SSL between a proxy and its target

dafyre

@scottalanmiller said in SSL between a proxy and its target:

Never had to do that. Seems like a script to pull it from time to time might be enough, though?

Set up a passwordless scp of the /etc/letsencrypt (or /etc/certbot?) folder from the proxy to the internal machine?

JaredBusch

That was my thought also, but wanted to ask for opinions.

Dashrender

@dafyre said in SSL between a proxy and its target:

@scottalanmiller said in SSL between a proxy and its target:

Never had to do that. Seems like a script to pull it from time to time might be enough, though?

Set up a passwordless scp of the /etc/letsencrypt (or /etc/certbot?) folder from the proxy to the internal machine?

Any security risk to this? I don't know anything about it - I just see passwordless and have to ask.

scottalanmiller

@Dashrender said in SSL between a proxy and its target:

Any security risk to this? I don't know anything about it - I just see passwordless and have to ask.

Far more secure than passwords. It's key rather than password. Think of it as 256 character password.

travisdh1

@Dashrender said in SSL between a proxy and its target:

@dafyre said in SSL between a proxy and its target:

@scottalanmiller said in SSL between a proxy and its target:

Never had to do that. Seems like a script to pull it from time to time might be enough, though?

Set up a passwordless scp of the /etc/letsencrypt (or /etc/certbot?) folder from the proxy to the internal machine?

Any security risk to this? I don't know anything about it - I just see passwordless and have to ask.

It's industry standard public/private key encryption, so shouldn't be an issue.

You should go read up on SQRL. In my not so humble opinion, passwords have long outlived the point where they are a useful security mechanism.

wirestyle22

@dafyre said in SSL between a proxy and its target:

@scottalanmiller said in SSL between a proxy and its target:

Never had to do that. Seems like a script to pull it from time to time might be enough, though?

Set up a passwordless scp of the /etc/letsencrypt (or /etc/certbot?) folder from the proxy to the internal machine?

How often would you want to pull something like this? daily?

dafyre

@wirestyle22 said in SSL between a proxy and its target:

@dafyre said in SSL between a proxy and its target:

@scottalanmiller said in SSL between a proxy and its target:

Never had to do that. Seems like a script to pull it from time to time might be enough, though?

Set up a passwordless scp of the /etc/letsencrypt (or /etc/certbot?) folder from the proxy to the internal machine?

How often would you want to pull something like this? daily?

I would. Make it fire and forget.

travisdh1

@wirestyle22 said in SSL between a proxy and its target:

@dafyre said in SSL between a proxy and its target:

@scottalanmiller said in SSL between a proxy and its target:

Never had to do that. Seems like a script to pull it from time to time might be enough, though?

Set up a passwordless scp of the /etc/letsencrypt (or /etc/certbot?) folder from the proxy to the internal machine?

How often would you want to pull something like this? daily?

I'd add it to the script I use to update the letsencrypt certs, so it all happens at the same time.

Dashrender

@scottalanmiller said in SSL between a proxy and its target:

@Dashrender said in SSL between a proxy and its target:

Any security risk to this? I don't know anything about it - I just see passwordless and have to ask.

Far more secure than passwords. It's key rather than password. Think of it as 256 character password.

awww OK key.. got it.. thanks.

Dashrender

@travisdh1 said in SSL between a proxy and its target:

@Dashrender said in SSL between a proxy and its target:

@dafyre said in SSL between a proxy and its target:

@scottalanmiller said in SSL between a proxy and its target:

Never had to do that. Seems like a script to pull it from time to time might be enough, though?

Set up a passwordless scp of the /etc/letsencrypt (or /etc/certbot?) folder from the proxy to the internal machine?

Any security risk to this? I don't know anything about it - I just see passwordless and have to ask.

It's industry standard public/private key encryption, so shouldn't be an issue.

You should go read up on SQRL. In my not so humble opinion, passwords have long outlived the point where they are a useful security mechanism.

I'm fully aware of SQRL - I asked Scott on Day one of ML if he would support it when it became available, sadly it's still not released to the wild