Re: [Hampshire] HTTPS Certificate problem

Author: Paul Tansom
Date:  
To: hampshire
Subject: Re: [Hampshire] HTTPS Certificate problem
** Samuel Penn via Hampshire <hampshire@???> [2017-02-08 15:36]:
> On Tuesday 07 Feb 2017 11:20:12 Paul Tansom via Hampshire wrote:
> > ** Imran Chaudhry via Hampshire <hampshire@???> [2017-02-07 07:52]:
>
> > > +1 for letsencrypt.org - I recently switched to HTTPS for all my
> > > hosted server domains and was very happy to find a "letsencrypt"
> > > package for Debian that automated the entire process. It even
> > > auto-renews the cert for you.
> >
> > ** end quote [Imran Chaudhry via Hampshire]
> >
> > Seconded, I've been using Letsencrypt for a while now (just checked and it
> > looks as though I signed up back in November 2015), and I've had no problems
> > in that time. I used to use StartSSL and the manual renewal and install was
> > a pain, particularly if you'd managed to let your personal account
> > certificate expire and lost access to the certificates you already had
> > (thankfully I managed to merge the accounts I had when they did a system
> > upgrade a while back).
>
> I'm also using Let's Encrypt, and I'm really happy with it. I've had two
> issues with it though.
>
> First, was that my original websites were behind a proxy/firewall that
> didn't allow HTTP (only HTTPS) access, and the auto-setup didn't work due
> to not being able to call back. I've since moved away from that setup,
> and with a more normal environment it all worked first time.
Yes, I've got that issue with a couple of servers I run internally. I haven't
quite decided how to proceed with it yet; the servers are internal servers, so
I could quite reasonably use self-signed certificates, but I've had a couple of
issues with doing that in some cases - the main one being sharing a Keepass
database between machines. That works fine with Dropbox, but I want to move it
through to my Nextcloud box, which will be internally hosted, and the Keepass
client on Android doesn't like connecting to a self-signed https instance (well
it would, but I have to accept all certificates rather than add an exception
just for the one server, which doesn't feel right). I could open things up to
the internet, possibly even only when I do the renewal checks, but I'm not
entirely happy about putting my internal DNS entries on a public server, it
seems wrong having private addresses on public servers!

> Second, was that if you install the script manually, and run the cron
> with the recommended --no-self-upgrade option, then it doesn't update
> itself. I have had it fall far enough behind that the script then stops
> working and fails to update your certificates. Running it manually
> without the --no-self-upgrade flag fixed that relatively quickly, but
> I need to make sure the script gets updated regularly.
I had that once, but decided to let the script update itself. I was getting
emails from the cron job anyway so I would see the update happen; it now emails
as part of the script so I had to disable my own email when I found I was
getting two each time! I'm still running on the manual install, but I see there
are some Letsencrypt packages in the Ubuntu repositories now (not caught up
with the fact that it is Certbot now!), so I'm not sure how that will impact
things - I may try it when I upgrade my server to 16.04.

** end quote [Samuel Penn via Hampshire]

--
Paul Tansom | Aptanet Ltd. | https://www.aptanet.com/ | 023 9238 0001
Vice Chair, FSB Portsmouth & SE Hampshire Branch | http://www.fsb.org.uk/
=============================================================================
Registered in England | Company No: 4905028 | Registered Office: Ralls House,
Parklands Business Park, Forrest Road, Denmead, Waterlooville, Hants, PO7 6XP
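Added example, not part of the thread or of the Let's Encrypt client: a small POSIX shell check, built on `openssl x509 -checkend`, that flags certificates close to expiry so a separate cron job catches the case described above where the renewal script has silently stopped working. The certificate paths and the 30-day threshold are assumptions.

```shell
#!/bin/sh
# Independent certificate-expiry check (constructed example).
# Run it from cron alongside the renewal job; it does not depend on the
# renewal client being up to date, so a stalled renewal still gets noticed.

# cert_expires_within FILE DAYS
#   exit 0 if the PEM certificate in FILE expires within DAYS days
#   (or has already expired), 1 if it is valid beyond that window,
#   2 if the file cannot be parsed.
cert_expires_within() {
    cert="$1"
    secs=$(( $2 * 86400 ))
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 || return 2
    # -checkend returns 0 when the cert will still be valid after SECS
    if openssl x509 -in "$cert" -noout -checkend "$secs" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# check_certs DAYS FILE...
#   prints one warning line per certificate expiring within DAYS;
#   exit 0 if all are fine, 1 if any need attention.
check_certs() {
    days="$1"; shift
    rc=0
    for f in "$@"; do
        cert_expires_within "$f" "$days"
        case $? in
            0) echo "WARNING: $f expires within $days days"; rc=1 ;;
            2) echo "WARNING: cannot read certificate $f"; rc=1 ;;
        esac
    done
    return $rc
}

# Typical cron usage (paths assumed): check_certs 30 /etc/letsencrypt/live/*/cert.pem
if [ $# -gt 0 ]; then
    check_certs 30 "$@"
fi
```

Cron already mails the output, so a non-empty run is the alert; pair it with `MAILTO` or pipe to your preferred notifier.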
