Re: [PLUG] Favorite Certificate Authorities
On Thu, 6 Sep 2018, Louis Kowolowski wrote:

>> I also created /etc/letsencrypt/renewal-hooks/post/apache-restart:
>>
>> #!/usr/bin/bash
>> /usr/bin/systemctl restart httpd.service >/dev/null 2>/dev/null
>
> I'm not familiar with apache any more (haven't really used it in probably a decade). If loading in the new cert can be done with a 'reload' instead of a 'restart' you won't have to take the outage. You may not care, and that's fine. Just a thought.

New SSL keys and certificates require a full restart in Apache. I'm fairly sure that's the best policy in terms of security. I can't envision a situation in which I'd willingly choose to have a service simultaneously running two different certificates for the same CN.

--
Paul Heinlein
heinl...@madboa.com
45°38' N, 122°6' W

___
PLUG mailing list
PLUG@pdxlinux.org
http://lists.pdxlinux.org/mailman/listinfo/plug
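Whatever the renewal hook does (restart or reload), the thing worth verifying afterwards is that the server actually presents the renewed certificate and how many days it has left. The following check is an added example, not code from the thread or from certbot; it assumes certbot's /etc/letsencrypt/live/<host>/fullchain.pem layout and a host name passed on the command line, and the PEM bundle embedded for testing is constructed, not a real certificate.

```python
# Added example, not code from the thread; host names and paths are assumptions.
import base64
import hashlib
import socket
import ssl
import sys
import time

RENEW_WARN_DAYS = 30  # certbot renews once fewer than 30 days remain

# Constructed sample bundle (not a real certificate): leaf first, then issuer.
SAMPLE_BUNDLE = "".join(
    "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(body).decode()
    for body in (b"constructed-leaf", b"constructed-issuer"))

def leaf_der_from_pem(pem_text):
    """DER bytes of the first certificate in a PEM bundle (the leaf in fullchain.pem)."""
    begin, end = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
    start = pem_text.index(begin)
    stop = pem_text.index(end, start) + len(end)
    return ssl.PEM_cert_to_DER_cert(pem_text[start:stop])

def days_until_expiry(not_after, now=None):
    """Whole days left, given a notAfter string as returned by getpeercert()."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(not_after) - now) // 86400)

def fetch_served_cert(host, port=443):
    """Return (DER bytes, parsed dict) of the leaf presented for host via SNI."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True), tls.getpeercert()

def check_host(host, fullchain_path):
    """Compare the served leaf with the on-disk leaf; flag mismatch or near-expiry."""
    with open(fullchain_path) as f:
        on_disk = hashlib.sha256(leaf_der_from_pem(f.read())).hexdigest()
    der, info = fetch_served_cert(host)
    served = hashlib.sha256(der).hexdigest()
    days = days_until_expiry(info["notAfter"])
    return {"host": host, "served_is_on_disk": served == on_disk, "days_left": days,
            "needs_attention": served != on_disk or days < RENEW_WARN_DAYS}

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"  # assumed host
    report = check_host(host, "/etc/letsencrypt/live/%s/fullchain.pem" % host)
    print(report)  # cron mails this; a non-zero exit flags a problem
    sys.exit(1 if report["needs_attention"] else 0)
```

Run it from cron a few minutes after the certbot job: a served/on-disk mismatch means the hook did not get the new certificate loaded, and days_left tells you whether renewal is overdue.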
Re: [PLUG] Favorite Certificate Authorities
On Sep 6, 2018, at 11:02 AM, Paul Heinlein wrote:
>
> On Wed, 5 Sep 2018, Louis Kowolowski wrote:
>
>> I believe that you can run the renew frequently and it won't actually renew until the time is right. Something like daily/weekly cron.
>>
>> Also, you want to make sure that when you renew, that it triggers a reload for your web server. Otherwise the new cert won't be picked up and you'll be frustrated.
>
> Yep, I created /etc/cron.d/certbot per the certbot site recommendations:
>
> 41 4,16 * * * root /bin/certbot renew
>
> I also created /etc/letsencrypt/renewal-hooks/post/apache-restart:
>
> #!/usr/bin/bash
> /usr/bin/systemctl restart httpd.service >/dev/null 2>/dev/null

I'm not familiar with apache any more (haven't really used it in probably a decade). If loading in the new cert can be done with a 'reload' instead of a 'restart' you won't have to take the outage. You may not care, and that's fine. Just a thought.

--
Louis Kowolowski
lou...@cryptomonkeys.org
Cryptomonkeys: http://www.cryptomonkeys.com/
Making life more interesting for people since 1977
Re: [PLUG] Favorite Certificate Authorities
On Wed, 5 Sep 2018, Louis Kowolowski wrote:

> I believe that you can run the renew frequently and it won't actually renew until the time is right. Something like daily/weekly cron.
>
> Also, you want to make sure that when you renew, that it triggers a reload for your web server. Otherwise the new cert won't be picked up and you'll be frustrated.

Yep, I created /etc/cron.d/certbot per the certbot site recommendations:

41 4,16 * * * root /bin/certbot renew

I also created /etc/letsencrypt/renewal-hooks/post/apache-restart:

#!/usr/bin/bash
/usr/bin/systemctl restart httpd.service >/dev/null 2>/dev/null

--
Paul Heinlein
heinl...@madboa.com
45°38' N, 122°6' W
Re: [PLUG] Favorite Certificate Authorities
I can confirm both of Louis' comments:

- you can run it daily and it doesn't abuse their server or change the certificate until <30 days remain. That's the setup I use daily in cron, but shown here from the command line:

# letsencrypt renew
Processing /etc/letsencrypt/renewal/www.q42.me.conf
Processing /etc/letsencrypt/renewal/supportfolio.com.conf

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/www.q42.me/fullchain.pem (skipped)
  /etc/letsencrypt/live/supportfolio.com/fullchain.pem (skipped)
No renewals were attempted.

- my server had the problem that it didn't trigger a webserver restart until I updated the cron script to also restart apache.

On Wed, Sep 5, 2018 at 3:13 PM Louis Kowolowski wrote:
> I believe that you can run the renew frequently and it won't actually renew until the time is right. Something like daily/weekly cron.
>
> Also, you want to make sure that when you renew, that it triggers a reload for your web server. Otherwise the new cert won't be picked up and you'll be frustrated.
>
>> On Sep 5, 2018, at 4:35 PM, Paul Heinlein wrote:
>>
>> On Wed, 5 Sep 2018, Tomas Kuchta (and several others) wrote:
>>
>>> LetsEncrypt.org
>>
>> Thanks to everyone who chimed in! The setup for LetsEncrypt was pretty easy using certbot, so I've installed a new key/cert/chain and will try living with it for a while.
>>
>> Supposedly it will be eligible for renewal in early November, so I've added a "certbot renew" cron job to my server and added an item about checking my certificate to my to-do list around then.
>>
>> --
>> Paul Heinlein
>> heinl...@madboa.com
>> 45°38' N, 122°6' W
>
> --
> Louis Kowolowski
> lou...@cryptomonkeys.org
> Cryptomonkeys: http://www.cryptomonkeys.com/
> Making life more interesting for people since 1977
Re: [PLUG] Favorite Certificate Authorities
I believe that you can run the renew frequently and it won't actually renew until the time is right. Something like daily/weekly cron.

Also, you want to make sure that when you renew, that it triggers a reload for your web server. Otherwise the new cert won't be picked up and you'll be frustrated.

> On Sep 5, 2018, at 4:35 PM, Paul Heinlein wrote:
>
> On Wed, 5 Sep 2018, Tomas Kuchta (and several others) wrote:
>
>> LetsEncrypt.org
>
> Thanks to everyone who chimed in! The setup for LetsEncrypt was pretty easy using certbot, so I've installed a new key/cert/chain and will try living with it for a while.
>
> Supposedly it will be eligible for renewal in early November, so I've added a "certbot renew" cron job to my server and added an item about checking my certificate to my to-do list around then.
>
> --
> Paul Heinlein
> heinl...@madboa.com
> 45°38' N, 122°6' W

--
Louis Kowolowski
lou...@cryptomonkeys.org
Cryptomonkeys: http://www.cryptomonkeys.com/
Making life more interesting for people since 1977
Re: [PLUG] Favorite Certificate Authorities
On Wed, 5 Sep 2018, Tomas Kuchta (and several others) wrote:

> LetsEncrypt.org

Thanks to everyone who chimed in! The setup for LetsEncrypt was pretty easy using certbot, so I've installed a new key/cert/chain and will try living with it for a while.

Supposedly it will be eligible for renewal in early November, so I've added a "certbot renew" cron job to my server and added an item about checking my certificate to my to-do list around then.

--
Paul Heinlein
heinl...@madboa.com
45°38' N, 122°6' W
Re: [PLUG] Favorite Certificate Authorities
Are there any other authorities, other than Let's Encrypt, with a free-as-in-freedom purpose?

LetsEncrypt.org

Unless of course you need a cert for somebody else's web.

Tomas

On Wed, Sep 5, 2018, 12:49 PM Louis Kowolowski wrote:
> If you're OK with the added requirement of having to renew the cert every 3mo, and the machine is publicly reachable (either directly or indirectly) on tcp/80 and tcp/443, LetsEncrypt is probably a reasonable choice (as others have pointed out). There are a number of tools available for automating the renewal process. Personally, I prefer using the Caddy webserver and having it handle the renewal for me. Not needing to manage an additional tool is a bonus.
>
>> On Sep 5, 2018, at 12:59 PM, Paul Heinlein wrote:
>>
>> The SSL certificate for my web site is due to expire in a few days. I'm not beholden to my current certificate authority (CA) and my requirements are pretty standard:
>>
>> * decent browser support
>> * modern crypto
>> * quick turnaround on requests
>>
>> I have no problem using chained certificates if necessary.
>>
>> So what CAs do you all favor these days?
>>
>> NB: There is no non-public content on my site, but there is some information about crypto usage. Back when I was running the site without https, I received an e-mail message from someone claiming to live in a country with an oppressive regime. (The return address and SMTP headers supported that claim.) That person asked if I could add SSL support so s/he could read my crypto pages without setting off alarm bells in the regime's sniffing software. I figured for a few bucks a year it was worth it.
>>
>> --
>> Paul Heinlein
>> heinl...@madboa.com
>> 45°38' N, 122°6' W
>
> --
> Louis Kowolowski
> lou...@cryptomonkeys.org
> Cryptomonkeys: http://www.cryptomonkeys.com/
> Making life more interesting for people since 1977
Re: [PLUG] Favorite Certificate Authorities
If you're OK with the added requirement of having to renew the cert every 3mo, and the machine is publicly reachable (either directly or indirectly) on tcp/80 and tcp/443, LetsEncrypt is probably a reasonable choice (as others have pointed out). There are a number of tools available for automating the renewal process. Personally, I prefer using the Caddy webserver and having it handle the renewal for me. Not needing to manage an additional tool is a bonus.

> On Sep 5, 2018, at 12:59 PM, Paul Heinlein wrote:
>
> The SSL certificate for my web site is due to expire in a few days. I'm not beholden to my current certificate authority (CA) and my requirements are pretty standard:
>
> * decent browser support
> * modern crypto
> * quick turnaround on requests
>
> I have no problem using chained certificates if necessary.
>
> So what CAs do you all favor these days?
>
> NB: There is no non-public content on my site, but there is some information about crypto usage. Back when I was running the site without https, I received an e-mail message from someone claiming to live in a country with an oppressive regime. (The return address and SMTP headers supported that claim.) That person asked if I could add SSL support so s/he could read my crypto pages without setting off alarm bells in the regime's sniffing software. I figured for a few bucks a year it was worth it.
>
> --
> Paul Heinlein
> heinl...@madboa.com
> 45°38' N, 122°6' W

--
Louis Kowolowski
lou...@cryptomonkeys.org
Cryptomonkeys: http://www.cryptomonkeys.com/
Making life more interesting for people since 1977
Re: [PLUG] Favorite Certificate Authorities
On 09/05/2018 11:09 AM, Alexandre Bedard wrote:
> On 9/5/2018 10:59 AM, Paul Heinlein wrote:
>> So what CAs do you all favor these days?
>
> Have you tried https://letsencrypt.org/ ?
>
> Free, publicly trusted SSL certificates. One of the differences between this and traditional commercial CA's is that the certificate is due for renewal every 90 days, but you can automate the process with certbot-auto and cron. I use LetsEncrypt certificates a lot and use Puppet to deploy the renewed certificates to all my hosts.

Seconded. I'm using certbot under CentOS 7 for postfix/dovecot. It's in epel and was easy to set up.

galen

--
Galen Seitz
gal...@seitzassoc.com
Re: [PLUG] Favorite Certificate Authorities
Letsencrypt++. Free, good browser coverage, easy administration with certbot or equivalent.

On Wed, Sep 5, 2018, 11:11 Alexandre Bedard wrote:
>
> On 9/5/2018 10:59 AM, Paul Heinlein wrote:
>> So what CAs do you all favor these days?
>
> Have you tried https://letsencrypt.org/ ?
>
> Free, publicly trusted SSL certificates. One of the differences between this and traditional commercial CA's is that the certificate is due for renewal every 90 days, but you can automate the process with certbot-auto and cron. I use LetsEncrypt certificates a lot and use Puppet to deploy the renewed certificates to all my hosts.
>
> Alex
Re: [PLUG] Favorite Certificate Authorities
On 9/5/2018 10:59 AM, Paul Heinlein wrote:
> So what CAs do you all favor these days?

Have you tried https://letsencrypt.org/ ?

Free, publicly trusted SSL certificates. One of the differences between this and traditional commercial CA's is that the certificate is due for renewal every 90 days, but you can automate the process with certbot-auto and cron. I use LetsEncrypt certificates a lot and use Puppet to deploy the renewed certificates to all my hosts.

Alex