Kitz ADSL Broadband Information
Author Topic: Firebrick router - ‘Lets encrypt’ TLS certificate expiry email  (Read 1257 times)

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick

I had a software upgrade to my FB2700 router and now I keep getting these incomprehensible emails. Something to do with SSL/TLS certificates that the Firebrick is using as part of the new https: admin login via its built-in web server admin interface now, a new feature, instead of plain old http: login.

From what I can make out, there is some check of <something - but who knows what> that is supposed to be carried out. Why? And why hasn’t this already been done? And why doesn’t AA just handle this and make it go away?

I don’t know what the cert is supposed to guarantee to the user, guarantee that the traffic has not been redirected to somewhere evil? I don’t understand what kind of guarantee could be made available. Someone can check that I actually am at the IP address that I’m supposed to be at according to the domain name of the web server = my Firebrick in this case. You just need to do a DNS lookup for my brick properly and make sure that you are not getting conned in the process. And there are several ways of doing that. You could use your own LAN that is not evil and then use encrypted pipes to trusted respected DNS providers or otherwise do all of the DNS lookup yourself the hard way, ‘from first principles’ if you like, not trusting other servers but just going straight to the authoritative DNS servers concerned, one by one as required, and trusting no one else.

From what I can make out, the brick or a Let’s Encrypt server is trying to communicate with <?someone> and I have a feeling that my Firebrick, being a firewall and a good one at that, is of course preventing this activity because it’s something I’ve never heard of and it’s a security threat.

Thinking back years ago, I have had to prove to other servers that I am me - the person they talked to, or emailed and had a conversation with - and sometimes people want to see proof that I am in control of or am the sysadmin of some domain or web server or something. So the kinds of things that I have done in the past are: putting an extra funny-looking record in the DNS which people can find if they go digging for it, while ordinary visitors will never see anything different as they won’t know to go looking; creating a file with a funny name on a web server in a certain place with a special ‘well-known’ name. Just seeing that the file now exists shows that I myself have the power to administer that web server. The first method is better because you can always use it as long as you have control over your own DNS and you do not have to be running a web server - you might well not be, it might be any kind of server, an email server or who knows what.

In Let’s Encrypt’s website I saw something about validating <something don’t know what or why> using something that sounds like the funny DNS record method. If it turns out that for some reason I need to do something here <what? Why?>, then DNS would make sense as there’s no issue about firewalls doing their job and preventing mysterious conversations from taking place, a conversation that perhaps is something that Letsencrypt desires, but I do not.
« Last Edit: July 26, 2019, 02:37:32 PM by Weaver »
Logged

d2d4j

  • Kitizen
  • ****
  • Posts: 1103

Hi weaver

I would consider that it is warning you the certs are not trusted or expired or both.

Usually though, these are self generated certs which are always untrusted

You should be able to always trust in your browser

I could be wrong entirely though as you’re not very clear, sorry.

Many thanks

John
Logged

burakkucat

  • Respected
  • Senior Kitizen
  • *
  • Posts: 38300
  • Over the Rainbow Bridge
    • The ELRepo Project

Like John I do not fully understand the problem but, as it started after you installed a software update to your FB2700, I will suggest that you either ask Firebrick Support (which will probably point you to your supplier) or Adrian Kennard as to "what's what" with that new software update.

(I know that with the current FB2900 there is something pre-configured to do something with the certificates and thingys.)
Logged
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.


j0hn

  • Kitizen
  • ****
  • Posts: 4098
« Last Edit: July 26, 2019, 05:44:24 PM by j0hn »
Logged
Talktalk FTTP 550/75 - Speedtest - BQM

hopkins35

  • Member
  • **
  • Posts: 36

When configured, the Firebrick hosts a couple of files on its internal web server for re-issuing of your Let’s Encrypt HTTPS certificate; the Let’s Encrypt service requires HTTP (80) access to your Brick to verify the presence of these files before it will issue you a new certificate, which the Brick will then automatically apply.

If your firewall rules prevent or restrict HTTP access to the Brick then the process will fail. Personally I allow all HTTP/S access to my Brick but lock down my user access by IP address to allow AAISP support access and because I normally access it locally or via my VPN.
Logged
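The port-80 file check hopkins35 describes and the "funny DNS record" method Weaver mentions are the two ACME validation methods from RFC 8555 (HTTP-01 and DNS-01). The Python below is an added example, not part of this thread and not Firebrick or Let's Encrypt code: it computes what the CA expects to find for each method from a challenge token and the ACME account key (the RFC 7638 JWK thumbprint), and runs a first-match check over a constructed firewall rule list to show why a LAN-only port-80 rule makes HTTP-01 renewal fail while DNS-01 needs no inbound port at all. The rule sets, addresses, token and account JWK are all constructed for the example; nothing here is a real key or a real Firebrick configuration.

```python
import base64
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME and JOSE use it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk(jwk: dict) -> str:
    """RFC 7638: only the required members, lexicographic order, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    subset = {k: jwk[k] for k in required[jwk["kty"]]}
    return json.dumps(subset, separators=(",", ":"), sort_keys=True)


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 of the canonical JWK, base64url encoded (43 characters)."""
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest())


def http01_key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 s8.1: body served at http://<host>/.well-known/acme-challenge/<token>."""
    return token + "." + jwk_thumbprint(account_jwk)


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """RFC 8555 s8.4: TXT record published at _acme-challenge.<domain>."""
    key_auth = http01_key_authorization(token, account_jwk)
    return b64url(hashlib.sha256(key_auth.encode("ascii")).digest())


def http01_response_valid(served_body: str, token: str, account_jwk: dict) -> bool:
    """The CA-side check: fetched body must equal the key authorization;
    trailing whitespace is tolerated as RFC 8555 s8.3 recommends."""
    return served_body.rstrip() == http01_key_authorization(token, account_jwk)


@dataclass
class Rule:
    action: str            # "allow" or "drop"
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None matches any destination port
    src: str               # "any" or a specific source label (constructed)


def firewall_permits(rules: List[Rule], proto: str, dport: int, src: str = "any") -> bool:
    """First-match evaluation with a default drop. src="any" means the caller's
    address is unknown (a CA validator), so only a rule open to any source counts."""
    for r in rules:
        if r.proto not in ("any", proto):
            continue
        if r.dport not in (None, dport):
            continue
        if r.src not in ("any", src):
            continue
        return r.action == "allow"
    return False


def preflight(challenge: str, rules: List[Rule]) -> Tuple[bool, str]:
    """Would this validation method get through the given rules?"""
    if challenge == "http-01":
        if firewall_permits(rules, "tcp", 80):
            return True, "inbound TCP/80 from any source reaches the web server"
        return False, "inbound TCP/80 is blocked; the CA cannot fetch the challenge file"
    if challenge == "dns-01":
        return True, "no inbound port needed; only the TXT record has to be published"
    raise ValueError("unknown challenge type: " + challenge)


# Constructed sample data; the modulus is a placeholder, not a real key.
SAMPLE_ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "constructed-placeholder-not-a-real-modulus",
    "alg": "RS256",  # optional member, deliberately excluded from the thumbprint
}

# Constructed rule sets, not a Firebrick configuration.
LOCKED_DOWN = [
    Rule("allow", "tcp", 443, "10.0.0.0/24"),   # admin HTTPS from LAN only
    Rule("allow", "tcp", 80, "10.0.0.0/24"),    # plain HTTP from LAN only
    Rule("drop", "any", None, "any"),
]
RENEWAL_FRIENDLY = [
    Rule("allow", "tcp", 80, "any"),            # challenge fetch from anywhere
    Rule("allow", "tcp", 443, "10.0.0.0/24"),   # admin login still LAN only
    Rule("drop", "any", None, "any"),
]

if __name__ == "__main__":
    token = "constructed-token-value"
    print("HTTP-01 body:", http01_key_authorization(token, SAMPLE_ACCOUNT_JWK))
    print("DNS-01 TXT  :", dns01_txt_value(token, SAMPLE_ACCOUNT_JWK))
    for name, rules in (("locked down", LOCKED_DOWN), ("renewal friendly", RENEWAL_FRIENDLY)):
        ok, why = preflight("http-01", rules)
        print(f"http-01 with {name} rules: {'ok' if ok else 'FAIL'} ({why})")
```

The point the rule sets make is the one in the thread: the CA's validator connects from an address you do not know in advance, so HTTP-01 only works if port 80 is open to any source, while the admin login on 443 can stay restricted to the LAN or a support address. DNS-01 sidesteps the inbound-port question entirely, at the cost of needing an API or manual step to publish the TXT record.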

andrew-AAISP

  • ISP Rep
  • Member
  • *
  • Posts: 41
    • aa.net.uk

Weaver, did you contact our support? If not, then do get in touch and we can figure it out with you.
Logged
A&A