Robert,

On 03/09/2019 09.57, Robert Kisteleki wrote:
Still no one has answered why RIPE is using self-signed certs for anchor when they can use Let's Encrypt for free...
TL;DR if the community prefers it we use LE (+TLSA).
This comes with the expense of some one-time and ongoing operational work. Considering that anchors don't host any sensitive information, using self-signed certs (+TLSA) was so far considered good enough.
Sorry for asking this question so late in this thread, but what exactly are the certificates used for?

The value of a certificate from a certificate authority is that you outsource the work of establishing a trust relationship. If you're connecting bits of networking infrastructure together, presumably one's provisioning tools can configure each component with exactly the secrets and trust needed, so self-signed certificates should be fine (or better, since the system is simpler and there is no dependency on external infrastructure).

If the use case under discussion is to help RIPE anchor operators (or others) to see some status page on the anchor itself via a browser, then using a "real" certificate might make sense. Otherwise, I don't see the point.

Cheers,

--
Shane
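
The self-signed certificate plus TLSA arrangement mentioned in the thread, sketched as an added example that is not part of the original messages or of any RIPE Atlas code: a client-side check of a presented certificate against a TLSA record as defined in RFC 6698. The `3 1 1` and `3 0 1` record parameters and the constructed sample certificate bytes are assumptions, since the thread does not say which record the anchors publish.

```python
import hashlib
import hmac

def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, start = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[start:start + n], "big")
        start += n
    if start + length > len(buf):
        raise ValueError("truncated DER")
    return tag, start, start + length

def spki_der(cert):
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate."""
    _, pos, _ = _tlv(cert, 0)                # Certificate
    _, pos, _ = _tlv(cert, pos)              # tbsCertificate
    tag, _, end = _tlv(cert, pos)
    if tag == 0xA0:                          # explicit [0] version, absent in v1
        pos = end
    for _field in range(5):                  # serial, sigAlg, issuer, validity, subject
        _, _, pos = _tlv(cert, pos)
    _, _, end = _tlv(cert, pos)
    return cert[pos:end]

def tlsa_data(cert, selector, mtype):
    """RFC 6698 association data: selector 0 = whole cert, 1 = SPKI."""
    selected = cert if selector == 0 else spki_der(cert)
    if mtype == 0:
        return selected                      # exact match
    return hashlib.new({1: "sha256", 2: "sha512"}[mtype], selected).digest()

def tlsa_matches(cert, record):
    """Check a presented cert against one 'usage selector mtype hex' record."""
    _usage, selector, mtype, data = record.split()
    expected = bytes.fromhex(data)
    return hmac.compare_digest(tlsa_data(cert, int(selector), int(mtype)), expected)

def _der(tag, body=b""):
    return bytes([tag, len(body)]) + body    # sample bodies stay under 128 bytes

def sample_cert(key, serial=1):
    """Constructed stand-in: real X.509 nesting, dummy field contents."""
    spki = _der(0x30, _der(0x30) + _der(0x03, b"\x00" + key))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, bytes([serial]))
               + _der(0x30) * 4 + spki)
    return _der(0x30, tbs + _der(0x30) + _der(0x03, b"\x00"))
```

Pinning the key (selector 1) keeps the record valid when a certificate is reissued with the same key, while a selector 0 record has to be republished with every new certificate.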