path: root/certs
Commit message (Author, Age, Files)

* certs/gencerts.sh: Don't hard-code the intermediate CA. (Guilhem Moulin, 2021-01-07, 1 file)
  Since mid December Let's Encrypt has been using /C=US/O=Let's Encrypt/CN=R3 (CAID #183267) instead of the old /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 (CAID #16418).
* Move bacula and munin master to new host levante from benjamin. (Guilhem Moulin, 2020-11-03, 3 files)
* Use dedicated DKIM key for tevs.net. (Guilhem Moulin, 2020-10-01, 1 file)
* Use dedicated DKIM key for hemdal.se. (Guilhem Moulin, 2020-05-22, 1 file)
* Use dedicated DKIM key for guilhem.org. (Guilhem Moulin, 2020-04-22, 1 file)
* Add dedicated DKIM key for lists.fripost.org. (Guilhem Moulin, 2020-04-22, 1 file)
  Instead of using the fallback key. That way messages from our lists have proper DMARC alignment (at least when envelope sender and From header are under domain lists.fripost.org).
* Add own DKIM key for debian.org address. (Guilhem Moulin, 2020-04-13, 1 file)
  Cf. https://lists.debian.org/debian-devel-announce/2020/04/msg00004.html . \o/
  It's also fairly easy to deploy onto the Debian infrastructure:

    $ USERNAME="guilhem"
    $ SELECTOR="5d30c523ff3622ed454230a16a11ddf6.$USERNAME.user"
    $ printf "dkimPubKey: %s %s\n" "$SELECTOR" \
        "$(openssl pkey -pubin -in "./certs/dkim/$SELECTOR:debian.org.pub" -outform DER | base64 -w0)" \
        | gpg --clearsign | s-nail -r "$USERNAME@debian.org" -s dkimPubKey changes@db.debian.org
* MSA: Open 465/TCP for Email Submission over TLS. (Guilhem Moulin, 2019-03-19, 1 file)
  See RFC 8314 sec. 3.3 "Cleartext Considered Obsolete".
* Add ssh-ed25519 hostkey for benjamin. (Guilhem Moulin, 2018-12-09, 1 file)
* Remove trailing spaces. (Guilhem Moulin, 2018-12-05, 1 file)
* DKIM: also include the "d=" tag in key filenames, not only the "s=" tag. (Guilhem Moulin, 2018-12-05, 3 files)
  While the combination of "s=" tag (selector) & "d=" tag (signing domain) maps to a unique key, the selector alone doesn't necessarily.
* Upgrade DKIM keys to rsa2048, and allow for multiple keys. (Guilhem Moulin, 2018-12-04, 3 files)
* gencerts: Also show the algorithm for SSH host keys. (Guilhem Moulin, 2018-12-03, 1 file)
* Define new host "calima" serving Nextcloud. (Guilhem Moulin, 2018-12-03, 5 files)
* ssh_known_hosts: also list ed25519 host (pub)keys. (Guilhem Moulin, 2018-12-03, 1 file)
* certs/gencerts.sh: wibble (Guilhem Moulin, 2018-12-03, 1 file)
* Rotate civett's IPsec key. (Guilhem Moulin, 2017-05-29, 2 files)
* Change civett's CNAME from civett.friprogramvarusyndikatet.se to civett.fripost.org (Guilhem Moulin, 2017-05-14, 1 file)
* HPKP: increase max-age directive to 6 months from 1 hour. (Guilhem Moulin, 2016-09-18, 1 file)
* gencerts: improve wording: s/pubkey/SPKI/ (Guilhem Moulin, 2016-09-18, 1 file)
* Improve certs formatting. (Guilhem Moulin, 2016-07-12, 1 file)
* gencerts: Print the SHA1 digests in hex not base64 format. (Guilhem Moulin, 2016-07-12, 1 file)
* typo (Guilhem Moulin, 2016-07-12, 1 file)
* typo (Guilhem Moulin, 2016-07-12, 1 file)
* gencerts: make the SSHFPR output match the X509 ones. (Guilhem Moulin, 2016-07-12, 1 file)
* gencerts: Include SAN for the website and webmail. (Guilhem Moulin, 2016-07-12, 1 file)
* gencerts: base64-encode the SHA256 digests. (Guilhem Moulin, 2016-07-12, 1 file)
  Also, include the backup pins in the .asc.
* nginx: Don't hard-code the HPKP headers. (Guilhem Moulin, 2016-07-12, 5 files)
  Instead, look up the pubkeys and compute the digests on the fly. But never modify the actual header snippet to avoid locking our users out.
* gencerts: exclude expired certs in the CRT queries. (Guilhem Moulin, 2016-07-10, 1 file)
* Route all internal SMTP traffic through IPsec. (Guilhem Moulin, 2016-07-10, 7 files)
* Change the pubkey extension from .pem to .pub. (Guilhem Moulin, 2016-07-10, 9 files)
* typo (Guilhem Moulin, 2016-06-15, 1 file)
* crt.sh: Replace SHA1 by SHA256 as SPKI digest to list certificates. (Guilhem Moulin, 2016-06-15, 1 file)
* certs/public: fetch each cert's pubkey (SPKI), not the cert itself. (Guilhem Moulin, 2016-06-15, 9 files)
  To avoid new commits upon cert renewal.
* Renew cert for https://lists.fripost.org. (Guilhem Moulin, 2016-05-28, 1 file)
* IPSec: replace (self-signed) X.509 certs by their raw pubkey for authentication. (Guilhem Moulin, 2016-05-24, 6 files)
  There is no need to bother with X.509 cruft here.
* Restore the public part of Bacula's data encryption master key. (Guilhem Moulin, 2016-05-23, 1 file)
  Which was incorrectly removed at commit 8cf4032ecec5b9f58d829e89f231179170432539
* Remove CAcert certificates. (Guilhem Moulin, 2016-05-22, 2 files)
  We're now using the Let's Encrypt CA for our public internet-facing services.
* gencerts: improve formatting. (Guilhem Moulin, 2016-05-22, 1 file)
* Tunnel bacula (dir → {fd,sd} and fd → sd) traffic through IPSec. (Guilhem Moulin, 2016-05-22, 9 files)
* Tunnel munin-update traffic through IPSec. (Guilhem Moulin, 2016-05-22, 6 files)
* Set up IPSec tunnels between each pair of hosts. (Guilhem Moulin, 2016-05-22, 6 files)
  We use a dedicated, non-routable, IPv4 subnet for IPSec. Furthermore the subnet is nullrouted in the absence of xfrm lookup (i.e., when there is no matching IPSec Security Association) to avoid data leaks. Each host is associated with an IP in that subnet (thus only reachable within that subnet, either by the host itself or by its IPSec peers). The peers authenticate each other using RSA public key authentication. Kernel traps are used to ensure that connections are only established when traffic is detected between the peers; after 30m of inactivity (this value needs to be less than the rekeying period) the connection is brought down and a kernel trap is installed.
* Add an ansible module 'fetch_cmd' to fetch the output of a remote command locally. (Guilhem Moulin, 2016-05-18, 8 files)
  And use this to fetch all X.509 leaf certificates.
* Renew imap.fripost.org:993 and smtp.fripost.org:587 X.509 certificates. (Guilhem Moulin, 2016-05-18, 4 files)
* Set an HPKP on the webmail, website/wiki/git and list manager. (Guilhem Moulin, 2016-04-01, 4 files)
* gencerts.sh: typo (Guilhem Moulin, 2016-03-28, 1 file)
* gencerts.sh: improve formatting. (Guilhem Moulin, 2016-03-28, 1 file)
* Replace LE's X1 intermediate CA with X3 since the latter has better support for XP. (Guilhem Moulin, 2016-03-28, 1 file)
* Reissue certs on civett and elefant since LE's X3 intermediate CA has better support for XP. (Guilhem Moulin, 2016-03-27, 5 files)
* Let's Encrypt: Only reload (as opposed to restart) postfix/nginx after renewing the cert (Guilhem Moulin, 2016-03-05, 3 files)