Install and Configure #Cacti on #AlmaLinux #VPS This article provides a guide demonstrating how to install and configure Cacti on AlmaLinux VPS.

What Is Cacti?
Cacti is an open-source network monitoring and graphing tool built on top of RRDtool. It’s designed to collect, store, and visualize time-series data from networks and systems.
What Cacti Does

Polls data from devices ...
Continued https://blog.radwebhosting.com/install-and-configure-cacti-on-almalinux-vps/?utm_source=mastodon&utm_medium=social&utm_campaign=mastodon.social #mariadb #selfhosted #opensource #letsencrypt #selfhosting #rrdtool

My current conspiracy theory: Now that #letsencrypt has more or less destroyed the market for domain certificates and people are more interested in using client/user certificate, Google throws the market a lifeline by removing clientAuth from acceptable certificates in the browser context with some vague "it's about security" arm waving. #NerdTalk

1/4

Remember the threads¹² about #LetsEncrypt removing a crucial key usage from certificates issued by them in predictive obedience to their premium sponsor Google?

We were at first concerned about #SMTP. While I had lived through this problem with #StartSSL by #StartCom back in 2011, I only had a vague recollection of Jabber but recalled in detail that it broke server-to-server SMTP verification (whether the receiving server acted on it or just documented it).

Well, turns out someone now reported that it indeed breaks #XMPP entirely: https://community.letsencrypt.org/t/do-not-remove-tls-client-auth-eku/237427/66

This means that it will soon no longer be possible at all to operate Jabber (XMPP) servers because the servers use the operating system’s CA certificate bundle for verification, which generally follows the major browsers’ root stores, which has requirements from the CA/Browser forum who apparently don’t care about anything else than the webbrowser, and so no CA whose root certificate is in that store will be allowed to issue certificates suitable for Jabber/XMPP server-to-server communication while these CAs are the only ones trusted by those servers.

So, yes, Google’s requirement change is after all breaking Jabber entirely. Ein Schelm, wer Böses dabei denkt.

While https://nerdcert.eu/ by @jwildeboer would in theory help, it’s not existent yet, and there’s not just the question of when it will be included in operating systems’ root CA stores but whether it will be included in them at all.

Google’s policy has no listed contact point, and the CA/B forum isn’t something mere mortals can complain to, so I’d appreciate if someone who can, and who has significant skills to argument this in English and is willing to, to bring it to them.

① mine: https://toot.mirbsd.org/@mirabilos/statuses/01JV8MDA4P895KK6F91SV7WET8
② jwildeboer’s: https://social.wildeboer.net/@jwildeboer/114516238307785904

yet another ACME client, based on uacme: https://github.com/llfw/lfacme

good:
+ uses uacme and POSIX /bin/sh
+ better configuration/hook system than dehydrated
+ comes with manpages
+ small and simple
+ supports Kerberized dns-01 domain validation

bad:
- only tested on FreeBSD (but this could be improved)

(edit: now supports http-01 challenges!)

/cc @_bapt_

How to Deploy #LDAP Server and Client on Rocky Linux #VPS (389 Directory Server Guide) Below is a comprehensive, step-by-step guide to deploying the 389 Directory Server on Rocky Linux VPS instances, and configuring a separate Rocky Linux machine as an LDAP client.

It covers everything from package installation and initial instance setup, through ...
Continued https://blog.radwebhosting.com/how-to-deploy-ldap-server-and-client-on-rocky-linux-vps-389-directory-server-guide/?utm_source=mastodon&utm_medium=social&utm_campaign=ReviveOldPost #opensource #directoryserver #selfhosted #letsencrypt #security #selfhosting #identitymanagement #rockylinux

Weird thing that `certbot delete`seems to be the simplest and fastest command to get a list of the #letsencrypt certificates my web server manages.

UPDATE: Thx to the replies, I implemented the change for all my domains, did a `certbot renew --dry-run` and that succeeded. Yay to a cleaner config :)

#NerdQuestion. When I move {server [...] } blocks in `/etc/nginx/nginx.conf` to separate files in the `/etc/nginx/conf.d` directory, will certbot still find them and will automatic renewals just keep working as before? Anyone with experience on that?

Just requested that Auto Encrypt¹ is added to the list of @letsencrypt clients for Node.js and that Kitten² is added to the list of projects that integrate Let’s Encrypt support:

• https://github.com/letsencrypt/website/pull/1921
• https://github.com/letsencrypt/website/pull/1922

I originally requested that Auto Encrypt and Site.js (the precursor to Kitten, now sunset) be added to the list in 2021. It was not approved (no reason given), so hopefully this time will be different.

https://github.com/letsencrypt/website/pull/1203

¹ https://codeberg.org/small-tech/auto-encrypt
² https://kitten.small-web.org

Auto Encrypt – heads up!

In the next minor version release of Auto Encrypt¹, we’ll be moving from a hard-coded date-based certificate renewal check to using ACME Renewal Information (ARI)².

The change³ should be seamless.

If you have any concerns, now is the time to raise them :)

#AutoEncrypt #TLS #LetsEncrypt #SmallTech #SmallWeb

¹ Drop-in Node.js https server replacement that automatically provisions and renews Let’s Encrypt certificates for you. (https://codeberg.org/small-tech/auto-encrypt#auto-encrypt)
² https://datatracker.ietf.org/doc/draft-ietf-acme-ari/
³ https://codeberg.org/small-tech/auto-encrypt/src/branch/main/CHANGELOG.md#4-4-0-2025

How to Install #PeerTube on #Ubuntu VPS

This article provides an in-depth guide demonstrating how to install PeerTube on Ubuntu VPS.
What is PeerTube?
PeerTube is a decentralized, federated video hosting platform powered by WebTorrent and ActivityPub. It enables users to self-host video services and interact with other PeerTube ...
Continued https://blog.radwebhosting.com/how-to-install-peertube-on-ubuntu-vps/?utm_source=mastodon&utm_medium=social&utm_campaign=ReviveOldPost #selfhosted #nodejs #vpsguide #opensource #letsencrypt #fediverse #decentralized #installguide #selfhosting #videostreaming

To all the people upset about #letsencrypt removing TLS Client Auth support from certificates, yes it sucks, but please direct your anger at Google who initiated this change. LetsEncrypt cannot exist if the biggest browser doesn't accept their certificates. Yell at Google, Not LE please.

I am totally sure (sarcasm included) that #Google has totally overseen that their planned changes to their root program requirements will cause a lot of problems for mailserver owners like me who in future might run into weird problems with #Letsencrypt certificates for SMTP. I am sure that Google is absolutely not trying to make running your own mailserver even more complicated just to protect their gmail business. That would be totally not how Google thinks, amirite? https://letsencrypt.org/2025/05/14/ending-tls-client-authentication/

Dear #Letsencrypt, you helped secure millions and millions of servers, not just web servers. But your announcement at https://letsencrypt.org/2025/05/14/ending-tls-client-authentication/ about ending Ending TLS Client Authentication Certificate Support in 2026 because Google changes their requirements would result in your certificates becoming a possible risk for ensuring SMTP traffic. Please think again. Please.

1/5

What the actual fuck, #LetsEncrypt‽

Let’s Encrypt will no longer include the “TLS Client Authentication” Extended Key Usage (EKU) in our certificates beginning in 2026.

That makes them unusable for SMTP servers. Gah!

Anyone got a usable alternative that doesn’t ruin financially?

Update: I’m in communication with them, let’s hope they recognise the usefulness.