[ale] Oct News: StartCom, WoSign distrusted by Mozilla, Google, Apple

TxMoose kyle at txmoose.com
Tue Mar 14 11:06:16 EDT 2017


+1 for Let's Encrypt.  It is an excellent solution, as long as you're 
willing to put in an afternoon to:

1. Understand what the platform is and is not for
2. Understand the limitations based on point 1
3. Properly configure your environment/automation, if you have any
4. Set up automation (read: a single cron command) to renew certs
5. Ensure you have audit procedures in place to prune unneeded certs 
when necessary


I personally use LE for all my things, including my NextCloud instance, 
my email server, and my resume.  I have 2 machines that check for expiry 
every Monday at 2AM and replace certs that are within 30 days of 
expiring.  It is entirely automated, and I get emails that tell me what 
was and was not updated.

Let's Encrypt is, hands down, one of the best things that has ever 
happened to the modern internet.

---
Very respectfully,
Kyle Brieden
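
As an added example, not code from the original post: a POSIX shell script in the shape described above, run weekly from cron, that reports how many days each certificate has left and runs a renewal command when anything is within 30 days of expiry. The certificate directory, the renewal command and the script path are assumed placeholders, and the date parsing assumes GNU date (-d).

```shell
#!/bin/sh
# Weekly certificate expiry check for a cron entry such as (assumed path):
#   0 2 * * 1 /usr/local/sbin/check-certs.sh     # Mondays at 02:00
# Cron mails whatever is printed, which gives the "what was and was not
# updated" report. Requires openssl and GNU date (-d) in PATH.
CERT_DIR="${CERT_DIR:-/etc/letsencrypt/live}"   # assumed location of live certs
RENEW_DAYS=30                                    # renew when within 30 days of expiry
RENEW_CMD="${RENEW_CMD:-certbot renew --quiet}"  # assumed renewal command

# days_left NOTAFTER [NOW_EPOCH]: whole days from NOW_EPOCH (default: now)
# until NOTAFTER, given in openssl's "Mon DD HH:MM:SS YYYY GMT" form.
# A negative result means the certificate has already expired.
days_left() {
    end=$(TZ=UTC date -d "$1" +%s) || return 1
    now=${2:-$(date +%s)}
    echo $(( (end - now) / 86400 ))
}

# cert_days_left CERT.pem: days until the certificate's notAfter date.
cert_days_left() {
    end=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//') || return 1
    [ -n "$end" ] || return 1
    days_left "$end"
}

# needs_renewal DAYS: true when inside the renewal window or already expired.
needs_renewal() { [ "$1" -lt "$RENEW_DAYS" ]; }

# Report every certificate, then run the renewal command once if any is due.
main() {
    due=0
    for cert in "$CERT_DIR"/*/cert.pem; do
        [ -f "$cert" ] || continue
        if days=$(cert_days_left "$cert"); then
            if needs_renewal "$days"; then due=1; echo "DUE  $cert ($days days left)"
            else echo "OK   $cert ($days days left)"; fi
        else
            echo "UNREADABLE $cert"
        fi
    done
    [ "$due" -eq 1 ] || { echo "Nothing within $RENEW_DAYS days of expiry."; return 0; }
    if $RENEW_CMD; then echo "Renewal command succeeded."
    else echo "Renewal command FAILED; check its log."; return 1; fi
}
# Only run the report when executed as the script itself.
case "$0" in */check-certs.sh|check-certs.sh) main ;; esac
```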

On 14-03-2017 10:53, Scott Plante wrote:
> Apparently Chrome was just rejecting StartCOM / StartSSL certs issued
> after Oct 2016, but starting with v57 just released, it's rejecting
> all StartSSL certs except Alexa top 1M sites. I started getting
> complaints this morning about our internal mail server. We've been
> using paid SSL for customer stuff, but StartSSL for various domains
> used just by our own people.
> 
> I have paid for, and never minded the StartSSL revocation fee. My
> understanding is that the resources needed to issue a cert are fairly
> low, but the clients across the world constantly checking for
> revocations takes a lot more, hence putting the fee there.
> 
> I see LetsEncrypt / certbot being suggested for free certs now. Has
> anyone tried them or have any thoughts? I suppose now I'm going to
> have to make a move. InCommon isn't an option for us.
> 
> https://letsencrypt.org/
> https://certbot.eff.org/
> 
> Scott
> 
> -------------------------
> 
> FROM: "Jim Kinney" <jim.kinney at gmail.com>
> TO: "Atlanta Linux Enthusiasts - Yes! We run Linux!" <ale at ale.org>
> SENT: Monday, January 30, 2017 5:05:46 PM
> SUBJECT: Re: [ale] Oct News: StartCom, WoSign distrusted by Mozilla,
> Google, Apple
> 
> Yes. All the work stuff that public sees is InCommon. All the work
> stuff for department only is self signed from our CA.
> 
> For the stuff that really matters, it's self-signed, private CA and
> client certs as well.
> 
> On Jan 30, 2017 5:00 PM, "Lightner, Jeffrey"
> <JLightner at dsservices.com> wrote:
> 
>> Self signed certificates may work for purely internal setups but for
>> web services presented to the outside world they seldom do.
>> 
>> If I were to go to emory.edu [1] and it asked me to accept a self
>> signed certificate rather than one from a well known CA I’d
>> probably abandon the connection on the theory it was a spoof.   One
>> doesn’t buy certificates because of a desire to spend money –
>> one buys certificates so others can reasonably trust (based on the
>> CA) the certificate is valid.
>> 
>> Even if I knew and trusted someone at Emory who could provide me
>> with the root certificate on the servers there I’d likely not
>> bother to import it just due to the annoyance factor.   Having to
>> install root certificates for well known CAs is all well and good.
>> Having to install them for everyone that decides they want to self
>> sign would be an administrative nightmare.
>> 
>> On checking just now it appears Emory uses a specific CA called
>> “InCommon” apparently built specifically for .edu sites.
>> 
>> FROM: ale-bounces at ale.org [mailto:ale-bounces at ale.org] ON BEHALF OF
>> Jim Kinney
>> SENT: Monday, January 30, 2017 4:30 PM
>> TO: Atlanta Linux Enthusiasts - Yes! We run Linux!
>> SUBJECT: Re: [ale] Oct News: StartCom, WoSign distrusted by Mozilla,
>> Google, Apple
>> 
>> All of my certs are self signed from my own CA. If you don't trust
>> them, you don't need to be there anyway.
> 
> 
> 
> Links:
> ------
> [1] http://emory.edu
> 

