View this report as an mbox folder.
email@example.com, golinux <firstname.lastname@example.org>:
devuan-www. Full text available.
Klaus Ethgen <Klaus@Ethgen.ch>:
Your message specified a Severity: in the pseudo-header, but the severity value important was not recognised. The default severity normal is being used instead. The recognised values are: critical, grave, normal, minor, wishlist.
Full text available.
Date: Mon, 3 Apr 2017 20:53:04 +0100 From: Klaus Ethgen <Klaus@Ethgen.ch> To: email@example.com Subject: Website not working when using TLSA -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Package: devuan-www Severity: important Since several months, the web page (www.devuan.org) is not viewable for those who care about security and trust only the certificate that the owner has access to instead of every untrusted CA. The way to do that is DNSSEC with TLSA and thankfully, devuan does support that. Unfortunately, since several months, (I believe, when devuan switched to that horrable Let's encrypt) the page doesn't match the TLSA record anymore. That leads to a unviewable page if one cares about security. So the TLSA record should be updated to match the SSL certificate of the page (or the right SSL certificate should be used). There are few solutions for this if it is really the switch to Let's encrypt that is the cause: - - Every time you replace the SSL certificate, update the TLSA record too. That is very painful as Let's encrypt drives security adabsurdum by replacing the certificate with every single new load. (Keep in mind, not everyone is checking the side every hour.) That is the most stupid (sorry) way. - - Get a certificate from a more stable source that is not replacing the certificates that often. You still need to change the TLSA record every time you replace the certificate. That is, in my opinion, the most reliable way. - - If you don't care about the fucked up CA stuff, just generate a self signed certificate and put the right stuff into TLSA record. This is the most honest way to go but realistically, as browser vendors seems to passively boycott DNSSEC, this is no way to go for a site like devuan. - - The last way would be to use the CA fingerprint instead of the one of the actual certificate. Or use the fingerprint of the key if you don't change it with every certificate renewal. This is making good face on a bad matter but it is working too. Regards Klaus - -- Klaus Ethgen http://www.ethgen.ch/ pub 4096R/4E20AF1C 2011-05-16 Klaus Ethgen <Klaus@Ethgen.ch> Fingerprint: 85D4 CA42 952C 949B 1753 62B3 79D0 B06F 4E20 AF1C -----BEGIN PGP SIGNATURE----- Comment: Charset: ISO-8859-1 iQGzBAEBCgAdFiEEMWF28vh4/UMJJLQEpnwKsYAZ9qwFAljiqBkACgkQpnwKsYAZ 9qxL3QwAnLn7R6wiJzo0NCIrYg4gsr3rEfFHczVn+LA6aduIUYMOsqlhe8pCLqkF ytVR9TZhuvVskK9diRYHQnuOBSc4+dKzdTbt5IYV2y2NQhJQbe0kSNx2lkwIF6Nt zycNTlTntuSjtF5UVflsQFTDoNqbQB86l/Dp3K96kiOwVVE7luhPhqX8oCM7C1n6 YQbXeGexrhVx/Y1nSR6MALWthZvumlJJFcC3MARJkgIwZ03r64xsgYYjDHEgKZs/ 9fxWir+JR+gTDHV5Y8lQRtEdShA37Sv/H5WNxhGjKB2jzuuhaKhNn9DeZEp3v7DY GeAXi8NC2fi0qwbKSUHq0xy2U8JgrEicPpTwSvRnjGzyfknmC6Sfz6LvtDTftbGx EYZzacTmch/vqIwv+qwaED9VHWLKP0w8IAHjcSLyDE8S4TGytv7qeAiHs3MbThkx 4WJBrbxBzFMUgSV8LurYlACw74S0XWQpXC/altjlLLNEWnb5+Nf4SJRsDIgtAkqY Y8+uLt68 =4Rvp -----END PGP SIGNATURE-----
firstname.lastname@example.org. Full text available.