount service should even care about certificates. And I will offer to say that this could all be a red herring of some kind and I may have a problem elsewhere.

Anywise, from what I am observing, let's say Computer A is running some services and it also has some security certificates from Let's Encrypt that get automatically updated. There is no problem as far as Computer A is concerned. Now Computer B comes along and has a client that wants to connect to a service on Computer A. In order to establish a secure connection to Computer A, Computer B's client presents a cached copy of the certificate that Computer B has for Computer A, to Computer A. But the certificate from Computer B is now out of date and Computer A refuses it. Many, if not most, of the clients on Computer B that want an encrypted connection, such as the ones I previously mentioned in my first email, don't handle this condition very well. Only the SSH client on Computer B offers to tell you how to delete the old cached copy and update Computer B's cached copy with the new version of Computer A's new certificate. Other clients just drop the ball and spout off some generic B.S. error message complaining they cannot make the connection to Computer A. "No route to host" or even worse "AUTH method LOGIN failed from network" are a couple of examples of such B.S. I have come across. How helpful is that?

So my question is, who should have the responsibility for presenting a decent error message, the O.S. itself, or each client/server app? In other words, who do I bellyache to? BTW, IMHO the error message from the ssh client is pretty decent and I got no complaints with it! Empirical observations have shown a pattern where once I synchronize the cached copy of an outdated certificate with the updated version, the problems I was chasing down went away most of the time.
I just thought I would bring this issue up as a topic for conversation. Now that I have what appears to be a solution (check with and use SSH to update cached certificates), this is not a pressing issue for me anymore and I will move on and monitor what happens if anyone wants to run with this issue.

Marc...

-- 
"The Truth is out there" - Spooky
_ _ . . . . . . _ _ . _ _ _ _ . . . . _ . . . . _ _ . _ _ _ . . . . _ _ . _ . . _ . _ _ _ _ . _ . _ . _ . _ .
Computers: the final frontier. These are the voyages of the user Marc. His mission: to explore strange new hardware. To seek out new software and new applications. To boldly go where no Marc has gone before!
(This email is digitally signed. My public key for sending encrypted email to me can be found at - https://keys.openpgp.org/search?q=marc@marcchamberlin.com or just ask me for it and I will send it to you as an attachment. If you don't understand, no worries, just ignore it and/or ask me to explain it further.)
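The situation Marc describes, a client holding a cached copy of a server's certificate that no longer matches what the server presents after a certbot renewal, is what a certificate-pinning client sees. The following is an added example, written for this page; it is not code from the thread, from certbot, or from OpenSSH. It keeps a small pin file (format assumed here: one `host:port sha256:<hex of DER>` line per entry, modelled loosely on known_hosts), compares the pinned fingerprint with the certificate the server currently presents, and on a mismatch prints the kind of message the SSH client gives: what changed, and the exact line to put in the pin file if the change was an expected renewal. The two "certificates" in the block are constructed base64 blobs so the demo runs offline; `fetch_live_pem` is the network path for real use. One caveat a practitioner would want: Let's Encrypt certificates are valid for 90 days and certbot renews them well before that, so a pin on the leaf certificate legitimately changes at every renewal. A pin that has to survive renewals belongs on the subject public key or the issuing CA, or the client should simply validate the chain against the system trust store like any normal TLS client.

```python
"""Pinned-certificate check with a diagnostic that says what to do next.

Added example for this page, not code from the thread, certbot or OpenSSH.
Assumed (hypothetical) pin file format: one line per service,
    host:port sha256:<hex sha256 of the DER-encoded certificate>
The sample certificates below are constructed base64 blobs, not real
X.509 certificates; ssl.PEM_cert_to_DER_cert only strips the PEM armor
and base64-decodes, so they are enough for an offline demonstration.
"""
import base64
import hashlib
import ssl
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class PinResult:
    status: str            # "ok", "changed" or "unknown"
    message: str           # human-readable diagnostic
    live_fp: str           # sha256 hex of the certificate the server presented
    pinned_fp: Optional[str]  # sha256 hex stored in the pin file, if any


def fingerprint(pem_cert: str) -> str:
    """SHA-256 over the DER encoding, the same digest that
    `openssl x509 -noout -fingerprint -sha256` prints (minus the colons)."""
    der = ssl.PEM_cert_to_DER_cert(pem_cert)
    return hashlib.sha256(der).hexdigest()


def load_pins(text: str) -> Dict[str, str]:
    """Parse the assumed pin file format; blank lines and '#' comments are ignored."""
    pins: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, fp = line.partition(" ")
        if fp.lower().startswith("sha256:"):
            pins[key] = fp[len("sha256:"):].lower()
    return pins


def check_pin(host: str, port: int, live_pem: str, pins: Dict[str, str]) -> PinResult:
    """Compare the certificate the server presented with the stored pin."""
    key = f"{host}:{port}"
    live_fp = fingerprint(live_pem)
    pinned = pins.get(key)
    if pinned is None:
        return PinResult("unknown",
                         f"No pin stored for {key}. To pin the certificate currently "
                         f"presented, add this line to the pin file:\n  {key} sha256:{live_fp}",
                         live_fp, None)
    if pinned == live_fp:
        return PinResult("ok", f"Certificate for {key} matches the stored pin.", live_fp, pinned)
    # This is the case the thread is about: the cached copy is stale after a renewal.
    return PinResult("changed",
                     f"WARNING: the certificate presented by {key} does not match the stored pin.\n"
                     f"  pinned: sha256:{pinned}\n"
                     f"  live:   sha256:{live_fp}\n"
                     f"If this was an expected renewal (for example certbot on the server), replace the\n"
                     f"line for {key} in the pin file with:\n"
                     f"  {key} sha256:{live_fp}\n"
                     f"If you did not expect a change, treat this as a possible man-in-the-middle and do not connect.",
                     live_fp, pinned)


def fetch_live_pem(host: str, port: int = 443) -> str:
    """Fetch the leaf certificate a real server presents (network call; not used by the offline demo)."""
    return ssl.get_server_certificate((host, port))


def _fake_pem(payload: bytes) -> str:
    """Constructed stand-in for a PEM certificate: PEM armor around base64 of arbitrary bytes."""
    b64 = base64.encodebytes(payload).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"


# Constructed sample data: the certificate cached before renewal and the one served afterwards.
OLD_CERT = _fake_pem(b"nova.example: constructed certificate issued before renewal")
NEW_CERT = _fake_pem(b"nova.example: constructed certificate issued after certbot renewal")
PIN_FILE = "# host:port sha256:<hex of DER>\n" + f"nova.example:993 sha256:{fingerprint(OLD_CERT)}\n"


def demo() -> PinResult:
    """Pin matches the old certificate, then the server presents the renewed one."""
    pins = load_pins(PIN_FILE)
    before = check_pin("nova.example", 993, OLD_CERT, pins)
    print(before.message)
    after = check_pin("nova.example", 993, NEW_CERT, pins)
    print(after.message)
    return after


if __name__ == "__main__":
    demo()
```

Run it as-is for the offline demonstration; to check a real service, replace `NEW_CERT` with `fetch_live_pem("nova.example", 993)` and keep the pin file beside the script. The "changed" message deliberately includes the exact replacement line, which is the part of the SSH client's known_hosts warning that makes it usable.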