Signal feed
Post
Remote status
Context
5@navi per RFC 2595 it needs to be vlhl.dev: "The client MUST use the server hostname it used to open the connection as the value to compare against the server name as expressed in the server certificate. The client MUST NOT use any form of the server hostname derived from an insecure remote source (e.g., insecure DNS lookup)."
RFC 7817 elaborates on this significantly but is afaik not implemented (its requirements for CAs conflict with CA/B Forum rules, for one), by my reading it would require clients to allow TLS certificates that match the domain part of the user's address and optionally also certs matching the user-entered mail server domain
@navi the safest option is to just request a single cert for both, probably.
@navi if you do a dns challenge why would it be a problem
Replies
5@navi you can totally selfhost dns, if you do that you'll want https://certbot-dns-rfc2136.readthedocs.io/en/stable/ for certbot integration. it's just that it's so cheap to run that it almost always makes sense to pay someone else <$1/month to host it with georeplication
@navi instead of hosting DNS outright yourself you can also run https://github.com/acme-dns/acme-dns which is a minimal nameserver specifically designed for ACME challenges (via CNAME)
@navi if you do want to host dns yourself tl;dr: install bind9, look at the quickstart configurations in https://bind9.readthedocs.io/en/stable/chapter3.html#configuration, on your registrar's settings set the nameserver(s) to the server(s) running bind9. note that the nameserver you set has to itself be a domain name and not an IP address, if you want it to be a subdomain you can make a special kind of record called a "glue record" that's served directly by the registrar and not the normal nameserver. namecheap calls this option a "Personal DNS Server" under "Advanced DNS" settings
We can't find the internet
Attempting to reconnect
Something went wrong!
Attempting to reconnect
