admin/letsencrypt-domains, branch master torproject letsencrypt domains retire old tb-build-04 and -05 servers (tpo/tpa/team#41367) 2023-10-31T14:49:45+00:00 Antoine Beaupré anarcat@debian.org 2023-10-31T14:49:45+00:00 632e43ca273b316519b425deab361aefce847e20 






add tb-build-0[23] certificates (tpo/tpa/team#41304)
2023-09-07T16:00:07+00:00

Antoine Beaupré
anarcat@debian.org

2023-09-07T16:00:07+00:00

c739e6fa41475fb710442bcb89faca16485adb09












fix rdsys test vhost, again
2023-08-30T17:13:48+00:00

Antoine Beaupré
anarcat@debian.org

2023-08-30T17:13:48+00:00

20187d7ac08f288edb4150132ee4d32f575b9535












generate TLS cert for rdsys staging server (tpo/tpa/team#41297)
2023-08-30T17:01:10+00:00

Antoine Beaupré
anarcat@debian.org

2023-08-30T17:00:46+00:00

3c28d57708f6289c62b21d971bc7fe1c7f38f51b












Add metrics-api.tpo
2023-08-25T14:36:56+00:00

Silvia/Hiro
hiro@torproject.org

2023-08-25T14:36:56+00:00

2458906a4dac3e324fb5feeb6982ffc235ee55f4












add a domain name for the container registry (tpo/tpa/gitlab#89)
2023-07-12T18:29:57+00:00

Antoine Beaupré
anarcat@debian.org

2023-07-12T18:26:36+00:00

5d3240b6370b8d69ad0ac318fa329fdbb64661e1

We pick `containers` here instead of `registry` because there could
clearly be a case made for a `registry` that's not specific to GitLab,
Docker, TPA, or anything internal like this. `registry` is way too
generic of a name, while `containers` says what it is, it's a
repository of "containers" ("images" is implied here, of course).





We pick `containers` here instead of `registry` because there could
clearly be a case made for a `registry` that's not specific to GitLab,
Docker, TPA, or anything internal like this. `registry` is way too
generic of a name, while `containers` says what it is, it's a
repository of "containers" ("images" is implied here, of course).







Add donate-review domains
2023-07-12T18:24:40+00:00

kez
kez@torproject.org

2023-07-12T18:24:25+00:00

29ae21c81641bc10b782dcd8b60fedcf261d0f8a












stop appending DH PARAMS to certificates files
2023-07-11T20:32:44+00:00

Antoine Beaupré
anarcat@debian.org

2023-07-11T20:32:44+00:00

2e1a0f753be4f33d11a8db33a4e7cd36d0a917cf

This is crashing the Golang crypto/tls library which doesn't support
DH exchanges and argues instead for ECDH exchanges instead:

https://github.com/golang/go/issues/38788

Furthermore, it doesn't make sense to embed the DH parameters on
certificates in the first place, according to this:

https://stackoverflow.com/a/58221273

Quote:

> There is nothing like DH parameters in a certificate.
>
> DH is only one of ways how a public key can be used. You may
> generate a DH public key with specified length (e.g. 2048 bit) and
> execute the DH exchange, but it has nothing to do with certificate
> parameters. (didn't you mean to generate a keypair, not a
> certificate?).
>
> Indeed the DH key exchange needs other parameters (p, g), but the
> parameters are part of the protocol, not the certificate. In TLS
> even the DH parameters can be random and authenticated by the
> certificate's public key - it is called Ephemeral Diffie-Hellman key
> exchange.
>
> You could generate DH parameters (p, g) separately:
>
>     openssl dhparam -out dhparams.pem 4096

I believe that if those are not provided with the certificate, the
default system-wide ones (`/etc/ssl/dhparam.pem`) will be used, and I
think that's fine for our cases.

In any case, I agree with golang that we should just ephemeral DH
parameters anyway.

Partly related to the ciphersuites improvement as
well (tpo/tpa/team#32351).





This is crashing the Golang crypto/tls library which doesn't support
DH exchanges and argues instead for ECDH exchanges instead:

https://github.com/golang/go/issues/38788

Furthermore, it doesn't make sense to embed the DH parameters on
certificates in the first place, according to this:

https://stackoverflow.com/a/58221273

Quote:

> There is nothing like DH parameters in a certificate.
>
> DH is only one of ways how a public key can be used. You may
> generate a DH public key with specified length (e.g. 2048 bit) and
> execute the DH exchange, but it has nothing to do with certificate
> parameters. (didn't you mean to generate a keypair, not a
> certificate?).
>
> Indeed the DH key exchange needs other parameters (p, g), but the
> parameters are part of the protocol, not the certificate. In TLS
> even the DH parameters can be random and authenticated by the
> certificate's public key - it is called Ephemeral Diffie-Hellman key
> exchange.
>
> You could generate DH parameters (p, g) separately:
>
>     openssl dhparam -out dhparams.pem 4096

I believe that if those are not provided with the certificate, the
default system-wide ones (`/etc/ssl/dhparam.pem`) will be used, and I
think that's fine for our cases.

In any case, I agree with golang that we should just ephemeral DH
parameters anyway.

Partly related to the ciphersuites improvement as
well (tpo/tpa/team#32351).







make a cert for minio (tpo/tpa/team#41257)
2023-07-11T19:37:03+00:00

Antoine Beaupré
anarcat@debian.org

2023-07-11T19:37:03+00:00

624dbdd0057079a5f0139673668a16f15fa24024












Partially revert "retire forum-test-01 (tpo/tpa/team#41238)"
2023-06-28T15:30:23+00:00

Antoine Beaupré
anarcat@debian.org

2023-06-28T15:30:23+00:00

bba6096c08d3f98917f5fb63858173b35bc097e7

Surely the first hunk in that patch was a typo...

This partially reverts commit 71484562801c5120a84fc9d04fbf37e64bc38ae6.





Surely the first hunk in that patch was a typo...

This partially reverts commit 71484562801c5120a84fc9d04fbf37e64bc38ae6.