@letsencrypt Hey.
-
@wonka @benbe Or just use the procedure in https://letsencrypt.org/docs/revoking/.
-
-
The discussion in that project in https://github.com/Upinel/localhost.direct/issues/18 is wild. Such a total lack of understanding the policies. The author - who surely had good intentions - seems to think that the issue was that the key was shared openly and not in a password "protected" ZIP file.
But looks like someone has indeed used the revocation process like 45 minutes ago, it is shown as revoked at 20:31:51 UTC.
-
-
@wonka @waldi @benbe In the view of the one certificate at crt.sh you could have just clicked on "X509v3 Subject Key Identifier" to get to the list at https://crt.sh/?ski=31b4a0eddb482696ca72ef495f0d1b0e3fbd5386
-
-
@julijane I'm not sure if I understand the negative implications of what they have done. can you help me?
I'm aware that sharing private keys with anybody is generally a bad idea.
what could / would a bad actor do with their key? provide custom DNS entries for localhost.direct with a "trusted" certificate and then trick people into downloading malicious content (because it shows a valid certificate)?
-
@wonka @julijane @waldi @benbe you may find spkihash useful: https://github.com/badkeys/miscscripts/blob/main/spkihash 'spkihash -c [key]' gives you directly a search URL for crt.sh (just implemented, wanted to do this for a while).
-
@winniehell @julijane Because those are the rules of webpki. You can not distinguish between a key that was compromised by accident and by choice. So a private key that showed up in public is considered compromised and needs to be replaced.
Fix: use your own domain and generate a certificate for a name that points to localhost. With Let's Encrypt and ACME this is completely automatic.
-
@waldi @winniehell To be fair, the use case "I want to create a cert for a hostname that points to 127.0.0.1" is not that easy, as it requires to be able to have certbot or whatever client to be able to make DNS changes, as authorization over HTTP(S) is oblivious not possible.
One alternative solution would be to have the cert created on a internet host and DNS points to that, but then use that locally and use hosts file to override the IP on DNS with 127.0.0.1.
-
@julijane @waldi @winniehell if you don't mind a custom CA, mkcert is a tool I strongly recommend https://github.com/FiloSottile/mkcert