
Let's Encrypt experience


Let's Encrypt experience

»Q«
My host, Dreamhost, added automated support for Let's Encrypt
certificates about a month ago, and I just got around to giving them a
try.  

As promised, it's simple and quick;  one click to add a cert,
another one to check the box to accept LE's ToS, and a third click to
finish.  

Dreamhost immediately adds a self-signed certificate, then switches to
the LE cert once it's been issued.  For a new domain, this took a few
hours;  I think the LE process can't go forward until the domain starts
showing up in LE's dns queries.  For an existing domain (already in
dns), the self-signed cert was replaced with an LE one within a few
minutes.

Once the LE cert is in place, anyone can access the site via https
rather than http, so if that's all you want, you're done after those
three clicks.  Disabling http takes a little more work, not much.  My
host uses Apache, so what follows is for Apache .htaccess files.

To simply forbid https connections, this will work in .htaccess:

  Require ssl

That will just deny access (403 Forbidden) to any non-https attempt to
connect.  The recipes that use that also set up the root index page as
the page that gets served when there's a 403, so anyone trying to
connect to any page via http gets redirected to the site's home page
using https.  ISTM that's probably ok for a new domain, but for an
existing domain with http links already in the wild, redirecting users
to the home page would cause confusion.  I guess it would make more
sense to use 403 for things like login pages.

Instead of denying all http access, you can use mod_rewrite to redirect
anyone requesting http://example.com/path/to/resource.htm to
https://example.com/path/to/resource.htm :

  RewriteEngine On
  RewriteBase /
  RewriteCond %{HTTPS} !=on
  RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]

There are a couple of other ways to do the RewriteRule, but they amount
to the same thing.  301 is "Moved Permanently";  some recipes I saw use
302 (Found) instead.  At first, I made the mistake of putting that
rule below other rewrite rules;  it should come before any others.
_______________________________________________
general mailing list
[hidden email]
https://lists.mozilla.org/listinfo/general
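An added example, not code from the thread or from Dreamhost: a complete .htaccess for the http-to-https redirect described in the post above, with the checks a reviewer would want alongside the rule. It assumes Apache 2.4 with mod_rewrite and mod_headers enabled and an AllowOverride that permits them in .htaccess; example.com stands in for the site's canonical hostname and is an assumption.

```apache
# Added example (not from the thread): force https for example.com and send
# HSTS. Assumes Apache 2.4, mod_rewrite, mod_headers, and an AllowOverride
# that lets .htaccess use them. "example.com" is a placeholder hostname.

RewriteEngine On
RewriteBase /

# Leave HTTP-01 validation files reachable over plain http, so certificate
# issuance and renewal do not depend on the https side working (for example
# while a placeholder self-signed certificate is still installed).
RewriteCond %{REQUEST_URI} ^/\.well-known/acme-challenge/
RewriteRule ^ - [L]

# Everything else: permanent redirect to the same path on https.
# The substitution names the canonical host rather than %{SERVER_NAME} or
# %{HTTP_HOST}: with UseCanonicalName Off (the default) SERVER_NAME is taken
# from the client's Host header, so a client-chosen Host would otherwise be
# reflected into the Location header.
# %{REQUEST_URI} is the path only; mod_rewrite appends the original query
# string because the substitution contains no '?'.
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://example.com%{REQUEST_URI} [R=301,L]

# Tell browsers to stay on https for a year. The header only matters on an
# https response, hence the <If>. Add "includeSubDomains" only once every
# subdomain serves https, and "preload" only when submitting to the list.
<If "%{HTTPS} == 'on'">
    Header always set Strict-Transport-Security "max-age=31536000"
</If>
```

Use R=302 while testing: browsers cache a 301, so a mistake in the rule persists for returning visitors until their cache expires. Behind a TLS-terminating proxy or CDN, %{HTTPS} is off on every backend request and this rule loops; key the condition on the proxy's X-Forwarded-Proto header instead. To check the result, request http://example.com/some/page?x=1 with curl -sI and confirm a 301 whose Location keeps both path and query, then confirm that a request under http://example.com/.well-known/acme-challenge/ is answered directly (a 404 for a token that does not exist) rather than redirected.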
Re: Let's Encrypt experience

»Q«
In <news:[hidden email]>,
»Q« <[hidden email]> wrote:

> Instead of denying all http access, you can use mod_rewrite to
> redirect anyone requesting http://example.com/path/to/resource.htm to
> https://example.com/path/to/resource.htm :
>
>   RewriteEngine On
>   RewriteBase /
>   RewriteCond %{HTTPS} !=on
>   RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]

I meant to add that people whose browsers use Windows XP's certificate
handling aren't able to verify Let's Encrypt certs.  The LE people are
trying to figure out why and do something about it, but I couldn't
follow any of it.  It affects Windows XP users of IE and Chrome (but
not Firefox, which has its own cert checking).  One workaround (I'm not
using one, coz I don't care if XP IE users are locked out) is adding
another rewrite condition excluding XP users from being redirected.

  RewriteEngine On
  RewriteBase /
  RewriteCond %{HTTPS} !=on
  RewriteCond "%{HTTP_USER_AGENT}" "!(Windows\ NT\ 5\.1|Windows\ NT\ 5\.2)" [NC]
  RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]


Re: Let's Encrypt experience

Sailfish-4
In reply to this post by »Q«
My bloviated meandering follows what »Q« graced us with on 2/15/2016
12:30 PM:

> My host, Dreamhost, added automated support for Let's Encrypt
> certificates about a month ago, and I just got around to giving them a
> try.
> ...

Sweet! +1

--
Sailfish
Rare Mozilla Stuff: http://tinyurl.com/lcey2ex
Re: Let's Encrypt experience

Ant-21
On 2/15/2016 7:04 PM, Sailfish wrote:
...
> Sweet! +1

"What does mine say?" +1 to answer it right. ;) [grin]
--
"This isn't a war. It never was a war, any more than there's war between
man and ants." --artilleryman from H.G. Wells' The War of the Worlds
Note: A fixed width font (Courier, Monospace, etc.) is required to see
this signature correctly.
    /\___/\         Ant(Dude) @ http://antfarm.ma.cx (Personal Web Site)
   / /\ /\ \                Ant's Quality Foraged Links: http://aqfl.net
  | |o   o| |
     \ _ /        If crediting, then use Ant nickname and AQFL URL/link.
      ( )              Chop ANT from its address if e-mailing privately.
Ant is currently not listening to any songs on this computer.
Re: Let's Encrypt experience

Sailfish-4
In reply to this post by Sailfish-4
My bloviated meandering follows what »Q« graced us with on 2/18/2016
8:30 PM:

> In <news:[hidden email]>,
> Sailfish <[hidden email]> wrote:
>
>> Sweet! +1
>
> I'm glad it was helpful, or at least reassuring.  :)
>
> A little more trivia:
>
> I just added LE certs for the rest of my subdomains, so I was
> editing .htaccess files again.  I noticed some new directories on the
> server, [site root]/.well-known/acme-challenge/ , with some hashes in
> them.  I did just enough searching to find out they're part of how the
> LE server verifies the domain really is under the control of the agent
> which has requested the cert, so they have to stay there and be public.

REF:
http://www.zdnet.com/article/lets-encrypt-reaches-one-million-certificate-encryption-milestone/

"Let's Encrypt has reached a personal milestone in its quest to better
secure the Web with one million free TLS certificates now issued to
webmasters who wish to better secure their domains."

Must be nice to know you're one in a million, to someone :_)

--
Sailfish
Rare Mozilla Stuff: http://tinyurl.com/lcey2ex
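An added example, not from the thread: a .htaccess that keeps the [site root]/.well-known/acme-challenge/ directory »Q« describes above anonymously readable, as HTTP-01 validation requires, without opening up every other dotfile and dot-directory under the document root. It assumes Apache 2.4 with mod_alias, mod_rewrite and mod_autoindex usable from .htaccess (AllowOverride including Options and FileInfo); the token character class follows the base64url token format of RFC 8555.

```apache
# Added example (not from the thread). Assumes Apache 2.4 with mod_alias,
# mod_rewrite and mod_autoindex available in .htaccess. Goal: the ACME
# challenge tokens stay public, everything else hidden stays hidden.

# No directory listings: the validator asks for each token by name and has
# no need to enumerate the directory.
Options -Indexes

# Answer 404 for hidden files and directories (.htaccess, .git/, .env, ...)
# anywhere under the document root, except the .well-known tree. The
# negative lookahead is PCRE syntax, which httpd's regex engine supports.
RedirectMatch 404 "/\.(?!well-known/)"

<IfModule mod_rewrite.c>
    RewriteEngine On
    # Challenge tokens are base64url strings written by the ACME client.
    # Serve them as the static files they are and stop rule processing,
    # so no front controller (index.php and the like) or other rewrite
    # further down this file can intercept the validation request.
    RewriteRule ^\.well-known/acme-challenge/[A-Za-z0-9_-]+$ - [L]
</IfModule>
```

Verify from outside the host: a request for a path such as /.git/config or /.htaccess should return 404, while a token file placed in .well-known/acme-challenge/ should come back with 200 and its contents unchanged. Other published files under .well-known/ (security.txt, for instance) are left alone by this configuration.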
Re: Let's Encrypt experience

Sailfish-4
In reply to this post by Sailfish-4
My bloviated meandering follows what Sailfish graced us with on
2/15/2016 7:04 PM:

> My bloviated meandering follows what »Q« graced us with on 2/15/2016
> 12:30 PM:
>> My host, Dreamhost, added automated support for Let's Encrypt
>> certificates about a month ago, and I just got around to giving them a
>> try.
>> ...
>
> Sweet! +1
>
I realized I'm a laggard wrt this, but it was low on my priority list and
I kept adding stuff on top of it. Anyway, since Fx 52 today now flags the
http protocol as non-secure, I decided it was time to fix and enable
https for my domains and sub-domains. And, yes, it was quite simple to
enable it, so I'm a bit embarrassed I waited. I've not yet disabled my
http protocol, but I've put it on my list ... Yes, the same list and,
shamefully, near the bottom :-)

Anyway, thanks for the heads up.

--
Sailfish
Rare Mozilla Stuff: http://tinyurl.com/zoqw3qe