From: Mark Wooding Date: Wed, 27 Jan 2016 14:04:30 +0000 (+0000) Subject: Use a public key for the main webserver's TLSA record. X-Git-Url: https://git.distorted.org.uk/~mdw/zones/commitdiff_plain/84bfdc6249b8640f3284b125428cd141fb4c316a Use a public key for the main webserver's TLSA record. We're changing CA to LetsEncrypt, so the old certificate won't work any more. The LetsEncrypt certificate will change quite frequently, but the public key is unchanged, so pin that in the TLSA record. --- diff --git a/certs/http-server-www#1.cert b/certs/http-server-www#1.cert deleted file mode 100644 index 29a6326..0000000 --- a/certs/http-server-www#1.cert +++ /dev/null 
@@ -1,130 +0,0 @@ -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 1387014 (0x152a06) - Signature Algorithm: sha256WithRSAEncryption - Issuer: C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 1 Primary Intermediate Server CA - Validity - Not Before: Dec 20 04:07:45 2014 GMT - Not After : Dec 21 00:30:39 2015 GMT - Subject: C=GB, CN=www.distorted.org.uk/emailAddress=webmaster@distorted.org.uk - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - Public-Key: (3072 bit) - Modulus: - 00:9f:62:f3:4c:fa:9a:4c:62:c8:31:c3:54:6f:b5: - 7b:9e:cc:9c:e0:d8:fd:4e:b6:6c:97:d0:28:c4:1e: - 09:07:07:e2:85:42:ad:d5:49:2d:94:06:55:9e:99: - 0c:c8:f7:0b:6a:72:ad:5d:2c:66:cc:df:84:ea:88: - 46:43:a9:39:42:d7:d4:09:3f:1b:26:39:c6:69:71: - ae:f2:02:98:db:79:13:b4:d3:26:60:8b:c5:eb:fb: - c7:51:84:3a:64:0b:e3:02:e9:13:8e:fa:a6:b7:cb: - 66:49:55:9e:e3:cb:9a:a4:ed:0c:3a:4b:c1:e0:de: - e8:03:29:88:8d:b6:43:bd:c5:e6:a0:c6:04:78:1d: - 6f:65:48:8f:7d:13:e9:3e:ae:b2:03:df:43:57:19: - f9:8f:85:15:dc:4f:78:3b:65:5b:90:46:28:5f:32: - 4c:5b:8c:29:69:73:ba:fc:00:25:5c:2b:7a:2d:26: - d1:ad:7b:28:07:21:db:27:ea:b3:81:7b:25:a5:e4: - cc:ec:d6:85:88:63:c3:29:7e:10:e6:3c:cb:2a:1d: - 77:72:c0:bb:34:b8:c9:62:3e:bf:d8:f5:e6:d8:d5: - 73:df:5b:1e:90:f4:aa:51:d0:7f:f3:16:03:43:31: - d5:4b:1e:91:1e:92:0f:e9:dc:95:36:9a:0e:80:60: - d3:98:c7:62:fb:af:76:87:e7:9b:0f:7e:1d:be:dc: - 22:1a:46:ff:b7:5b:39:01:79:cd:3a:ef:25:16:3c: - 86:6a:e1:1e:f4:e8:cb:0b:ff:cd:4c:66:dc:36:50: - 77:9d:1a:35:77:5a:85:89:b0:ea:fb:43:0f:7f:19: - 7f:d8:dd:6a:cd:a3:c3:85:12:3e:e3:39:5b:89:ec: - fc:78:df:39:2e:ae:94:7e:1a:ac:62:0c:dc:5a:fc: - 09:b6:9f:82:4d:2c:ad:f3:2b:68:44:22:da:42:ca: - 85:d6:9c:46:e5:37:cc:7d:65:c5:62:e3:d8:e5:58: - 28:01:18:1b:27:40:d6:d5:dd:e5 - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Basic Constraints: - CA:FALSE - X509v3 Key Usage: - Digital Signature, Key Encipherment, Key Agreement - X509v3 Extended Key Usage: - TLS Web Server Authentication - X509v3 
Subject Key Identifier: - A9:DF:AD:DC:D2:3B:DD:6A:E6:AF:CC:B1:28:60:3A:5F:5E:29:D0:85 - X509v3 Authority Key Identifier: - keyid:EB:42:34:D0:98:B0:AB:9F:F4:1B:6B:08:F7:CC:64:2E:EF:0E:2C:45 - - X509v3 Subject Alternative Name: - DNS:www.distorted.org.uk, DNS:distorted.org.uk - X509v3 Certificate Policies: - Policy: 2.23.140.1.2.1 - Policy: 1.3.6.1.4.1.23223.1.2.3 - CPS: http://www.startssl.com/policy.pdf - User Notice: - Organization: StartCom Certification Authority - Number: 1 - Explicit Text: This certificate was issued according to the Class 1 Validation requirements of the StartCom CA policy, reliance only for the intended purpose in compliance of the relying party obligations. - - X509v3 CRL Distribution Points: - - Full Name: - URI:http://crl.startssl.com/crt1-crl.crl - - Authority Information Access: - OCSP - URI:http://ocsp.startssl.com/sub/class1/server/ca - CA Issuers - URI:http://aia.startssl.com/certs/sub.class1.server.ca.crt - - X509v3 Issuer Alternative Name: - URI:http://www.startssl.com/ - Signature Algorithm: sha256WithRSAEncryption - a7:cc:45:92:89:84:06:e0:39:20:4e:37:58:f2:02:e3:6c:c9: - 43:c6:d9:06:68:ea:fe:40:e3:d8:b3:a2:3c:63:8a:03:86:76: - 83:83:38:2b:ea:9d:14:f9:2a:89:8d:0c:31:d4:83:f5:ac:5c: - fc:fc:2b:ac:f7:a8:7c:2f:b9:1b:2d:7d:8d:dd:ea:45:89:d5: - 3a:24:f1:9b:1e:9c:ef:25:4c:6c:77:37:4f:48:d3:79:1c:fe: - ef:a5:29:8c:3e:f1:42:be:83:50:6a:73:c2:46:4e:5c:a7:5a: - fc:0f:73:1e:c8:fd:e6:a9:45:5a:61:d4:5b:35:06:6a:60:b3: - 79:77:e3:8a:bd:12:d7:47:cd:cc:7d:2f:f2:cc:9c:c5:fe:97: - 98:72:6f:1a:c1:9e:5e:57:99:a6:93:b0:9a:bd:4c:f6:14:e3: - c7:16:9a:28:2b:b2:36:5e:b7:1c:8e:d3:bf:97:ed:07:11:1d: - 6d:d4:51:e4:90:e1:18:b2:7a:15:d5:ec:bf:1b:b5:3c:8d:a5: - 69:28:da:cb:47:a9:68:be:eb:0e:3b:58:49:c1:9d:5c:8d:c6: - c6:e1:2a:28:c1:f0:66:e9:c4:e9:7f:50:3e:f3:d8:ad:47:39: - cf:f9:65:ee:d8:e4:61:b2:48:db:c0:92:1b:bb:1d:55:6d:c4: - 5d:52:7c:0c ------BEGIN CERTIFICATE----- -MIIGzjCCBbagAwIBAgIDFSoGMA0GCSqGSIb3DQEBCwUAMIGMMQswCQYDVQQGEwJJ 
-TDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0 -YWwgQ2VydGlmaWNhdGUgU2lnbmluZzE4MDYGA1UEAxMvU3RhcnRDb20gQ2xhc3Mg -MSBQcmltYXJ5IEludGVybWVkaWF0ZSBTZXJ2ZXIgQ0EwHhcNMTQxMjIwMDQwNzQ1 -WhcNMTUxMjIxMDAzMDM5WjBXMQswCQYDVQQGEwJHQjEdMBsGA1UEAxMUd3d3LmRp -c3RvcnRlZC5vcmcudWsxKTAnBgkqhkiG9w0BCQEWGndlYm1hc3RlckBkaXN0b3J0 -ZWQub3JnLnVrMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAn2LzTPqa -TGLIMcNUb7V7nsyc4Nj9TrZsl9AoxB4JBwfihUKt1UktlAZVnpkMyPcLanKtXSxm -zN+E6ohGQ6k5QtfUCT8bJjnGaXGu8gKY23kTtNMmYIvF6/vHUYQ6ZAvjAukTjvqm -t8tmSVWe48uapO0MOkvB4N7oAymIjbZDvcXmoMYEeB1vZUiPfRPpPq6yA99DVxn5 -j4UV3E94O2VbkEYoXzJMW4wpaXO6/AAlXCt6LSbRrXsoByHbJ+qzgXslpeTM7NaF -iGPDKX4Q5jzLKh13csC7NLjJYj6/2PXm2NVz31sekPSqUdB/8xYDQzHVSx6RHpIP -6dyVNpoOgGDTmMdi+692h+ebD34dvtwiGkb/t1s5AXnNOu8lFjyGauEe9OjLC//N -TGbcNlB3nRo1d1qFibDq+0MPfxl/2N1qzaPDhRI+4zlbiez8eN85Lq6UfhqsYgzc -WvwJtp+CTSyt8ytoRCLaQsqF1pxG5TfMfWXFYuPY5VgoARgbJ0DW1d3lAgMBAAGj -ggLrMIIC5zAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDATBgNVHSUEDDAKBggrBgEF -BQcDATAdBgNVHQ4EFgQUqd+t3NI73Wrmr8yxKGA6X14p0IUwHwYDVR0jBBgwFoAU -60I00Jiwq5/0G2sI98xkLu8OLEUwMQYDVR0RBCowKIIUd3d3LmRpc3RvcnRlZC5v -cmcudWuCEGRpc3RvcnRlZC5vcmcudWswggFWBgNVHSAEggFNMIIBSTAIBgZngQwB -AgEwggE7BgsrBgEEAYG1NwECAzCCASowLgYIKwYBBQUHAgEWImh0dHA6Ly93d3cu -c3RhcnRzc2wuY29tL3BvbGljeS5wZGYwgfcGCCsGAQUFBwICMIHqMCcWIFN0YXJ0 -Q29tIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MAMCAQEagb5UaGlzIGNlcnRpZmlj -YXRlIHdhcyBpc3N1ZWQgYWNjb3JkaW5nIHRvIHRoZSBDbGFzcyAxIFZhbGlkYXRp -b24gcmVxdWlyZW1lbnRzIG9mIHRoZSBTdGFydENvbSBDQSBwb2xpY3ksIHJlbGlh -bmNlIG9ubHkgZm9yIHRoZSBpbnRlbmRlZCBwdXJwb3NlIGluIGNvbXBsaWFuY2Ug -b2YgdGhlIHJlbHlpbmcgcGFydHkgb2JsaWdhdGlvbnMuMDUGA1UdHwQuMCwwKqAo -oCaGJGh0dHA6Ly9jcmwuc3RhcnRzc2wuY29tL2NydDEtY3JsLmNybDCBjgYIKwYB -BQUHAQEEgYEwfzA5BggrBgEFBQcwAYYtaHR0cDovL29jc3Auc3RhcnRzc2wuY29t -L3N1Yi9jbGFzczEvc2VydmVyL2NhMEIGCCsGAQUFBzAChjZodHRwOi8vYWlhLnN0 -YXJ0c3NsLmNvbS9jZXJ0cy9zdWIuY2xhc3MxLnNlcnZlci5jYS5jcnQwIwYDVR0S -BBwwGoYYaHR0cDovL3d3dy5zdGFydHNzbC5jb20vMA0GCSqGSIb3DQEBCwUAA4IB 
-AQCnzEWSiYQG4DkgTjdY8gLjbMlDxtkGaOr+QOPYs6I8Y4oDhnaDgzgr6p0U+SqJ -jQwx1IP1rFz8/Cus96h8L7kbLX2N3epFidU6JPGbHpzvJUxsdzdPSNN5HP7vpSmM -PvFCvoNQanPCRk5cp1r8D3MeyP3mqUVaYdRbNQZqYLN5d+OKvRLXR83MfS/yzJzF -/peYcm8awZ5eV5mmk7CavUz2FOPHFpooK7I2XrccjtO/l+0HER1t1FHkkOEYsnoV -1ey/G7U8jaVpKNrLR6lovusOO1hJwZ1cjcbG4SoowfBm6cTpf1A+89itRznP+WXu -2ORhskjbwJIbux1VbcRdUnwM ------END CERTIFICATE----- diff --git a/distorted.lisp b/distorted.lisp index 0277696..da00125 100644 --- a/distorted.lisp +++ b/distorted.lisp @@ -148,7 +148,7 @@ ((git www mail) (colo :svc stratocaster.colo :sshfp "stratocaster") (jump :svc stratocaster.jump :sshfp "stratocaster")) ((www @) :tlsa (:https (:service-certificate-constraint - :certificate :sha-256 #p"http-server-www#1"))) + :public-key :sha-256 #p"https-stratocaster"))) ((git mail) :tlsa (:https #1=(:trust-anchor-assertion :certificate :sha-256 #p"distorted-ca"))) (www-cache :tlsa (3127 #1#)) diff --git a/keys/https-stratocaster.pub b/keys/https-stratocaster.pub new file mode 100644 index 0000000..4bf1c97 --- /dev/null +++ b/keys/https-stratocaster.pub @@ -0,0 +1,11 @@ +-----BEGIN PUBLIC KEY----- +MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAn2LzTPqaTGLIMcNUb7V7 +nsyc4Nj9TrZsl9AoxB4JBwfihUKt1UktlAZVnpkMyPcLanKtXSxmzN+E6ohGQ6k5 +QtfUCT8bJjnGaXGu8gKY23kTtNMmYIvF6/vHUYQ6ZAvjAukTjvqmt8tmSVWe48ua +pO0MOkvB4N7oAymIjbZDvcXmoMYEeB1vZUiPfRPpPq6yA99DVxn5j4UV3E94O2Vb +kEYoXzJMW4wpaXO6/AAlXCt6LSbRrXsoByHbJ+qzgXslpeTM7NaFiGPDKX4Q5jzL +Kh13csC7NLjJYj6/2PXm2NVz31sekPSqUdB/8xYDQzHVSx6RHpIP6dyVNpoOgGDT +mMdi+692h+ebD34dvtwiGkb/t1s5AXnNOu8lFjyGauEe9OjLC//NTGbcNlB3nRo1 +d1qFibDq+0MPfxl/2N1qzaPDhRI+4zlbiez8eN85Lq6UfhqsYgzcWvwJtp+CTSyt +8ytoRCLaQsqF1pxG5TfMfWXFYuPY5VgoARgbJ0DW1d3lAgMBAAE= +-----END PUBLIC KEY-----
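Review bot: The deleted certificate in certs/http-server-www#1.cert carries "Not After : Dec 21 00:30:39 2015", more than a month before this commit's date, so the old `:certificate :sha-256` record was pinning an already-expired certificate; worth adding an expiry check to whatever tooling publishes these records. The SPKI inside the deleted certificate (the base64 starting `MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAn2LzTPqa`) is byte-for-byte the content of the new keys/https-stratocaster.pub, which confirms the commit message's claim that the public key is unchanged across the CA switch.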
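Review bot: In the distorted.lisp hunk the usage stays `:service-certificate-constraint` (DANE usage 1, PKIX-EE), so validating clients must still build a trusted PKIX chain to the new issuer; only the selector moves from `:certificate` to `:public-key` (selector 1) with `:sha-256` matching. Because the new record matches the SPKI and the old and new certificates share that key, the zone change and the server-side certificate swap can happen in either order without a window in which the record fails to match. A future key change will not be that forgiving and needs the usual rollover (publish the new record next to the old, wait out the TTL, then switch keys); a short comment next to the `(www @)` entry saying so would help the next editor.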
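Review bot: The new keys/https-stratocaster.pub is the 3072-bit RSA key from the 2014 StartCom certificate ("Public-Key: (3072 bit)" in the deleted file), reused unchanged. The pin is only as stable as the renewal process: if the Let's Encrypt client ever generates a fresh key on renewal, every renewed certificate will fail DANE validation until this file and the record are updated. Consider recording that constraint (reuse the existing private key on renewal) in the repository alongside this key, since nothing in the diff documents it.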