JollyGreen_sasquatch @sh.itjust.works
Posts 0
Comments 16
Paid SSL vs Letsencrypt
  • The main benefits to paying for certs are

    • as many said, getting more than 90 days of validity for certs that are harder to rotate, or where the automation hasn't been done.
    • higher rate limits for issuing and renewing certs; you can ask Let's Encrypt to raise limits, but you can still hit them.
    • you can get certs for things other than web sites, i.e. code signing.

    The only thing that matters to most people is that they don't get cert errors going to/using a web site, or installing software. Any CA that is in the browsers, OS and various language trust stores is the same to that effect.

    The rules for inclusion in the browsers' trust stores are strict (many of the Linux distros and language trust stores just use the Mozilla cert set), which is where the trust comes from.

    Which CA provider you choose doesn't change your potential attack surface. The question on attack surface seems like it might come from lacking understanding of how certs and signing work.

    A cert has 2 parts: a public cert and a private key. CAs sign your site's public cert with their private key; they never have or need your private key. Public certs can be used to verify something was signed by the private key. Public certs can be used to encrypt data such that only the private key can decrypt it.
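    The signing flow described above, as an added example that is not part of the original comment: the site keeps its private key, hands the CA only a CSR (public key plus requested name), the CA signs with its own private key, and anyone with the CA's public cert can verify the result. It assumes the openssl CLI is installed; all names and paths are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the openssl CLI.
set -e
WORK=$(mktemp -d)

# 1. Site operator: private key plus a CSR. The CSR carries only the public
#    key and the requested name; it is signed by site.key to prove possession.
make_site_csr() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/site.key" 2>/dev/null
  openssl req -new -key "$WORK/site.key" -subj "/CN=www.example.test" \
    -out "$WORK/site.csr" 2>/dev/null
}

# 2. CA: a self-signed root. ca.key is the only secret used for signing.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -subj "/CN=Example Test CA" -days 30 -out "$WORK/ca.crt" 2>/dev/null
}

# 3. CA signs the CSR. Inputs are the CSR and the CA's own key; note that
#    site.key is never passed in or read here.
sign_csr() {
  openssl x509 -req -in "$WORK/site.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 30 \
    -out "$WORK/site.crt" 2>/dev/null
}

# 4. What a browser does: check the site cert's signature against the CA's
#    public cert in its trust store. Exit status 0 means the chain verifies.
verify_chain() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/site.crt" >/dev/null 2>&1
}

# 5. The public key inside the issued cert is exactly the site's own public
#    key, so the cert binds the name to a key the CA never held.
keys_match() {
  a=$(openssl pkey -in "$WORK/site.key" -pubout 2>/dev/null)
  b=$(openssl x509 -in "$WORK/site.crt" -pubkey -noout 2>/dev/null)
  [ "$a" = "$b" ]
}

make_site_csr
make_ca
sign_csr
```

Removing the CA cert from the `-CAfile` argument (or verifying against a different CA) makes `verify_chain` fail, which is the same error a browser shows for a cert from a CA outside its trust store.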

  • Disney says DeSantis-appointed district is dragging feet in providing documents for lawsuit
  • I've been dealing with lawyers and court recently; they may be above average in terms of intelligence and drive, but most wouldn't be extremely above that average. I've had to explain fairly basic math, with easy numbers (fractions like 1/2 and 1/3 regarding pay structure), several times already. I.e.

    • base = 100
    • bonus = 1/2 * base
    • total = base + bonus.

    Still had to explain that bonus is 1/3 total not 1/2 total.

  • UK air traffic control meltdown
  • If I understand the article:

    • a flight plan is a series of waypoints.

    • Waypoints are represented using identifiers that are known to not be globally unique.

    • an algorithm that attempts to extract the portion of the flight in UK airspace failed due to one of the non-unique waypoints in a flight plan

    • the failure caused the primary system to halt

    • the backup system takes over, processes the same flight plan and fails the same way, halting as well

    • UK air traffic control can no longer accept/process flight plans, preventing flights from happening

    • it took a while to resolve the system error, and longer to resolve the impacted people

  • I'm right, right?
  • There was no reference to alimony or spousal support in the post, but I tend to see that "taking all my money" phrase because of unequal division of assets. The post implies they feel there was an unequal division, but suggests they are in a better state now that the ex is out of their life despite that, which is a relatively healthy expression for what they are going/have gone through.

    Where I am, non-financial spousal contributions are taken seriously and are seen as being as important as any other form of contribution to the marriage. I know that isn't the case everywhere, and if you experienced your non-financial contributions being downplayed, I am sorry.

    Telling people to stop is sweeping issues under the rug that should be, and need to be, talked about. I do agree non-financial contributions get downplayed; it's shitty that it still happens.

    Never said venting was an excuse or the way this venting was happening was perfectly healthy, but that it is necessary to allow people to vent and telling people to stop isn't healthy.

  • I'm right, right?
  • Being in a divorce currently, I have noticed a few things that aren't talked about that I think lead to these memes being so popular.

    Divorce laws vary a lot from location to location, in the US they are all state level laws. Not all state level divorce laws are fair to both parties, it seems to get worse if children are involved (some states have recently been adding laws that state 50/50 custody must be the assumed starting point because it hasn't been).

    Even if the divorce laws are written to be fair to both parties in theory, at least in my state, the judge has the flexibility to rule in ways that may seem or even be unfair (what is equitable is complicated).

    Even if the judge would or does rule fairly on all issues presented to them, the lawyers (if the parties can even afford lawyers) may be perpetuating gender biases in divorces as well. So the issues may never even reach the judge and just be settled by an "agreement" between the parties pushed by the lawyers.

    Most divorces settle, maybe even on terms that heavily favor one party, because going to trial is a lot of money. Lawyers know this and have "games" they can play, like 60%-70% of assets to one party is still cheaper in theory than going to trial for the other party, so they hold that line in negotiations and your own lawyer will push for you to agree to terms like that as a cost/benefit analysis exercise.

    Even if none of that happened and it was fair the whole way through, it is a very complex emotional time, and men often don't have the same level of social support to vent to.

    Telling people to stop unless they are in some level of extreme situation is really toxic. People need to vent and be able to talk about what they are going through.

  • Enabling secure boot later on
  • You can, and for Linux generally have to, manage your own secure boot keys and sign your own kernel, united, modules, etc. Canonical and Red Hat have signing keys iirc, but distributions can and do get the shim boot loader signed so secure boot works. The Arch wiki has a page on how to set up secure boot. Many distros' installers do end up signed as well, so you can go through the full install process with secure boot enabled.

  • FedNow - how do you all feel about it?
  • The Fed is already a middle man in ACH, but it won't be all transactions anyway. The SWIFT network is a thing, and credit cards are separate payment processing networks. Overall I expect it is a long overdue upgrade to what ACH does, and should reduce the market for services like Zelle/QuickPay/Venmo.

  • Proxy to TCP port with real IP
  • Short answer no, but you can add the source IP as part of the HTTP header https://www.nginx.com/resources/wiki/start/topics/examples/forwarded/ and then you have to log that bit of the header at the app level.

    There can be ways if you are using IPv6, basically turning your cloud host into a router, but with IPv4 you would have to have a 1:1 mapping and set up the routing carefully to make it work.

  • [SOLVED] Caddy reverse proxy on LAN with trusted certs without exposing DNS
  • Wildcard DNS entries are not part of an RFC afaik, so the behavior is completely determined by the DNS software in use. AD and I think BIND state to only use them in otherwise empty zones, though in one case I have at work we have to have the wildcard and an A record in the zone. Hit strange intermittent failures to resolve without the record in for some reason.

  • [SOLVED] Caddy reverse proxy on LAN with trusted certs without exposing DNS
  • Rereading what you have in the zone file, if that is a standard BIND zone file, a subzone definition would look like

    ```
    ; sub-domain definitions
    $ORIGIN local.example.com.
    *   IN A 1.1.1.1
    ```

    What you have might work, but doesn't follow the DNS RFCs; the DNS label is "*.local" in the "example.com" zone/domain.

    This may come up after you get the API to the public DNS provider working, as the software will add/update a "_acme-challenge" label in the zone you point it to, which would be "example.com".

    If the DNS provider makes setting up a proper subzone hard, you can work around it by adding a CNAME record

    ```
    _acme-challenge.local IN CNAME _acme-challenge.example.com
    ```

  • Experience with pkgsrc as a non-privileged user?
  • My current employer uses pkgsrc as the base libraries for all in house written apps on top of rhel 7. We are 1-2 years into a project to get off of pkgsrc so we can get off of rhel 7 before having to switch to ELS, as it is expensive.

    It isn't meant for building off applications, you might be able to make it work. It seems more meant for and works great for embedded systems with firmware images.

    The pkgsrc setup at work makes use of hard-coded RPATHs with full absolute paths. It is never clear which dynamic library is getting loaded at runtime, as even ldd gets it wrong. I have to set LD_DEBUG and run the binary to figure out what's happening. Because it is using RPATHs, which inherit the RPATHs of the parent, we sometimes end up with different libraries being loaded depending on how the app gets launched.

    asdf is popular for userspace tool installs and might work.

    TL;DR I don't recommend using pkgsrc for this

  • [SOLVED] Caddy reverse proxy on LAN with trusted certs without exposing DNS
  • I assume you have purchased a public domain (the example.com bit) and have it set up to be publicly resolvable, even if the records are hosted on Cloudflare or something.

    You don't need any A records for the DNS-01 challenge from Let's Encrypt. You need a TXT record for _acme-challenge.local.example.com that you can update with whatever challenge string Let's Encrypt replies with when you request the *.local.example.com certificate.

    Guessing the error is from Caddy and it is saying it can't find the public provider of that zone to update the TXT record for the challenge. Even if you have the correct provider configured, does local.example.com exist in the public DNS server config?

    As a side note, after the cert is issued the _acme-challenge TXT record can be deleted; just be aware all issued public certs are easily searchable by domain name.