User Tools

Site Tools


gemini:tofu_letsencrypt

Using Gemini with Letsencrypt and TOFU

Generally to use TOFU on Gemini creating a long-lived self-signed certificate is recommended. I thought it would be a good idea to use the same certificate for the web page as well as the Gemini server, so I used Letsencrypt instead, which turns out to be not a good idea regarding TOFU since the cert hash changes each time a new certificate is created since certbot creates a new private key, likely as a security measure and that changes the Cert hash. After some digging in the documentation of Letsencrypt I found the option to turn that off and reuse the private key. This works by adding an option to the domain.conf file in /etc/letsencrypt/renewal:

[renewalparams]
account = ***
authenticator = webroot
webroot_path = /home/user/gemini-site/capsule
server = https://acme-v02.api.letsencrypt.org/directory
reuse_key = True

the last line as has to be added

After renewing the cert with this option, the certificate can be exchanged and programs that do strict TOFU like amfora accept the certificate without a warning. And clients that check CA validity as well as TOFU are happy as well.

On a sidenote, I am using Kineto for the web version of the Gemini pages and when using the .well-known directory inside the Gemini capsule directory, the authentication works fine with the web page

Note that I have to tried the renewal in the regular process since another 3months have not passed, so it may turn out that it not actually works.

gemini/tofu_letsencrypt.txt · Last modified: 2023/05/08 21:22 by alex