[nmglug] lets encrypt

Andres Paglayan andres at paglayan.com
Thu Jun 9 16:14:15 PDT 2016


On 02/15/2016 12:09 PM, Sam Noble wrote:
> On Mon, Feb 15, 2016 at 10:36:36AM -0700, Sam Noble wrote:
>> On Sat, Feb 13, 2016 at 12:02:11PM -0700, Jason Schaefer wrote:
>> This is super-cool. I didn't think this would work on dreamhost
>> shared-hosting anytime soon, and it totally does.
>>
>> Thanks mozilla, eff, dreamhost etc!
> Somebody do the pondering for me, I have questions about general use of
> Let's Encrypt (or any automated TLS cert renewal setup) regarding best
> practice for ensuring I'm getting as much out of the TLS encryption
> model as I can. And additional questions in the case of $WEBHOST (or any
> service provider) managing certs for their users.
>
> I love that I can have encrypted connections without paying or forcing
> visitors to be clicking on "Yeah I know that the cert is unsigned" in
> browsers (or worse not being able to use an https api with android
> programs.)
>
> But what's due diligence for my part of this transaction? I run a script
> on my webserver or click a button on dreamhost's page and suddenly I get
> free TLS? Great if that's all it takes but I'm skeptical.
>
> So for any LE user there are a few issues: the Let's Encrypt model has
> short duration certs, so they'll be changing often. How am I supposed to
> keep track of when they've changed? Do I need to?  Should I keep track
> of some identifier of LE's Certificate Authority and verify that's the
> one being used to sign my LE certs?
>
> And then the much bigger leap comes with the setup I'm actually using.
> Obviously using a cheap shared web-hosting account like the one I have
> has plenty of risks with respect to how much I can trust the software I
> run there, I have to trust their admins in lots of cases, as one does on
> any machine where someone else has root. (And physical access, and legal
> ownership, etc.)
> Great, but I don't have access to the private TLS key, I don't know who
> else has access to the private key on my sites.
>
> I'm thinking this is still a huge improvement over plaintext HTTP right?
> Weren't there a bunch of nasty tricks that we learned about from that
> guy Edward, that are thwarted just by HTTPS regardless of the quality of
> the TLS used?
>
> Plus even in a hotel full of staff that all carry master keys, locking
> your door is often still a good idea right?
>
> But has anyone been trolling LE or Dreamhost forums and mailinglists and
> have quick answers to all my concerns?
>
We are using Let's Encrypt on some of our commercial sites,
and the setup was very straightforward.
We use nginx; this is a step-by-step guide.
A cron job re-requests the certs every 90 days:
https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-14-04
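
The questions above about keeping track of when the cert changes and whether the expected CA signed it are answered well by a second cron job that runs alongside the renewal one. The script below is an added example, not code from the post, the DigitalOcean guide or any Let's Encrypt client. It fetches the certificate the server actually serves (with SNI set, so a shared host returns the right cert), summarises it with the openssl CLI, and reports three things: whether renewal is due (certbot's own default is to renew once fewer than 30 days remain, so a 90-day cadence gives no margin for a failed run), whether the issuer organisation is the one you expect, and whether the SHA-256 fingerprint differs from the one recorded on the previous run. The expected issuer organisation, the state-file path and the sample openssl output are assumptions; the fingerprint in the sample is constructed.

```python
"""Cron check of a served TLS certificate: renewal due? expected issuer?
leaf changed since last run?  Added example; EXPECTED_ISSUER_ORG,
STATE_FILE and SAMPLE_SUMMARY are assumptions, not values from the post."""
import json
import re
import subprocess
import sys
from datetime import datetime, timezone
from pathlib import Path

EXPECTED_ISSUER_ORG = "Let's Encrypt"               # assumption: the CA you enrolled with
STATE_FILE = Path("/var/lib/certcheck/state.json")  # assumption: remembered fingerprints
RENEW_THRESHOLD_DAYS = 30                           # certbot's default renewal window

# Constructed sample of `openssl x509 -noout -subject -issuer -enddate
# -fingerprint -sha256` output in OpenSSL 1.0 layout; the fingerprint is fake.
SAMPLE_SUMMARY = """\
subject= /CN=example.com
issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
notAfter=Sep  7 15:14:00 2016 GMT
SHA256 Fingerprint=A1:B2:C3:D4:E5:F6:07:18:29:3A:4B:5C:6D:7E:8F:90:A1:B2:C3:D4:E5:F6:07:18:29:3A:4B:5C:6D:7E:8F:90
"""


def utc(iso):
    """'2016-06-09T16:14:00' -> aware UTC datetime (for deterministic tests)."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


def parse_x509_summary(text):
    """Split each line on its first '=' so both 'subject= /CN=x' (OpenSSL 1.0)
    and 'subject=CN = x' (1.1+) layouts parse; notAfter is returned as UTC."""
    fields = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip().lower()] = value.strip()
    not_after = fields["notafter"]
    if not_after.endswith(" GMT"):
        not_after = not_after[:-4]
    expiry = datetime.strptime(not_after, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
    return {"subject": fields.get("subject", ""), "issuer": fields.get("issuer", ""),
            "not_after": expiry, "fingerprint": fields.get("sha256 fingerprint", "").upper()}


def days_until_expiry(not_after, now):
    return (not_after - now).days


def renewal_due(not_after, now, threshold_days=RENEW_THRESHOLD_DAYS):
    return days_until_expiry(not_after, now) < threshold_days


def issuer_matches(issuer, org=EXPECTED_ISSUER_ORG):
    """True if the issuer DN carries O=<org> as a whole RDN, whether written
    '/C=US/O=x/CN=y' or 'C = US, O = x, CN = y'."""
    normalized = re.sub(r"\s*=\s*", "=", issuer)
    pattern = r"(?:^|[/,])\s*O=" + re.escape(org) + r"(?=$|[/,])"
    return re.search(pattern, normalized) is not None


def check_cert(summary_text, now, previous_fingerprint=None):
    """One report for cron; 'changed' is False on the first run (no baseline)."""
    info = parse_x509_summary(summary_text)
    changed = (previous_fingerprint is not None
               and previous_fingerprint.upper() != info["fingerprint"])
    return {"subject": info["subject"], "fingerprint": info["fingerprint"],
            "days_left": days_until_expiry(info["not_after"], now),
            "renew": renewal_due(info["not_after"], now),
            "issuer_ok": issuer_matches(info["issuer"]), "changed": changed}


def fetch_summary(host, port=443):
    """Fetch the leaf presented for this SNI name; needs network + openssl CLI."""
    hello = subprocess.run(["openssl", "s_client", "-connect", f"{host}:{port}",
                            "-servername", host], input=b"", capture_output=True, timeout=20)
    x509 = subprocess.run(["openssl", "x509", "-noout", "-subject", "-issuer", "-enddate",
                           "-fingerprint", "-sha256"], input=hello.stdout,
                          capture_output=True, check=True)
    return x509.stdout.decode()


def main(argv):
    if len(argv) != 2:
        print("usage: certcheck.py HOST", file=sys.stderr)
        return 2
    host = argv[1]
    state = json.loads(STATE_FILE.read_text()) if STATE_FILE.exists() else {}
    report = check_cert(fetch_summary(host), datetime.now(timezone.utc), state.get(host))
    print(json.dumps({"host": host, **report}, indent=2))
    STATE_FILE.parent.mkdir(parents=True, exist_ok=True)
    state[host] = report["fingerprint"]
    STATE_FILE.write_text(json.dumps(state))
    # Non-zero exit makes cron mail you; a fingerprint change alone is expected
    # right after a renewal and is only reported, not treated as a failure.
    return 1 if (report["renew"] or not report["issuer_ok"]) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it daily from cron as `certcheck.py example.com`; the expiry check fires well before the renewal job would have let the cert lapse, the issuer check catches a cert that was replaced by something you did not enrol for, and the fingerprint comparison tells you exactly which day the leaf changed, which on shared hosting is the only signal you get that somebody (you, the host's automation, or anyone else with the key) re-issued it.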
