SSL/TLS Certificates: Self-Signed, Let's Encrypt, Etc


#1

Yeah, the soluion is to create your own CA and sign whatever server certificates you need (this is what I do with my own sites). You get the benefit of self-signed certificates without dealing with a third-party issuer. You add the root CA to your iOS device and any apps that use the native APIs for verification will simply work.

But, yes, it’s annoying to have to change stuff that always worked in the past. :frowning:


A quick question about mobile themes
#2

Or, assuming said home server is accessible from outside your home network, just use LetsEncrypt for SSL certificates. They’re free, and it’s easy to automate the renewal. No need for your own CA, and the upstream one that signs their CA cert is trusted in all major OS/browsers for years now.


#3

Meaning, install and enable a third party repository so I can run third party software so a third party can sign off on my certificate that only I use. Rather than just run the 6 line script I wrote myself.

What a winning option.

I get that you mean well, and I appreciate your efforts. I’ve gone rounds with Tiberius about this already. I don’t expect his opinion to change, and mine’s not going to, either. I’ll simply no longer use his software.


#4

What’s wrong with LetsEncrypt?


#5

People do not know about it or find it hard to use? …


#6

#7

The former is in part why I keep on mentioning it in this context.

The latter is really not true, certainly once the initial setup is done. At most you might need to automate putting the new cert files in the right place for your web server of choice. I attempt renewals weekly (no harm if nothing is due yet, i.e. within 30 days of the 90 day lifetime expiring) and the script that does that detects relevant new files and ensures they go in the right place and things are reloaded if necessary (I use LetsEncrypt certs for SMTP and IMAP as well).

And I set most of that up a year or more ago, I’m sure the initial setup has gotten easier since then. For me this is easier than having to roll your own CA and figure out how to get that onto all relevant devices, and trusted by them.


#8

We’re already way off-topic in this thread, but I’ll point out that you should be careful if you do this. Make sure each service (HTTPS, SMTP, etc.) has a different certificate and private key. Being lazy and just using the same certificate makes you vulnerable to DROWN.


#9

I don’t think so:

“The DROWN attack is a cross-protocol security bug that attacks servers supporting modern TLS protocol suites by using their support for the obsolete, insecure, SSL v2 protocol to leverage an attack on connections using up-to-date protocols that would otherwise be secure”

Who still has SSL v2 active ? The dovecot in Debian doesn’t even know about SSLv2 any more, nor does its Exim4.


#10

DROWN has to do with using SSLv2, Athanasius also never said he was using the same certificate and private key for different services, so this warning is quite off-topic indeed.


#11

Straight from Wikipedia (emphasis mine):

To protect against DROWN, server operators need to ensure that their private keys are not used anywhere with server software that allows SSLv2 connections. This includes web servers, SMTP servers, IMAP and POP servers, and any other software that supports SSL/TLS.

If you’re running mail or anything else, setting the protocols and ciphers should be a normal part configuring. We do it with web servers and we should do it with email, too.


#12

Indeed I do not, although for Reasons[tm] (mostly due to using the http method of verification to obtain the certs, I should look into the DNS method) an alternate name is shared with an HTTPS certificate.

I can see how my wording could have lead to such a mis-reading though.


#13

I set up my main web server a couple years back, it’s been autorenewing ever since. And yeah, the initial setup is easier than it was… I used that script I linked above recently on a different project… and honestly had a “that’s all there is to make it work???” moment… lol


#14

It has indeed gone much easier with certbot even configuring nginx for you. I find it trivial to do but then again, I am not clueless… :slight_smile: Most of the time.