Keeping CertFP static regardless of LetsEncrypt renewal

Set certfp_method = spki_sha512; or other beginning with spki_and check the new fingerprint with

https://github.com/charybdis-ircd/charybdis/blob/charybdis-4.1.1/doc/reference.conf#L1414-L1428

$CHARYBDIS-INSTALL-PATH/bin/charybdis-mkfingerprint spki_sha512 $CHARYBDIS-INSTALL-PATH/etc/ssl/cert.pem

and use the output as server fingerprint.

WARNING: This also affects user certfp's so users using certfp may not get identified automatically.

Alternative method to get the server SPKI is running gnutls-cli host:port, taking public-key-id and adjusting it into form SPKI:SHA2-256:...

WARNING: Certbot users be sure to run it with --reuse-key flag or it will generate entirely new keys changing the fingerprint. E.g. certbot renew --reuse-key You will also need to change the automagic command in /etc/cron.d/certbot and if you use systemd, ExecStart line of certbot.service. See systemctl show certbot.service | grep ExecStart and systemctl edit certbot.service

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Keeping CertFP static regardless of LetsEncrypt renewal

Clone this wiki locally