O/T: LetsEncrypt
There are a lot of IT types on here whom I thought would be interested in this (if they don't know about it already). LetsEncrypt is a new certificate authority that allows for web admins to automate the process of issuing and renewing SSL/TLS certificates for their sites. As of today, it's open to the public.
Neat stuff! Anyone using it yet? edit: forgot to mention that it's entirely free and open-source, and sponsored by many tech titans, including Mozilla, Cisco, and Facebook, as well as the EFF.
Very, very cool.
I was unaware of this, but... sweet.
I guess I will be moving off self-signed certificates real soon now!
I heard about it a couple days ago, but as I don't run a website I don't care personally. However this is good news overall for the Internet because anyone can now build a secure website and not have to worry about paying CA's. It's really good for web designers and ultimately customers from developing nations who can't easily make purchases over the Internet.
Update: I used LetsEncrypt yesterday to generate a certificate for the Linux box in my house. It was pretty painless.
LetsEncrypt uses plugins to automate the process. They have ones for Apache and nginx, but the nginx one is still experimental. The Apache one will install the certificate for you and configure Apache to use it. So, I used the "standalone" plugin, in which LetsEncrypt starts its own webserver. The authenticator machine on the internet connects to LetsEncrypt's server and makes sure that a pre-agreed URL on the server returns a certain value. Then it issues the certificates and stores them in /etc/letsencrypt/live. I manually configured nginx with the resulting certificates and got a green padlock saying my connection was authenticated by Lets Encrypt Certificate Authority X1. Total process took about 20 mins of reading the manual. Once you know what you are doing, it will take all of 60 seconds to issue/renew certificates. Automatic renewal is coming in the nearish future, they say. Super cool service and very welcome. As a side note, you can also get a free domain certificate from StartSSL, but their process is the traditional, manual one.
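The standalone flow described in the post above (the CA's validator fetches a pre-agreed URL on your server and checks for an exact value), modelled as an added example that is not from the original thread or from the Let's Encrypt client itself. It runs a tiny challenge responder on localhost and a validator that fetches from it the way the CA's validation server does. The account key, the token and the loopback port are constructed values; the key-authorization format (token, a dot, then the RFC 7638 thumbprint of the account key) is ACME's, not something the thread states.

```python
"""Model of the ACME HTTP challenge behind the standalone/webroot methods.

The CA's validator fetches http://<domain>/.well-known/acme-challenge/<token>
and requires the body to equal the key authorization: <token>.<account-key-thumbprint>.
Everything below is constructed for illustration (fake account key, loopback server).
"""
import base64
import hashlib
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError, URLError
from urllib.request import urlopen

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME/JOSE use it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required members."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """Exact body the challenge URL must return."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


class ChallengeHandler(BaseHTTPRequestHandler):
    """Minimal 'standalone' responder: answers only for registered tokens, 404 otherwise."""
    challenges: dict = {}  # token -> key authorization, set by serve_challenges()

    def do_GET(self):
        if self.path.startswith(CHALLENGE_PREFIX):
            token = self.path[len(CHALLENGE_PREFIX):]
            body = self.challenges.get(token)
            if body is not None:
                data = body.encode("ascii")
                self.send_response(200)
                self.send_header("Content-Type", "application/octet-stream")
                self.send_header("Content-Length", str(len(data)))
                self.end_headers()
                self.wfile.write(data)
                return
        self.send_response(404)
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def serve_challenges(challenges: dict, port: int = 0) -> HTTPServer:
    """Start the responder on 127.0.0.1; port 0 lets the OS pick a free port."""
    ChallengeHandler.challenges = challenges
    server = HTTPServer(("127.0.0.1", port), ChallengeHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def validate_challenge(host: str, port: int, token: str, expected: str, timeout: float = 3.0) -> bool:
    """What the CA's validator does: fetch the URL and require an exact match."""
    url = f"http://{host}:{port}{CHALLENGE_PREFIX}{token}"
    try:
        with urlopen(url, timeout=timeout) as resp:
            return resp.status == 200 and resp.read().decode("ascii", "replace").strip() == expected
    except (HTTPError, URLError, OSError):
        return False


def demo() -> tuple:
    """Register one token, validate it, then show unknown tokens and wrong bodies are rejected."""
    fake_account_jwk = {"kty": "RSA", "e": "AQAB", "n": "constructed-not-a-real-modulus"}
    token = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed sample token
    challenges = {token: key_authorization(token, fake_account_jwk)}
    server = serve_challenges(challenges)
    try:
        port = server.server_address[1]
        good = validate_challenge("127.0.0.1", port, token, challenges[token])
        unknown = validate_challenge("127.0.0.1", port, "not-registered", "whatever")
        wrong_body = validate_challenge("127.0.0.1", port, token, token + ".someone-elses-thumbprint")
        return good, unknown, wrong_body
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

Run it and `demo()` returns `(True, False, False)`: the registered token validates, an unregistered token gets a 404, and a body that does not match the expected key authorization fails even though the token exists. This is also why the standalone method needs port 80 free (and root to bind it) while the webroot method only needs to drop a file under `/.well-known/acme-challenge/` in a directory your existing web server already serves.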
Originally Posted by gfunkdave
(Post 25812065)
Update: I used LetsEncrypt yesterday to generate a certificate for the Linux box in my house. It was pretty painless.
Yes, there are a couple options: webroot, in which you point it to your server's web root directory, and the full manual, which requires you to manually do everything.
https://letsencrypt.org/howitworks/
https://letsencrypt.readthedocs.org/...g.html#plugins
If you don't want to let the Apache or nginx plugins do anything with your server config, or if you don't want to stop your web server to let LE's Standalone method work, then I'd suggest going with webroot. It will put the keys and certs on your server in /etc/letsencrypt/live, and you can point your web server to them.
Originally Posted by nkedel
(Post 25813755)
Can you use the traditional manual process on LetsEncrypt? Because having done that many times before, it'd be MUCH easier (for me) than futzing with their plugin.
I am not very fond of auto-mumbo-invasion of security-related things. :rolleyes:
Originally Posted by PAX_fips
(Post 25813817)
Also this https://github.com/diafygi/gethttpsforfree
I am not very fond of auto-mumbo-invasion of security-related things. :rolleyes: I don't understand your particular concern on "auto-mumbo-invasion". The LE script needs root access to write to /etc, to write to web server config files if needed, and to bind to a port under 1024. But the whole thing is open source, so you can read through it and find out what it's doing. Personally, I trust the EFF and LE more than I would trust, say, Microsoft or Apple.
The automode client updates itself (or tries so) every time it runs - so it would be a constant audit effort.
Just doesn't fit my style. Edit/Add: the LE client needs a lot of software installed, which I don't see fit for an exposed system like webservers.
Originally Posted by PAX_fips
(Post 25813900)
The automode client updates itself (or tries so) every time it runs - so it would be a constant audit effort.
Just doesn't fit my style. Edit/Add: the LE client needs a lot of software installed, which I don't see fit for an exposed system like webservers.
Wow, that was easy (especially compared to others, like StartSSL). Just installed a cert for my Apache server. Other than the 90-day expiration policy, what's the catch?
Originally Posted by nerd
(Post 26497668)
Wow, that was easy (especially compared to others, like StartSSL). Just installed a cert for my Apache server. Other than the 90-day expiration policy, what's the catch?
Just make sure you set an automated task to renew the certificate.
Originally Posted by nerd
(Post 26497668)
Wow, that was easy (especially compared to others, like StartSSL). Just installed a cert for my Apache server. Other than the 90-day expiration policy, what's the catch?
Also, they do domain validation only. That's perfectly good for most people. Extended Validation certificates, where the certificate issuer actually verifies your identity (and not just that you control that domain), cost a LOT more money, but usually only certain entities need that. Otherwise these certificates are essentially as good as the ones you'd pay good money for.
Originally Posted by bbtrvl
(Post 26499984)
Otherwise these certificates are essentially as good as the ones you'd pay good money for.
Personally, I prefer the latter - but each to their own.