Neal Gompa wrote:
> I'm not going to get into this too much, but suffice to say, it's not
> universally accessible as a CA.
I would very much be interested in those details though. I do not see
anybody being excluded from Let's Encrypt, not even countries under US
embargo (e.g., over 300000 sites in Iran are apparently using it
successfully).
> And using Let's Encrypt for private mirrors is sufficiently painful that I
> wouldn't recommend it.
Set up a subdomain like vpn.example.com, point it to the public IP, then
configure the VPN's internal DNS to resolve vpn.example.com to the
VPN-internal address instead, the /etc/hosts on the VPN server itself to
resolve it to 127.0.0.1, and the mirror server on port 443 (whereas port 80 is
reserved for certbot's built-in temporary (and world-readable) webserver with
the http-01 challenge) to accept connections only from the VPN and from
localhost and to use the Let's Encrypt certificate. Been there, done that
(not for a repository mirror though, my employer is small enough for that
not to be worthwhile). I assume that this approach should also work for a
physical LAN in lieu of the VPN.
> There have been attempts to fix things, but Panu doesn't feel
> qualified to review the changes. That doesn't mean someone else who
> would be willing to do so couldn't. But because of... reasons, as long
> as it's in the RPM codebase, it's unlikely someone else will be
> trusted enough to do those reviews.
I see. So splitting might be worthwhile then. Assuming someone will care
enough to actually maintain the code.
Kevin Kofler
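The split-horizon setup Kevin describes (public DNS to the public IP, VPN-internal DNS to the internal address, loopback on the server itself, mirror on 443 restricted to VPN and localhost, port 80 left free for certbot's standalone http-01 responder), written out as an added example. This is not code from the thread or from any of the projects mentioned; the VPN subnet 10.8.0.0/24, the internal address 10.8.0.1, nginx as the mirror webserver, dnsmasq as the VPN's internal resolver and /srv/mirror as the mirror tree are all hypothetical values chosen for the illustration.

```shell
#!/bin/sh
# Added example, not from the original thread. Hypothetical values:
#   MIRROR_HOST  public name that also resolves inside the VPN
#   VPN_NET      VPN client subnet allowed to reach the mirror
#   VPN_ADDR     the mirror server's VPN-internal address
#   ROOT         path prefix for every file written (empty = real system;
#                set to a temp dir to dry-run)
set -eu

MIRROR_HOST="${MIRROR_HOST:-vpn.example.com}"
VPN_NET="${VPN_NET:-10.8.0.0/24}"
VPN_ADDR="${VPN_ADDR:-10.8.0.1}"
ROOT="${ROOT:-}"

# 1. On the VPN server itself: resolve the name to loopback so local
#    clients (and certbot's own connectivity checks) never leave the box.
#    Idempotent: a second run does not duplicate the entry.
add_hosts_entry() {
    f="$ROOT/etc/hosts"
    mkdir -p "$(dirname "$f")"
    grep -qF "$MIRROR_HOST" "$f" 2>/dev/null \
        || printf '127.0.0.1 %s\n' "$MIRROR_HOST" >> "$f"
}

# 2. Inside the VPN: override the public A record so VPN clients get the
#    internal address. Public DNS is left untouched and still points at
#    the public IP, which is what the http-01 challenge needs.
write_internal_dns() {
    f="$ROOT/etc/dnsmasq.d/mirror.conf"
    mkdir -p "$(dirname "$f")"
    printf 'address=/%s/%s\n' "$MIRROR_HOST" "$VPN_ADDR" > "$f"
}

# 3. The mirror on 443 with the Let's Encrypt certificate, accepting only
#    VPN and loopback sources. Deliberately no "listen 80": that port is
#    reserved for certbot --standalone, which binds it only while a
#    challenge is being answered.
write_nginx_config() {
    f="$ROOT/etc/nginx/conf.d/mirror.conf"
    mkdir -p "$(dirname "$f")"
    cat > "$f" <<EOF
server {
    listen 443 ssl;
    server_name $MIRROR_HOST;

    ssl_certificate     /etc/letsencrypt/live/$MIRROR_HOST/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$MIRROR_HOST/privkey.pem;

    # Source-IP restriction: VPN clients and the server itself only.
    allow 127.0.0.1;
    allow $VPN_NET;
    deny  all;

    root /srv/mirror;
    autoindex on;
}
EOF
}

# 4. Issue (or renew) the certificate. The challenge request arrives from
#    Let's Encrypt's validators on the public IP, port 80, so the
#    firewall must admit that traffic from the Internet even though the
#    mirror itself is private.
issue_cert() {
    certbot certonly --standalone --preferred-challenges http -d "$MIRROR_HOST"
}

# Uncomment to apply on a real host (run as root):
# add_hosts_entry; write_internal_dns; write_nginx_config; issue_cert
```

Two caveats worth keeping in mind: nginx's allow/deny is a source-address check, so it is only as strong as the VPN's assurance that nobody outside it can originate packets from the VPN subnet; and because the certificate is public in Certificate Transparency logs, the hostname of the private mirror is public too, even though its contents are not.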