#Acme

2026-02-07

I've made Edwood understand Markdown. Toggles between rendered view and straight text, and supports direct editing in the markdown view, including **text** to bold, etc. Not perfect, but you have the escape hatch of looking at the text.
Certainly still buggy, but now my daily driver. Don't read the code, a machine wrote it and I've only lightly audited it.

Available at github.com/paul-lalonde/edwood

#plan9 #acme #edwood

A window of the Edwood acme clone with rich text support.  Shows an image of the Glenda bunny and some colored text and multi-sized text.
Doktor Overcomma :vepi:bobcromwell@dobbs.town
2026-02-07
Christian M. Grube 🐧Seraphyn@social.tchncs.de
2026-02-04

#traeffik @netcup #ACME companion

A lightweight Go application that automatically creates DNS records in Netcup when Docker containers with Traefik labels are started.

DNSSleep should be 600

#adminlife #opensource #netcup #dns
github.com/alex289/docker-trae

Sam at BLAGblag@typo.social
2026-02-03

Cal Callaghan’s ‘ACME and Web 2.0’ tells the story of how he salvaged and pieced together part of an Acme Beer ghost sign, including the sign painter’s signature.

callaghan.org/acme-web-2-0

Also check out these two Acme Beer labels in the online collections at @letterformarchive.

oa.letterformarchive.org/?dims

cc @ihazrabies

#Ghostsigns #Acme #Beer #SanFrancisco

Detail of weathered boards with hand-painted lettering on them. The upper most board has a small signature, "Ware", following the number 510 and a trade union insignia.
2026-02-03

Cloudflare fixes ACME Validation Bug allowing WAF Bypass to Origin Servers.

Cloudflare has addressed a security vulnerability impacting its Automatic Certificate Management Environment [ACME] validation logic that made it possible to bypass security controls and access origin servers.

⚠️"The vulnerability was rooted in how our edge network processed requests destined for the ACME HTTP-01 challenge path (/.well-known/acme-challenge/*)," the web infrastructure company's Hrushikesh Deshpande, Andrew Mitchell and Leland Garofalo said.⚠️

blog.cloudflare.com/acme-path-

#cloudflare #acme #path #vulnerability #it #security #privacy #engineer #media #infosec #tech #news

👾Kirill Firsov, founder and CEO of FearsOff, said the vulnerability could be exploited by a malicious user to obtain a deterministic, long‑lived token and access sensitive files on the origin server across all Cloudflare hosts, opening the door to reconnaissance.👾

<https://fearsoff.org/research/cloudflare-acme>

⁉️The vulnerability was addressed by Cloudflare on October 27, 2025, with a code change that serves the response and disables WAF features only when the request matches a valid ACME HTTP-01 challenge token for that hostname.⁉️[ImageSource: Shutterstock]

ACME is a communications protocol [RFC 8555] that facilitates automatic issuance, renewal, and revocation of SSL/TLS certificates. Every certificate provisioned to a website by a certificate authority [CA] is validated using challenges to prove domain ownership.

<https://www.rfc-editor.org/rfc/rfc8555>

👾This process is typically achieved using an ACME client like Certbot that proves domain ownership via an HTTP-01 [or DNS-01] challenge and manages the certificate lifecycle. The HTTP-01 challenge checks for a validation token and a key fingerprint located in the web server at "https://<YOUR_DOMAIN>/.well-known/acme-challenge/<TOKEN>" over HTTP port 80.👾

<https://letsencrypt.org/docs/client-options/>

<https://letsencrypt.org/docs/challenge-types/>

⁉️The CA's server makes an HTTP GET request to that exact URL to retrieve the file. Once the verification succeeds, the certificate is issued and the CA marks the ACME account [i.e., the registered entity on its server] as authorized to manage that specific domain.⁉️[ImageSource: Cloudflare]

In the event the challenge is used by a certificate order managed by Cloudflare, then Cloudflare will respond on the aforementioned path and provide the token provided by the CA to the caller. But if it does not correlate to a Cloudflare-managed order, the request is routed to the customer origin, which may be using a different system for domain validation.

👾In other words, the logic failed to verify whether the token in the request actually matched an active challenge for that specific hostname, effectively permitting an attacker to send arbitrary requests to the ACME path and circumvent WAF protections entirely, granting them the ability to reach the origin server.👾

"Previously, when Cloudflare was serving an HTTP-01 challenge token, if the path requested by the caller matched a token for an active challenge in our system, the logic serving an ACME challenge token would disable WAF features, since Cloudflare would be directly serving the response," the company explained.

⁉️"This is done because those features can interfere with the CA's ability to validate the token values and would cause failures with automated certificate orders and renewals. However, in the scenario that the token used was associated with a different zone and not directly managed by Cloudflare, the request would be allowed to proceed onto the customer origin without further processing by WAF rulesets."⁉️
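The fix the post describes, sketched as an added example (not Cloudflare's code): the pre-fix rule matched a challenge token against every zone and forwarded foreign-zone hits to the origin with WAF off, while the fixed rule serves and bypasses WAF only for the requesting hostname's own active token. Hostnames, tokens and the JWK values are constructed; the key authorization format is from RFC 8555.

```python
import base64
import hashlib
import json
import re

# Challenge path from RFC 8555 section 8.3; the token is base64url without padding.
ACME_PATH = re.compile(r"^/\.well-known/acme-challenge/([A-Za-z0-9_-]+)$")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required members."""
    members = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canon = json.dumps({k: jwk[k] for k in members}, separators=(",", ":"), sort_keys=True)
    return base64.urlsafe_b64encode(hashlib.sha256(canon.encode()).digest()).rstrip(b"=").decode()


def key_authorization(token: str, jwk: dict) -> str:
    """Body the CA expects at the challenge URL: token, '.', account-key thumbprint."""
    return f"{token}.{jwk_thumbprint(jwk)}"


# Constructed edge state: active HTTP-01 challenges per zone, keyed by token.
KEY_A = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
ACTIVE = {
    "a.example": {"token-of-zone-a": key_authorization("token-of-zone-a", KEY_A)},
    "b.example": {"token-of-zone-b": key_authorization("token-of-zone-b", KEY_A)},
}


def route_vulnerable(hostname: str, path: str, active=ACTIVE):
    """Pre-fix behaviour as the post describes it. Returns (action, waf_enabled, body)."""
    m = ACME_PATH.match(path)
    if not m:
        return ("origin", True, None)
    token = m.group(1)
    if token in active.get(hostname, {}):
        return ("serve", False, active[hostname][token])
    if any(token in zone for zone in active.values()):
        return ("origin", False, None)  # the bug: another zone's token disables WAF here
    return ("origin", True, None)


def route_fixed(hostname: str, path: str, active=ACTIVE):
    """Post-fix behaviour: WAF is bypassed only when this hostname owns the token."""
    m = ACME_PATH.match(path)
    if m and m.group(1) in active.get(hostname, {}):
        return ("serve", False, active[hostname][m.group(1)])
    return ("origin", True, None)
```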
Guillaume-Jean Herbietgjherbiet@mamot.fr
2026-02-03

Had a quick look at the community.crypto #Ansible collection documentation (ansible-collections.github.io/).
Interesting how this could be used to set up a small CA, or to handle the #ACME certificate lifecycle purely in #Ansible.

Mike Harrisonmeuon@fosstodon.org
2026-02-03

Linode/Akamai for Acme.sh compat DNS?
Need to use Let's Encrypt/acme.sh for a domain currently registered and DNS served by Squarespace, which does not have a useful API. Linode/Akamai does, and it's already a Linode server anyway. Never used Linode/Akamai for DNS hosting... Anyone going to scream a reason not to? And yes, considered running my own DNS server for this, but... Do enough of that elsewhere to not want to do more. #dns #acme #letsencrypt

2026-02-02

Every server managing its own certificates made sense when you had three servers. But with web farms, load balancers, and VPN appliances, you end up with rsync cron jobs distributing certs everywhere. CertBot doesn't scale. Especially at 47-day lifetimes.

certkit.io/blog/servers-should

#ACME #PKI

2026-01-27

For several years I used #vim. Then for several years I used #emacs. Then I was charmed by #9front ( #plan9 ) and used #acme. Then I wrote my own editor #red (reminiscent of #acme). Then I decided to see what was going on out in the world. Looked at #neovim. Looked at #helix.... Launched #emacs, installed helix-theme, and got stuck. Looks like there's no way out of this sect... :(

2026-01-25

TLS auto-renewal breaks too

Text in the feed: For many years the information security industry has tried to improve encryption standards on the web in two ways: mass adoption of HTTPS as the common encryption standard for all sites, even those that formally do not need protection (a great deal of time was spent convincing users of the importance of encrypting absolutely all communications); and shortening SSL/TLS certificate validity periods to push users to adopt automated procedures/scripts for certificate auto-renewal, eliminating the "human factor" and the forgetfulness of sysadmins who forget to replace certificates. But sometimes that is not enough. Unfortunately, automatic certificate renewal scripts can fail too.

habr.com/ru/companies/globalsi

#tls #сертификат #acme #letsencrypt #шифрование #certbot #acmesh #dns #bazel

2026-01-24
🤔 Why only Europe? I’m looking for the same kind of service anywhere other than Let’s Encrypt’s country.

Wildcard or not, for me. :boost:

#selfHosting #tls #acme #sysadmin #askFedi #help #blambers
Stefan 'stelb' Le Breton 🇪🇺🇺🇦💚stelb
2026-01-23

Not perfect, but it's working for me. And I did not find a working solution for the new Hetzner "Cloud API".
github.com/stelb/truenas_acme_

Stefan 'stelb' Le Breton 🇪🇺🇺🇦💚stelb
2026-01-23

Ok next system with proper certificates at home: TrueNAS :)
Hetzner DNS is not directly supported, but a shell script creates the needed challenge TXT records. Quick hack with the hcloud CLI, but it's working.

2026-01-20

With 47-day certificate lifetimes coming, you'll need to automate renewals. That usually means giving every system DNS credentials that can modify your entire zone.

CNAME delegation is better: point _acme-challenge to your cert provider once, they respond to challenges in their own zone. No credentials exposed, ever.

certkit.io/blog/delegated-dns-

#PKI #ACME

2026-01-20

🥳 Multiple major releases today

• @small-tech/auto-encrypt v5.0.0 (codeberg.org/small-tech/auto-e)
• @small-tech/auto-encrypt-localhost v10.0.0 (codeberg.org/small-tech/auto-e)
• @small-tech/https v6.0.0 (codeberg.org/small-tech/https/)

These releases bring short-lived certificates, IP Address (IPv4 and IPv6) support, and ACME Renewal Information (ARI) support to Auto Encrypt and @small-tech/https, implement a consistent asynchronous API across all three packages, and include loads of little fixes and code quality improvements.

This brings us very close to getting Web Numbers¹ support implemented natively in Kitten².

OCSP support is removed from Auto Encrypt and Windows support is dropped from all three packages as Microsoft is complicit in Israel’s genocide of the Palestinian people³ and Small Technology Foundation⁴ stands in solidarity with the Boycott, Divestment, and Sanctions (BDS) movement. Furthermore, Windows is an ad-infested and surveillance-ridden dumpster fire of an operating system and, alongside supporting genocide, you are putting both yourself and others at risk by using it.

Enjoy!

💕

🇵🇸 To support families facing genocide in Gaza, consider donating to them via Gaza Verified: gaza-verified.org/donate/

¹ ar.al/2025/06/25/web-numbers/
² kitten.small-web.org/
³ bdsmovement.net/microsoft
⁴ small-tech.org/

#SmallWeb #SmallTech #AutoEncrypt #AutoEncryptLocalhost #https #TLS #NodeJS #web #dev #ACME #LetsEncrypt #WebNumbers #Kitten #BDS #Palestine #Gaza #FreePalestine

PressMind Labspressmind
2026-01-20

Cloudflare patches an ACME bug: has bypassing the WAF become possible?

Can a short, boring path to certificates become a detour around the entire firewall? It turns out it can, if the logic at the network edge takes the wrong exit.

Read more:
pressmind.org/cloudflare-lata-

Illustration showing a firewall with a neon trail leading to it.
:rss: Qiita - 人気の記事qiita@rss-mstdn.studiofreesia.com
2026-01-19
2026-01-18

"Short-lived and IP address certificates are now generally available from #letsencrypt These certificates are valid for 160 hours, just over six days. In order to get a short-lived certificate subscribers simply need to select the ‘shortlived’ certificate profile in their #ACME client."

"IP address certificates allow server operators to authenticate TLS connections to IP addresses rather than domain names.
...

IP address certificates must be short-lived certificates"

#tls #certificates

letsencrypt.org/2026/01/15/6da

Larvitz :fedora: :redhat:Larvitz@burningboard.net
2026-01-17

What a project. Did configure StepCA in my home-lab with a real physical HSM for the CA's private key. Using a SmartcardHSM (smartcard-hsm.com) from CardContact Systems.

Now I have acme (automated cert provisioning) working internally as long as the HSM is plugged into my server.

All running in an isolated FreeBSD 15-RELEASE jail (StepCA compiled from source with added PCSC-Lite support and usb device passed through by devfs rules).

Yay! It works!

#freebsd #stepca #devops #acme #certificates #tls #smartcard #hsm

2026-01-17

This is the kind of troubleshooting I'm not completely fond of - is the software lying? Did I miss any other option that would match cfweb.acme.profile? Is "renewal" a completely different code path that forgot about this option? #traefik #acme #troubleshooting

Screenshot of error messages:

docker compose logs:
traefik  | 2026-01-17T12:45:05Z ERR github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:943 > Error renewing certificate from LE: {ip.was.here} error="acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rejectedIdentifier :: Error creating new order :: Profile \"\" does not permit ip type identifiers" acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=cfweb.acme
traefik  | 2026-01-17T12:45:06Z ERR github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:943 > Error renewing certificate from LE: {ip.was.here} error="acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rejectedIdentifier :: Error creating new order :: Profile \"\" does not permit ip type identifiers" acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=cfweb.acme
docker-compose.yml:
      - "--certificatesresolvers.cfweb.acme.profile=shortlived"

Client Info

Server: https://mastodon.social