[ANN] tanelorn.city: a public gemini host for writers

Matthew Graybosch hello at matthewgraybosch.com
Fri Jun 12 18:41:52 BST 2020


On Fri, 12 Jun 2020 16:43:25 +0000
solderpunk <solderpunk at SDF.ORG> wrote:

> On Fri, Jun 12, 2020 at 06:39:22PM +0200, tastytea wrote:
>  
> > If I interpret the output from `openssl s_client`¹ correctly, the
> > CN of the certificate is set to “Matthew Graybosch”, not a
> > “tanelorn.city”, as it is custom for HTTPS. However, while the
> > specification states in 4.2 that “Clients can validate TLS
> > connections however they like”, it recommends a “lightweight "TOFU"
> > certificate-pinning system” without mentioning hostname validation.
> 
> I guess various best practices for non-conventional certificate
> validation should be hashed out in, well, the best practices doc, or
> even a dedicated document.
> 
> For what it's worth, AV-98 expects either the Subject CN or one of the
> SubjectAlternativeNames to match the hostname in the URL it's trying
> to fetch and will complain otherwise.  I can visit tanelorn.city just
> fine, so I guess there's a valid SAN that perhaps Bombadillo isn't
> seeing?

I might have gone about creating my certs the wrong way, too.

After RTFMing FreeBSD's openssl implementation I came up with the
following shell script.

```
#!/bin/sh
# Create a self-signed certificate and DH parameters for one domain.
# Usage: <script> DOMAIN
set -eu

DOMAIN=${1}
SSL_CERT_PATH=/usr/local/etc/ssl/${DOMAIN}

if [ ! -d "${SSL_CERT_PATH}" ]; then
        mkdir -p "${SSL_CERT_PATH}"
fi

# With no -subj, openssl req prompts interactively for the CSR fields, so the
# Subject (including the CN) is whatever is typed at the prompt, and no
# subjectAltName extension is added.
openssl req -x509 -nodes -days 365 -newkey rsa:4096 \
        -keyout "${SSL_CERT_PATH}/ssl.key" \
        -out "${SSL_CERT_PATH}/ssl.crt"
openssl dhparam -out "${SSL_CERT_PATH}/dhparam.pem" 4096
```

It looks like I'm getting prompted to create a CSR for each cert as
well, and I might be putting in the wrong information.

-- 
Matthew Graybosch		gemini://starbreaker.org
#include <disclaimer.h>		gemini://demifiend.org
https://matthewgraybosch.com	gemini://tanelorn.city
"Out of order?! Even in the future nothing works."

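The thread above turns on the certificate's CN being a person's name with no SAN for the hostname. The following is an added example, not Matthew's script and not code from AV-98, Bombadillo or any Gemini project: it generates a self-signed certificate whose Subject CN and a DNS subjectAltName both carry the hostname (no interactive CSR prompts, so nothing is typed in by hand), and then checks a certificate the way a hostname-validating client would, accepting it only if the CN or a DNS SAN equals the hostname. It assumes OpenSSL 1.1.1 or later (for `-addext` and `x509 -ext`); the hostnames and output directories are placeholders.

```shell
#!/bin/sh
# Added example: self-signed certificate with CN and SAN set to the hostname,
# plus a client-side hostname check. Assumes OpenSSL >= 1.1.1.
set -eu

# gen_host_cert HOSTNAME OUTDIR
# Writes OUTDIR/ssl.key and OUTDIR/ssl.crt with CN=HOSTNAME and SAN DNS:HOSTNAME.
gen_host_cert() {
    host="$1"; outdir="$2"
    mkdir -p "$outdir"
    # -subj supplies the Subject non-interactively; -addext adds the SAN.
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -subj "/CN=${host}" \
        -addext "subjectAltName=DNS:${host}" \
        -keyout "${outdir}/ssl.key" \
        -out "${outdir}/ssl.crt" 2>/dev/null
}

# gen_cn_only_cert NAME OUTDIR
# The problematic shape from the thread: CN is a person's name, no SAN.
gen_cn_only_cert() {
    name="$1"; outdir="$2"
    mkdir -p "$outdir"
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -subj "/CN=${name}" \
        -keyout "${outdir}/ssl.key" \
        -out "${outdir}/ssl.crt" 2>/dev/null
}

# cert_matches_host CERTFILE HOSTNAME
# Returns 0 if the Subject CN or any DNS SAN equals HOSTNAME, else 1.
cert_matches_host() {
    cert="$1"; host="$2"
    # RFC2253 formatting gives "subject=CN=example.org" with no padding spaces.
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
         | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p')
    # "-ext subjectAltName" prints "DNS:a, DNS:b" lines; absent SAN is not an error here.
    sans=$(openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null \
           | tr ',' '\n' | sed -n 's/^ *DNS:\(.*\)$/\1/p' || true)
    [ "$cn" = "$host" ] && return 0
    for s in $sans; do
        [ "$s" = "$host" ] && return 0
    done
    return 1
}

# Stand-alone demo: sh thisfile.sh HOSTNAME  (placeholder hostname, e.g. gemini.example)
if [ "$#" -ge 1 ]; then
    tmp=$(mktemp -d)
    gen_host_cert "$1" "$tmp/good"
    gen_cn_only_cert "Some Person" "$tmp/bad"
    openssl x509 -in "$tmp/good/ssl.crt" -noout -subject -ext subjectAltName
    cert_matches_host "$tmp/good/ssl.crt" "$1" && echo "good cert: hostname matches"
    cert_matches_host "$tmp/bad/ssl.crt" "$1" || echo "bad cert: no CN/SAN for $1"
    rm -rf "$tmp"
fi
```

A TOFU client can still pin the certificate as a whole without looking at names, but the check above is what a client such as AV-98 is described as doing in the quoted reply, so a server certificate that passes it works for both styles of validation. The `-ext` and `-addext` options are the reason for the OpenSSL 1.1.1 requirement; on older releases the SAN has to be supplied through a config file instead.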
