The difficulty of making sure your website is broken
4 hours ago
- #HTTPS Security
- #Let's Encrypt
- #Certificate Testing
- The article discusses the unusual challenge of hosting websites that deliberately serve revoked or expired certificates for testing purposes, which off-the-shelf ACME clients and web servers do not support: they are built to renew certificates before expiry and to replace revoked ones, so they work against the goal.
- Let's Encrypt wrote a Go program to manage its test-certificate sites, covering valid, expired, and revoked certificates. The revoked site needs the most care: its certificate must be revoked yet still within its validity period, because once a revoked certificate expires it no longer exercises a client's revocation checking, so it has to be re-issued and re-revoked before expiry.
- The program uses Lego as a library for ACME certificate requests and revocations, answers TLS-ALPN-01 challenges from the same Go TLS server that serves the test sites, and moves each certificate through explicit states with waiting periods: after a revocation it waits for the CRL to be updated before advertising the revoked certificate, and for the expired site it waits until the certificate has actually expired before serving it.
- A custom GetCertificate callback in the Go TLS server selects the certificate by SNI and prioritizes correctness over uptime: if the certificate for a name is not in the state that site is meant to demonstrate, the handshake fails rather than serving the wrong certificate. The server also includes touches such as ASCII art for clients that do not render HTML.
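The SNI-keyed selector described above, as an added example that is not the Let's Encrypt program's code. It assumes three hypothetical hostnames (valid.example.test, expired.example.test, revoked.example.test) and mints self-signed certificates in place of ACME-issued ones; revocation itself is not modelled, only the rule that the revoked site's certificate must never be served once it has expired, and that the expired site's certificate must not be served until it actually has. Any name without a matching certificate in the required state fails the handshake instead of falling back to a default.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// site pairs a test host's certificate with the state that host exists to demonstrate:
// the deliberately expired host must serve an expired certificate; every other host
// (the revoked one included) must never serve one.
type site struct {
	cert          *tls.Certificate
	expectExpired bool
}

// selfSigned mints a throwaway certificate for host. It stands in for the ACME-issued
// certificates the real program obtains; only the validity window matters here.
func selfSigned(host string, notBefore, notAfter time.Time) (*tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: notBefore, NotAfter: notAfter, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// newGetCertificate builds a tls.Config.GetCertificate callback that selects strictly by
// SNI and fails the handshake, rather than serving something plausible, whenever the
// certificate is not in the state that host is meant to demonstrate.
func newGetCertificate(sites map[string]site, clock func() time.Time) func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
	return func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
		s, ok := sites[strings.ToLower(hello.ServerName)]
		if !ok { // no default certificate: an unknown or absent SNI is a handshake failure
			return nil, fmt.Errorf("no test certificate for SNI %q", hello.ServerName)
		}
		if expired := clock().After(s.cert.Leaf.NotAfter); expired != s.expectExpired {
			return nil, fmt.Errorf("%s: certificate expired=%v but host requires expired=%v",
				hello.ServerName, expired, s.expectExpired)
		}
		return s.cert, nil
	}
}

// buildTestSites mints one certificate per hypothetical test host, relative to clock().
func buildTestSites(clock func() time.Time) (map[string]site, error) {
	now, day := clock(), 24*time.Hour
	sites := map[string]site{}
	for _, s := range []struct {
		host                string
		notBefore, notAfter time.Time
		expectExpired       bool
	}{
		{"valid.example.test", now.Add(-time.Hour), now.Add(90 * day), false},
		{"expired.example.test", now.Add(-2 * day), now.Add(-day), true},
		{"revoked.example.test", now.Add(-time.Hour), now.Add(90 * day), false}, // revoked over ACME in the real program
	} {
		cert, err := selfSigned(s.host, s.notBefore, s.notAfter)
		if err != nil {
			return nil, err
		}
		sites[s.host] = site{cert: cert, expectExpired: s.expectExpired}
	}
	return sites, nil
}

func main() {
	sites, err := buildTestSites(time.Now)
	if err != nil {
		panic(err)
	}
	cfg := &tls.Config{GetCertificate: newGetCertificate(sites, time.Now)}
	for _, name := range []string{"valid.example.test", "expired.example.test", "revoked.example.test", "other.example.test", ""} {
		cert, err := cfg.GetCertificate(&tls.ClientHelloInfo{ServerName: name})
		if err != nil {
			fmt.Printf("%-22q -> handshake fails: %v\n", name, err)
			continue
		}
		fmt.Printf("%-22q -> %s (NotAfter %s)\n", name, cert.Leaf.Subject.CommonName, cert.Leaf.NotAfter.Format(time.RFC3339))
	}
}
```

The clock is injected so the state checks can be exercised without waiting: advancing it past the revoked site's NotAfter makes that name refuse to serve, and winding it back before the expired site's NotAfter makes that name refuse too, which is the "correctness over uptime" behaviour in both directions.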