[FFmpeg-devel] SSL certificate for ffmpeg.org website is not valid anymore

Gerion Entrup gerion.entrup.ffdev at flump.de
Sun Jul 23 16:34:27 EEST 2017


On Sunday, 23 July 2017, 09:27:06 CEST, Reimar Döffinger wrote:
> On 21.07.2017, at 15:31, Ricardo Constantino <wiiaboo at gmail.com> wrote:
> 
> > On 18 July 2017 at 02:12, Gerion Entrup <gerion.entrup.ffdev at flump.de> wrote:
> >>> On Tuesday, 18 July 2017, 01:52:53 CEST, Reimar Döffinger wrote:
> >>> On 18.07.2017, at 00:59, James Almer <jamrial at gmail.com> wrote:
> >>> 
> >>>> On 7/17/2017 7:49 PM, Moritz Barsnick wrote:
> >>>>> On Mon, Jul 10, 2017 at 13:53:02 +0300, Boris Pek wrote:
> >>>>>> Latest news about this topic:
> >>>>>> https://groups.google.com/a/chromium.org/forum/#!topic/net-dev/FKXe-76GO8Y
> >>>>> 
> >>>>> Ah, thanks, I neglected to report this, because I thought it was an
> >>>>> issue with my Opera Developer (48), which uses the Chrome engine. Opera
> >>>>> (like Chrome) recently reports ffmpeg.org's certificate as revoked, but
> >>>>> I found no tool which could verify this...
> >>>> 
> >>>> The cert is by StartCom. Afaik everyone blacklisted certs issued by them
> >>>> after a certain date, and now some, like Google, are also blacklisting
> >>>> certs issued before that date as well.
> >>>> Mozilla hasn't done the latter yet, so Firefox doesn't complain about
> >>>> it, but i guess a new cert is overdue.
> >>> 
> >>> New certs are already being generated, but nobody had the time to do the transition, there is a risk of the automation failing
> >>> (I think the web server needs to be made to reload the certificate, which is problematic as an ordinary user and there is no way I'd ever run any of that letsencrypt stuff as root),
> >> This seems to work as cronjob:
> >> ```
> >> #!/bin/sh
> >> 
> >> # Run the renewal as the unprivileged "letsencrypt" user; the exit status
> >> # of the su command is that of the grep, i.e. 0 when certbot reported
> >> # "No renewals", 1 otherwise (certs renewed, or certbot failed outright).
> >> su -c "certbot renew 2>/dev/null | grep 'No renewals' >/dev/null" letsencrypt -s /bin/bash
> >> if [ $? -eq 1 ]; then
> >>        # Only the root-owned cron job touches the web server.
> >>        service nginx reload
> >> fi
> >> ```
> 
> This is what scares me most: people running things as horrible as certbot (written by people who think it is ok to download and install a compiler without even asking before on a web server) AS ROOT.
If this is related to the above lines: certbot is not run as root here, and the whole web server handling can be done by nginx. Cron and the init system of course run as root.

Anyway, if you're concerned about certbot, there are solutions like acme-tiny [1]. To quote:
"This script must stay under 200 lines of code to ensure it can be easily audited by anyone who wants to run it."

Gerion

[1] https://github.com/diafygi/acme-tiny/
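The privilege split discussed in this thread (ACME client as an unprivileged account, web-server reload from root's cron), as an added example that is not code from the thread, from ffmpeg.org's setup, or from the FFmpeg project. It replaces the grep on certbot's human-readable output with a fingerprint comparison of the live certificate file, and refuses to reload if `nginx -t` fails. The live directory, the `letsencrypt` account name and the renewal command are assumptions, overridable through environment variables; the script is meant to be invoked by root's cron as `renew-and-reload.sh run`.

```shell
#!/bin/sh
# Privilege-separated ACME renewal with a change-triggered nginx reload.
# Added example; paths, account name and renewal command below are assumed.
set -u

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/example.org}"   # assumed cert dir
ACME_USER="${ACME_USER:-letsencrypt}"                         # assumed account
RENEW_CMD="${RENEW_CMD:-certbot renew --quiet}"               # any ACME client

# Fingerprint a certificate file so a reload is triggered by an actual change
# in the served chain, not by parsing the client's output. cksum is POSIX,
# so this behaves the same on GNU and BSD systems. Missing file -> "absent".
fingerprint() {
    if [ -r "$1" ]; then
        cksum < "$1" | cut -d' ' -f1-2
    else
        echo absent
    fi
}

# Succeeds (exit 0) when the two fingerprints differ, i.e. a reload is due.
needs_reload() {
    [ "$1" != "$2" ]
}

# Run the ACME client as the unprivileged account; root never executes it.
run_renewal() {
    su -s /bin/sh -c "$RENEW_CMD" "$ACME_USER"
}

# Reload only after the configuration (including the new cert) passes a
# syntax test, so a truncated or mismatched certificate cannot take the
# site down; the running nginx keeps serving the old cert in that case.
reload_nginx() {
    if ! nginx -t >/dev/null 2>&1; then
        echo "nginx -t failed; not reloading" >&2
        return 1
    fi
    service nginx reload
}

main() {
    before=$(fingerprint "$LIVE_DIR/fullchain.pem")
    run_renewal || echo "renewal exited non-zero; checking for changes anyway" >&2
    after=$(fingerprint "$LIVE_DIR/fullchain.pem")
    if needs_reload "$before" "$after"; then
        reload_nginx
    fi
}

# Act only when explicitly asked ("run"), so the file can also be sourced
# and its functions exercised without touching su or nginx.
case "${1:-}" in
    run) main ;;
esac
```

The ACME account needs write access to `LIVE_DIR` and the challenge directory only; nginx keeps reading the certificate files as root, and the only root-executed commands are `nginx -t` and the reload itself.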

