
Working with Let's Encrypt's Certbot for a Lisp Webserver - miles
https://lispblog.xach.com/post/189499356038/working-with-letsencrypts-certbot-for-a-lisp
======
tialaramex
This seems like a very complicated way to solve half the problem?

The same fraction of the problem can be solved more tidily by noticing that
ACME (RFC 8555) is specifically designed so that the web server can be told
one fact and use that to answer all challenge requests correctly for your
Let's Encrypt account affirmatively. This is safe because it's your account,
and so it's just up to you not to request certificates you'd be entitled to
but don't want -- nobody else needs to help you do that. The fact you need to
configure is the URL-compatible Base 64 encoding of your account key
thumbprint. The correct answer to any HTTP challenge against
/.well-known/acme-challenge/$token is an HTTP 200 OK with body $token.$thumbprint

So you only need to configure $thumbprint which is at worst a small privacy
leak (it reveals you use Let's Encrypt's HTTP challenges or you are prepared
to do so, and this thumbprint is unique so if you use the same account in
multiple places this ties them together) but no grave security consequences to
reveal it to the world.
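
The scheme described in this comment, as an added worked example (not code from the blog post, from Certbot, or from the commenter): the account-key thumbprint is computed per RFC 7638 from the public JWK of the account key, and a small handler answers every /.well-known/acme-challenge/$token request with $token.$thumbprint. The JWK values are a constructed placeholder, not a real key; the token, host and port are assumptions too. For a real account key, the public JWK can be fed to jwk_thumbprint unchanged, and RFC 7638 section 3.1 publishes a thumbprint test vector to cross-check the canonicalisation against.

```python
import base64
import hashlib
import json
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for the PUBLIC half of an ACME account key (the values
# are placeholders, not a real modulus). Only the public JWK is needed to
# derive the thumbprint; the private key never has to be on the web server.
ACCOUNT_JWK = {
    "kty": "RSA",
    "n": "AQIDBAUGBwgJCgsMDQ4PEBESExQVFhcYGRobHB0eHyA",
    "e": "AQAB",
    "alg": "RS256",   # not part of the thumbprint
    "kid": "example",  # not part of the thumbprint
}


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME (RFC 8555 s.7.1) uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Members that go into the thumbprint, per key type (RFC 7638 section 3.2).
# Optional members such as alg, kid and use are deliberately left out, so the
# thumbprint depends only on the key material itself.
_THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
}


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members serialised with
    keys in lexicographic order and no whitespace, then base64url-encoded."""
    required = {k: jwk[k] for k in _THUMBPRINT_MEMBERS[jwk["kty"]]}
    canonical = json.dumps(required, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, thumbprint: str) -> str:
    """Body the validator expects for HTTP-01 (RFC 8555 section 8.1)."""
    return f"{token}.{thumbprint}"


CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
# RFC 8555 section 8.3: a token is base64url characters only, no padding, with
# at least 128 bits of entropy (22+ characters). Anything else is not a
# challenge and must not be echoed back into a response body.
_TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{22,}")


def answer_challenge(path: str, thumbprint: str):
    """Return (status, body) for a challenge request, or None if the path is
    not under the challenge prefix and should be handled by the normal site."""
    if not path.startswith(CHALLENGE_PREFIX):
        return None
    token = path[len(CHALLENGE_PREFIX):]
    if not _TOKEN_RE.fullmatch(token):
        return 404, b"no such challenge"
    return 200, key_authorization(token, thumbprint).encode("ascii")


class ChallengeHandler(BaseHTTPRequestHandler):
    """Minimal handler that knows only the thumbprint; everything else is 404."""
    thumbprint = jwk_thumbprint(ACCOUNT_JWK)

    def do_GET(self):
        answer = answer_challenge(self.path, self.thumbprint)
        status, body = answer if answer else (404, b"not found")
        self.send_response(status)
        # RFC 8555 section 8.3 recommends application/octet-stream for the body.
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Port 80 is an assumption: HTTP-01 validation is always performed over
    # plain HTTP on port 80 (redirects to HTTPS are followed).
    print("thumbprint:", ChallengeHandler.thumbprint)
    HTTPServer(("0.0.0.0", 80), ChallengeHandler).serve_forever()
```

Once running, `curl http://example.test/.well-known/acme-challenge/<token>` (host assumed) should return `<token>.<thumbprint>`, which is exactly what the CA's validator compares against; any other path under the prefix is refused rather than echoed, so the handler cannot be used to reflect arbitrary strings.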

~~~
armitron
Xach has a habit of implementing complicated solutions that solve half the
problem. Quicklisp has been around for years, is still vulnerable to
man-in-the-middle attacks and the code is so convoluted and complicated that it
defies simple extensions by 3rd parties (which is partly why it hasn't been
improved by the community me reckons).

------
nyuszika7h
I don't understand what the point of this is, can't you just use the webroot
method?

~~~
lisper
Yes, you can. I run a Lisp web server (with an nginx front-end) and this is
the method I use. It works just fine. I have no idea why Zach doesn't use it.

[UPDATE] I sent Zach an email asking him that question. If he responds, I'll
post the reply here.

~~~
lisper
His response: "My webroot is served by Lisp."

------
mcspiff
Feels like using the DNS based challenges would be a much easier solution.

------
MisterTea
Is the column of text shifted to the right and getting cut off for anyone
else? Chrome and FF.

~~~
tialaramex
It's a scrollable element for me, I don't like it but it's good enough
especially if it's largely for illustration anyway.

