SSL between a proxy and its target
-
@scottalanmiller said in SSL between a proxy and its target:
Never had to do that. Seems like a script to pull it from time to time might be enough, though?
Set up a passwordless scp of the /etc/letsencrypt (or /etc/certbot?) folder from the proxy to the internal machine?
-
That was my thought also, but wanted to ask for opinions.
-
@dafyre said in SSL between a proxy and its target:
@scottalanmiller said in SSL between a proxy and its target:
Never had to do that. Seems like a script to pull it from time to time might be enough, though?
Set up a passwordless scp of the /etc/letsencrypt (or /etc/certbot?) folder from the proxy to the internal machine?
Any security risk to this? I don't know anything about it - I just see passwordless and have to ask.
-
@Dashrender said in SSL between a proxy and its target:
Any security risk to this? I don't know anything about it - I just see passwordless and have to ask.
Far more secure than passwords. It's a key rather than a password. Think of it as a 256-character password.
-
@Dashrender said in SSL between a proxy and its target:
@dafyre said in SSL between a proxy and its target:
@scottalanmiller said in SSL between a proxy and its target:
Never had to do that. Seems like a script to pull it from time to time might be enough, though?
Set up a passwordless scp of the /etc/letsencrypt (or /etc/certbot?) folder from the proxy to the internal machine?
Any security risk to this? I don't know anything about it - I just see passwordless and have to ask.
It's industry standard public/private key encryption, so shouldn't be an issue.
You should go read up on SQRL. In my not so humble opinion, passwords have long outlived the point where they are a useful security mechanism.
-
@dafyre said in SSL between a proxy and its target:
@scottalanmiller said in SSL between a proxy and its target:
Never had to do that. Seems like a script to pull it from time to time might be enough, though?
Set up a passwordless scp of the /etc/letsencrypt (or /etc/certbot?) folder from the proxy to the internal machine?
How often would you want to pull something like this? daily?
-
@wirestyle22 said in SSL between a proxy and its target:
@dafyre said in SSL between a proxy and its target:
@scottalanmiller said in SSL between a proxy and its target:
Never had to do that. Seems like a script to pull it from time to time might be enough, though?
Set up a passwordless scp of the /etc/letsencrypt (or /etc/certbot?) folder from the proxy to the internal machine?
How often would you want to pull something like this? daily?
I would. Make it fire and forget.
-
@wirestyle22 said in SSL between a proxy and its target:
@dafyre said in SSL between a proxy and its target:
@scottalanmiller said in SSL between a proxy and its target:
Never had to do that. Seems like a script to pull it from time to time might be enough, though?
Set up a passwordless scp of the /etc/letsencrypt (or /etc/certbot?) folder from the proxy to the internal machine?
How often would you want to pull something like this? daily?
I'd add it to the script I use to update the letsencrypt certs, so it all happens at the same time.
-
@scottalanmiller said in SSL between a proxy and its target:
@Dashrender said in SSL between a proxy and its target:
Any security risk to this? I don't know anything about it - I just see passwordless and have to ask.
Far more secure than passwords. It's a key rather than a password. Think of it as a 256-character password.
awww OK key.. got it.. thanks.
-
@travisdh1 said in SSL between a proxy and its target:
@Dashrender said in SSL between a proxy and its target:
@dafyre said in SSL between a proxy and its target:
@scottalanmiller said in SSL between a proxy and its target:
Never had to do that. Seems like a script to pull it from time to time might be enough, though?
Set up a passwordless scp of the /etc/letsencrypt (or /etc/certbot?) folder from the proxy to the internal machine?
Any security risk to this? I don't know anything about it - I just see passwordless and have to ask.
It's industry standard public/private key encryption, so shouldn't be an issue.
You should go read up on SQRL. In my not so humble opinion, passwords have long outlived the point where they are a useful security mechanism.
I'm fully aware of SQRL - I asked Scott on Day one of ML if he would support it when it became available, sadly it's still not released to the wild.
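The key-based scp pull discussed in this thread, sketched as an added example that is not from any participant: it runs on the internal machine, fetches the certificate files from the proxy, and replaces the local copy only when a complete, changed set arrives. The host, account, domain, key path and destination are placeholder assumptions, and the `live/<domain>/fullchain.pem` and `privkey.pem` paths assume certbot's default layout under /etc/letsencrypt.

```shell
#!/bin/sh
# Added example. PROXY, DOMAIN, KEY and DEST are placeholder assumptions.
PROXY="${PROXY:-certpull@proxy.example.internal}"
DOMAIN="${DOMAIN:-www.example.com}"
KEY="${KEY:-/root/.ssh/certpull_ed25519}"
DEST="${DEST:-/etc/ssl/proxied}"

# Fetch into a private staging directory. BatchMode makes scp fail outright
# instead of falling back to a password prompt if the key is rejected.
pull_certs() {
    stage="$1"
    for f in fullchain.pem privkey.pem; do
        scp -q -i "$KEY" -o BatchMode=yes -o IdentitiesOnly=yes \
            "$PROXY:/etc/letsencrypt/live/$DOMAIN/$f" "$stage/$f" || return 1
    done
}

# Print one digest covering both files (prints nothing if either is missing/empty).
digest() {
    [ -s "$1/fullchain.pem" ] && [ -s "$1/privkey.pem" ] || return 0
    cat "$1/fullchain.pem" "$1/privkey.pem" | sha256sum | cut -d' ' -f1
}

# Install staged files only if complete and different from the current copy.
# Returns 0 = installed, 1 = unchanged, 2 = staged copy incomplete.
install_if_changed() {
    stage="$1"; dest="$2"
    new=$(digest "$stage"); [ -n "$new" ] || return 2
    [ "$new" = "$(digest "$dest")" ] && return 1
    mkdir -p "$dest"
    for f in fullchain.pem privkey.pem; do
        ( umask 077; cp "$stage/$f" "$dest/.$f.tmp" ) || return 2
        mv "$dest/.$f.tmp" "$dest/$f"   # rename is atomic within one filesystem
    done
}

# Do the pull only when invoked with --run (for example from a daily cron job).
if [ "${1:-}" = "--run" ]; then
    stage=$(mktemp -d) || exit 1
    trap 'rm -rf "$stage"' EXIT
    pull_certs "$stage" || { echo "pull failed" >&2; exit 1; }
    install_if_changed "$stage" "$DEST"
    case $? in
        0) echo "certificate updated; reload the web service" ;;
        1) : ;;
        *) echo "incomplete pull, keeping old files" >&2; exit 1 ;;
    esac
fi
```

Because the pull key has no passphrase, the matching `authorized_keys` entry on the proxy can be narrowed with OpenSSH's `from="..."` and `restrict` options so the key is only usable from the internal machine and cannot open a terminal or forward ports.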