logo
Apache Lounge
Webmasters

 


About

Forum Index Downloads Search Register Log in  RSS Apache Lounge
 



Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Apache Lounge is not sponsored by anyone.

Your donations will help to keep this site alive and well, and continuing the building of the binaries.



Let’s Encrypt - Apache - Windows
Goto page Previous  1, 2
 
Post new topic   Reply to topic    Apache Forum Index -> Other Software



View previous topic :: View next topic  
Author Message
o6asan



Joined: 27 Aug 2015
Posts: 40
Location: Japan, Fukuoka

PostPosted: Fri 28 Oct '16 15:23    Post subject: Reply with quote

Hi,
I found I can use Elliptic curve Diffie–Hellman kx easily by Let's Encrypt. So, I changed my certs kx. For that, I still use dehydrated (former name letsencrypt.sh).
here

And, I tested a configuration SSLLABS gives 100% results.
It's too strict, so not practical, though. Mr. Green
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 6128
Location: Germany, Next to Hamburg

PostPosted: Sat 12 Nov '16 22:49    Post subject: Reply with quote

Well with 90 days Public Key Pinning (HPKP) seems to be obsolete. Or does anyone know how still to use it?
Back to top
jimski



Joined: 18 Jan 2014
Posts: 184
Location: USSA

PostPosted: Fri 30 Dec '16 0:51    Post subject: Reply with quote

After hacking several free certs I decided to pay $4.99 and just buy a certificate from this website https://cheapsslsecurity.com/

Yes it is not free but you get one big advantage. The certificate is actually issued by Comodo so you can put on your website a nice Comodo security trust seal Smile
Back to top
Jan-E



Joined: 09 Mar 2012
Posts: 713
Location: Amsterdam, NL, EU

PostPosted: Thu 12 Jan '17 23:59    Post subject: Reply with quote

Steffen wrote:
Saw a new one that should solve renew issues:

https://github.com/Lone-Coder/letsencrypt-win-simple/pull/299

It was my time to renew and I had to do it manually. Strange that this PR still is not merged.
Back to top
C0nw0nk



Joined: 07 Oct 2013
Posts: 234
Location: United Kingdom, London

PostPosted: Fri 17 Mar '17 2:14    Post subject: Reply with quote

jimski wrote:
After hacking several free certs I decided to pay $4.99 and just buy a certificate from this website https://cheapsslsecurity.com/

Yes it is not free but you get one big advantage. The certificate is actually issued by Comodo so you can put on your website a nice Comodo security trust seal Smile


The SSL certs you hacked where or where not from letsencrypt.org ?

I would say use Letsencrypt.org because of the regularity of the SSL certificate updates and the automated nature of it.

If you buy a SSL cert it may last a year but in that time if its been cracked or anything of that sort the effects of it will be happening for the length of time its valid and it is also a manual process to update it. It's better the certificate expires regularly and is more dynamic.

It's easier, re-validated more regularly and automated especially if you have allot of sites that require SSL to use letsencrypt.

You don't need to manualy go buy and update something that should be and already is free. No matter how cheap companies push their price down to.

Even Cloudflare issues SSL for free now this year is set to be the year SSL becomes mandatory apparently even search engines to prioritise links via secured over unsecured.

Firefox,Google and other web browsers are also helping in the push to a fully secured web via their unsecured page and login form notification messages now.


The one question on all our minds is when will pornhub finally after years of saying it will move to https.
They do a 301 Permanent redirect to unsecured connections because they are crazy I guess. (Should only do 302 and 303 to prevent caches and future problems with crawlers, browsers, search engines etc)
http://feedback.pornhub.com/forums/184663-pornhub-feedback-and-suggestions/suggestions/6702181-get-an-ssl-certificate-please
Back to top
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2067
Location: Sun Diego, USA

PostPosted: Fri 17 Mar '17 19:32    Post subject: Reply with quote

C0nw0nk wrote:
The one question on all our minds is when will pornhub finally after years of saying it will move to https.

Hmmm, that is the least of my questions, in fact I do not even care. No mine is more when are they going to allow us to use something other than port 80 to verify the domain?

Not everybody has 80 open to them. My ISP blocks 80 so I cannot use the software to make it automated if that software finally works properly to begin with. If it at least had the option of using 443 (regardless of a self-signed or expired certificate), I'd be good to go with Lets Encrypt.

So Jimski's link I am thinking about myself when I have to renew my 90 day Lets Encrypt cert next month. Besides, I'm not securing state secrets nor would I with just a DV certificate in the first place.

And if in that one year my cert gets compromised, with unlimited reissues I just get a new one and have the old revoked.
Back to top
C0nw0nk



Joined: 07 Oct 2013
Posts: 234
Location: United Kingdom, London

PostPosted: Fri 17 Mar '17 21:08    Post subject: Reply with quote

I also checked on ApacheLounge seems here we are LetsEncrypt users too.

https://www.ssllabs.com/ssltest/analyze.html?d=www.apachelounge.com&s=80.101.236.247

Quote:

Issuer: Let's Encrypt Authority X3
AIA: http://cert.int-x3.letsencrypt.org/
Back to top
C0nw0nk



Joined: 07 Oct 2013
Posts: 234
Location: United Kingdom, London

PostPosted: Sat 18 Mar '17 1:04    Post subject: Reply with quote

I am also curious how @steffen here at ApacheLounge you got the following https://github.com/Lone-Coder/letsencrypt-win-simple/pull/299#issuecomment-253143459

Steffen wrote:
@o6asan Thanks for the pointers. Running now on Apache Lounge.

Used letsencrypt-win-simple 1.9.1

Steffen wrote:
Saw a new one that should solve renew issues:

https://github.com/Lone-Coder/letsencrypt-win-simple/pull/299


To restart apache when it automatically renews the cert ?

Is there a command line argument or script I have missed or don't see here.

I can see it can create the certificates and renew them automatically but apache needs to be told to restart when ever a new certificate and key is updated in the directory. How do you do this ?
Back to top
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 2472
Location: Hilversum, NL, EU

PostPosted: Sat 18 Mar '17 11:03    Post subject: Reply with quote

Do all manual.
Back to top
C0nw0nk



Joined: 07 Oct 2013
Posts: 234
Location: United Kingdom, London

PostPosted: Sun 19 Mar '17 17:48    Post subject: Reply with quote

Steffen wrote:
Do all manual.


Well I have been seeing if there is some way to make it work without the outside manual interference perhaps some people who are also command line enthusiasts like myself would enjoy the opportunity to help Smile

Code:
title LetsEncrypt SSL auto-renew and setup
:loop
@echo off

C:\Users\root\Desktop\letsencrypt\letsencrypt.exe --renew --accepttos --san --centralsslstore C:\CentralCertificateStore\ --manualhost networkflare.com,www.networkflare.com --webroot C:\Domain\networkflare\

rem command line here to restart apache after the certificates are ready

rem do a if modified check first etc

timeout /t 60 /NOBREAK >NUL
goto loop
pause>nul


I put this together so far and my plan once it was working was to add to windows task scheduler to make windows task scheduler run this script.
Back to top
Jan-E



Joined: 09 Mar 2012
Posts: 713
Location: Amsterdam, NL, EU

PostPosted: Sun 19 Mar '17 18:47    Post subject: Reply with quote

I do not see why the loop is needed. Just run this command one time every day, using the task scheduler:

Code:
C:\Users\root\Desktop\letsencrypt\letsencrypt.exe --renew --accepttos --san --centralsslstore C:\CentralCertificateStore\ --manualhost networkflare.com,www.networkflare.com --webroot C:\Domain\networkflare\


If your letsencrypt only applies to one domain you should run another task every 59 or 60 days:

Code:
C:\Apache24\bin\httpd.exe -n Apache2.4 -k restart


If your letsencrypt applies to more domains with different renewal times, you can add this command to the letsencrypt renewal task (and restart apache every day).
Back to top
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2067
Location: Sun Diego, USA

PostPosted: Tue 21 Mar '17 23:58    Post subject: Reply with quote

Semi-off topic but for forward secrecy you should be restarting Apache every day anyway.
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 6128
Location: Germany, Next to Hamburg

PostPosted: Wed 22 Mar '17 11:27    Post subject: Reply with quote

glsmith wrote:
Semi-off topic but for forward secrecy you should be restarting Apache every day anyway.


True for security. But that kills the PHP cache each time. it would be nice if a graceful restart would not kill the fcgid processes.
Back to top
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2067
Location: Sun Diego, USA

PostPosted: Wed 22 Mar '17 19:40    Post subject: Reply with quote

From my readings IIRC TLS/1.3 should fix this as each connection has it's own whatever-it-is that Apache generates only once on start-up.
Back to top
C0nw0nk



Joined: 07 Oct 2013
Posts: 234
Location: United Kingdom, London

PostPosted: Sun 09 Apr '17 17:56    Post subject: Reply with quote

So there is news.

https://security.googleblog.com/2016/10/distrusting-wosign-and-startcom.html

https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/

https://blog.qualys.com/ssllabs/2017/04/05/ssl-labs-distrusts-wosign-and-startcom-certificates

So we use Let's encrypt and our certificates are more trusted than the companies that are dishing out paid certificates.
Back to top
Jan-E



Joined: 09 Mar 2012
Posts: 713
Location: Amsterdam, NL, EU

PostPosted: Sun 09 Apr '17 18:21    Post subject: Reply with quote

Something alike happened to Symantec:
https://arstechnica.com/security/2017/03/google-takes-symantec-to-the-woodshed-for-mis-issuing-30000-https-certs/
Back to top
C0nw0nk



Joined: 07 Oct 2013
Posts: 234
Location: United Kingdom, London

PostPosted: Sun 09 Apr '17 20:58    Post subject: Reply with quote

I agree with them getting blocked when you pay for something you expect it to be worth the money.

Even like the Symantec statement says "127 certificates" that it still a large number. Even one certificate would be to many for a so called security company. I find it bad they say that as if that justifies it and makes it perfectly ok and acceptable what they are doing.

The beauty of letsencrypt comes in with self signed certificates is that they are domain verified.

And considering Let's encrypt is backed by Google and for free enforces customer trust that their reputation is on the line.

https://letsencrypt.org/sponsors/

Who backs those SSL companies that charge everyone a ton of money ?
And when they are becoming more and more careless and proven to be untrustworthy. I like seeing the fact they are getting punished for all the customers they put at risk. They seem happy enough to take money.

Cloudflare issues SSL for free it is becoming more and more common perhaps they don't like the word "FREE" and see themselves going out of business.
Back to top


Post new topic   Reply to topic    Apache Forum Index -> Other Software Goto page Previous  1, 2
Page 2 of 2