o6asan
Joined: 27 Aug 2015 Posts: 44 Location: Japan, Fukuoka
Posted: Fri 28 Oct '16 15:23
Hi,
I found I can use Elliptic-curve Diffie–Hellman key exchange (kx) easily with Let's Encrypt, so I changed my certs' kx. For that, I still use dehydrated (formerly named letsencrypt.sh).
☞here
And I tested a configuration for which SSLLABS gives 100% results.
It's too strict, so not practical, though.
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7377 Location: Germany, Next to Hamburg
Posted: Sat 12 Nov '16 22:49
Well, with 90 days, Public Key Pinning (HPKP) seems to be obsolete. Or does anyone know how to still use it?
jimski
Joined: 18 Jan 2014 Posts: 196 Location: USSA
Posted: Fri 30 Dec '16 0:51
After hacking several free certs I decided to pay $4.99 and just buy a certificate from this website: https://cheapsslsecurity.com/
Yes, it is not free, but you get one big advantage: the certificate is actually issued by Comodo, so you can put a nice Comodo security trust seal on your website.
Jan-E
Joined: 09 Mar 2012 Posts: 1266 Location: Amsterdam, NL, EU
Posted: Thu 12 Jan '17 23:59
It was my time to renew and I had to do it manually. Strange that this PR is still not merged.
C0nw0nk
Joined: 07 Oct 2013 Posts: 241 Location: United Kingdom, London
Posted: Fri 17 Mar '17 2:14
jimski wrote:
After hacking several free certs I decided to pay $4.99 and just buy a certificate from this website: https://cheapsslsecurity.com/
Yes, it is not free, but you get one big advantage: the certificate is actually issued by Comodo, so you can put a nice Comodo security trust seal on your website.

The SSL certs you hacked, were they or were they not from letsencrypt.org?
I would say use Letsencrypt.org because of the regularity of the SSL certificate updates and the automated nature of it.
If you buy an SSL cert it may last a year, but if in that time it has been cracked or anything of that sort, the effects will be happening for the length of time it's valid, and it is also a manual process to update it. It's better that the certificate expires regularly and is more dynamic.
It's easier, re-validated more regularly and automated, especially if you have a lot of sites that require SSL, to use letsencrypt.
You don't need to manually go and buy and update something that should be, and already is, free, no matter how low companies push their price.
Even Cloudflare issues SSL for free now; this year is set to be the year SSL becomes mandatory, apparently, with even search engines prioritising links via secured over unsecured.
Firefox, Google and other web browsers are also helping in the push to a fully secured web via their unsecured-page and login-form notification messages now.
The one question on all our minds is when pornhub will finally, after years of saying it will, move to https.
They do a 301 Permanent redirect to unsecured connections because they are crazy, I guess. (They should only do 302 and 303 to prevent caches and future problems with crawlers, browsers, search engines etc.)
http://feedback.pornhub.com/forums/184663-pornhub-feedback-and-suggestions/suggestions/6702181-get-an-ssl-certificate-please
glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
Posted: Fri 17 Mar '17 19:32
C0nw0nk wrote:
The one question on all our minds is when pornhub will finally, after years of saying it will, move to https.

Hmmm, that is the least of my questions; in fact I do not even care. No, mine is more: when are they going to allow us to use something other than port 80 to verify the domain?
Not everybody has 80 open to them. My ISP blocks 80, so I cannot use the software to make it automated, if that software finally works properly to begin with. If it at least had the option of using 443 (regardless of a self-signed or expired certificate), I'd be good to go with Let's Encrypt.
So Jimski's link, I am thinking about it myself for when I have to renew my 90-day Let's Encrypt cert next month. Besides, I'm not securing state secrets, nor would I with just a DV certificate in the first place.
And if in that one year my cert gets compromised, with unlimited reissues I just get a new one and have the old one revoked.
C0nw0nk
Joined: 07 Oct 2013 Posts: 241 Location: United Kingdom, London
Posted: Sat 18 Mar '17 1:04
I am also curious how @steffen here at ApacheLounge got the following https://github.com/Lone-Coder/letsencrypt-win-simple/pull/299#issuecomment-253143459
Steffen wrote:
@o6asan Thanks for the pointers. Running now on Apache Lounge.
Used letsencrypt-win-simple 1.9.1

to restart Apache when it automatically renews the cert?
Is there a command line argument or script I have missed or don't see here?
I can see it can create the certificates and renew them automatically, but Apache needs to be told to restart whenever a new certificate and key is updated in the directory. How do you do this?
Steffen Moderator
Joined: 15 Oct 2005 Posts: 3097 Location: Hilversum, NL, EU
Posted: Sat 18 Mar '17 11:03
Do it all manually.
C0nw0nk
Joined: 07 Oct 2013 Posts: 241 Location: United Kingdom, London
Posted: Sun 19 Mar '17 17:48
Steffen wrote:
Do it all manually.

Well, I have been seeing if there is some way to make it work without the outside manual interference; perhaps some people who are also command line enthusiasts like myself would enjoy the opportunity to help.
Code:
@echo off
title LetsEncrypt SSL auto-renew and setup
:loop
rem Ask letsencrypt-win-simple to renew; it only renews certificates that are due
C:\Users\root\Desktop\letsencrypt\letsencrypt.exe --renew --accepttos --san --centralsslstore C:\CentralCertificateStore\ --manualhost networkflare.com,www.networkflare.com --webroot C:\Domain\networkflare\
rem command line here to restart apache after the certificates are ready
rem do a if modified check first etc
rem Wait 60 seconds, then check again
timeout /t 60 /NOBREAK >NUL
goto loop

I put this together so far, and my plan once it was working was to add it to Windows Task Scheduler so that Task Scheduler runs this script.
Jan-E
Joined: 09 Mar 2012 Posts: 1266 Location: Amsterdam, NL, EU
Posted: Sun 19 Mar '17 18:47
I do not see why the loop is needed. Just run this command one time every day, using the task scheduler:
Code:
C:\Users\root\Desktop\letsencrypt\letsencrypt.exe --renew --accepttos --san --centralsslstore C:\CentralCertificateStore\ --manualhost networkflare.com,www.networkflare.com --webroot C:\Domain\networkflare\

If your letsencrypt only applies to one domain, you should run another task every 59 or 60 days:
Code:
C:\Apache24\bin\httpd.exe -n Apache2.4 -k restart

If your letsencrypt applies to more domains with different renewal times, you can add this command to the letsencrypt renewal task (and restart Apache every day).
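One way to do the "if modified" check that C0nw0nk's script leaves as a rem, in the once-a-day Task Scheduler run Jan-E describes: an added PowerShell example (not code from the thread or from letsencrypt-win-simple) that hashes every file in the central store before and after the renew command and restarts Apache only when something actually changed. The paths, host names, service name and the `-n Apache2.4 -k restart` command are assumptions taken from the posts above.

```powershell
# Added example: run once a day from Task Scheduler (Jan-E's suggestion), no loop needed.
# Paths, host names and the service name are assumptions taken from the thread.
$LeExe        = 'C:\Users\root\Desktop\letsencrypt\letsencrypt.exe'
$CentralStore = 'C:\CentralCertificateStore\'
$Httpd        = 'C:\Apache24\bin\httpd.exe'
$ServiceName  = 'Apache2.4'

function Get-StoreHashes([string]$Dir) {
    # SHA-256 of every file in the central store, keyed by file name,
    # so a renewed certificate or key shows up as a changed or new entry.
    $hashes = @{}
    Get-ChildItem -Path $Dir -File | ForEach-Object {
        $hashes[$_.Name] = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    }
    return $hashes
}

$before = Get-StoreHashes $CentralStore

# Same renew command as in the thread; letsencrypt-win-simple only renews
# certificates that are actually due, so most daily runs change nothing.
& $LeExe --renew --accepttos --san --centralsslstore $CentralStore `
    --manualhost networkflare.com,www.networkflare.com --webroot 'C:\Domain\networkflare\'
if ($LASTEXITCODE -ne 0) {
    Write-Error "Renewal failed with exit code $LASTEXITCODE; Apache not restarted"
    exit 1
}

$after = Get-StoreHashes $CentralStore

# A file counts as changed if it is new, removed, or has a different hash.
$allNames = (@($before.Keys) + @($after.Keys)) | Sort-Object -Unique
$changed  = $allNames | Where-Object { $before[$_] -ne $after[$_] }

if ($changed) {
    Write-Output "Changed: $($changed -join ', '). Restarting Apache."
    & $Httpd -n $ServiceName -k restart     # the restart command Jan-E posted
} else {
    Write-Output 'No certificate change; Apache left running.'
}
```

Schedule it as `powershell.exe -ExecutionPolicy Bypass -File <path to script>` under an account that may restart the Apache service; with several domains renewing on different days, the hash check means only the runs that produced a new certificate trigger a restart.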
glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
Posted: Tue 21 Mar '17 23:58
Semi-off topic, but for forward secrecy you should be restarting Apache every day anyway.
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7377 Location: Germany, Next to Hamburg
Posted: Wed 22 Mar '17 11:27
glsmith wrote:
Semi-off topic, but for forward secrecy you should be restarting Apache every day anyway.

True for security. But that kills the PHP cache each time. It would be nice if a graceful restart would not kill the fcgid processes.
glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
Posted: Wed 22 Mar '17 19:40
From my readings, IIRC, TLS 1.3 should fix this, as each connection has its own whatever-it-is that Apache generates only once on start-up.
C0nw0nk
Joined: 07 Oct 2013 Posts: 241 Location: United Kingdom, London
Posted: Sun 09 Apr '17 20:58
I agree with them getting blocked; when you pay for something you expect it to be worth the money.
Even though the Symantec statement says "127 certificates", that is still a large number. Even one certificate would be too many for a so-called security company. I find it bad that they say that as if it justifies it and makes what they are doing perfectly OK and acceptable.
The beauty of letsencrypt, compared with self-signed certificates, is that they are domain verified.
And considering Let's Encrypt is backed by Google and is free, that enforces customer trust: their reputation is on the line.
https://letsencrypt.org/sponsors/
Who backs those SSL companies that charge everyone a ton of money?
And they are becoming more and more careless and proven to be untrustworthy. I like seeing the fact that they are getting punished for all the customers they put at risk. They seem happy enough to take the money.
Cloudflare issues SSL for free; it is becoming more and more common. Perhaps they don't like the word "FREE" and see themselves going out of business.