The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

  • My badges

  • Twitter Updates

  • My Flickr Stream

  • Pages

  • All categories

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 2,157 other followers

Archive for the ‘Let’s Encrypt (letsencrypt/certbot)’ Category

SSL certificates – not optional | Open Query Pty Ltd

Posted by jpluimers on 2020/09/04

Some tips on using the certbot for Let’s Encrypt and the support for wildcard certificates through DNS updates: [WayBack] SSL certificates – not optional | Open Query Pty Ltd

–jeroen

Posted in Encryption, HTTPS/TLS security, Let's Encrypt (letsencrypt/certbot), Power User, Security | Leave a Comment »

Expect your sites to be accessed over https and ensure your certificates match

Posted by jpluimers on 2020/05/22

igOver the last lustrum, there has been a steady increase in https usage. It crossed the 30% mark early 2016, crossing the 50% mark early 2017 and 80% mark early 2018, even the https-by-default configuration is now pretty large:

Ever since 2012, but especially with the increased HTTPS adoption, you can expect more and more users to run plugins like HTTPS Everywhere – Wikipedia which switch a request from insecure http to secure https.

Users are right: http is a thing from the past and https is the way to go forward.

This means you need to ensure your web sites to serve https well, which starts with servicing https at all and includes serving a correct https certificate for them.

Often, IT departments are not even aware that when serving http for a domain, the endpoint also answers https requests for that domain.

WordPress.com was really bad at this when servicing custom domains ordered from their premium plans. Which was odd, as customers payed for those domains. They solved this in spring 2016, they started to use LetsEncrypt (which started in 2015) for their certificates: [WayBack] HTTPS Everywhere: Encryption for All WordPress.com Sites — The WordPress.com Blog.

So this is what you need to do for all your subdomains:

  1. check if they are serviced by http
  2. contemplate (in fact urge to) servicing https for them
  3. when an endpoint services https, ensure the certificates for it are correct
  4. do not mix https and http in the same site
  5. avoid redirecting from https to http

Adopting https can be tedious, but many sites have already done this and wrote down their experiences, even back in 2016:

Many sites still get their https configuration wrong though, and this post is a reminder to myself for one of them.

Read the rest of this entry »

Posted in Encryption, HTTPS/TLS security, Let's Encrypt (letsencrypt/certbot), Power User, Security | Leave a Comment »

Viewing certbot installed certificates and their expiry dates

Posted by jpluimers on 2020/01/24

A simple tip on the certbot command-line from [WayBackUser Guide — Certbot 0.19.0.dev0 documentation – Managing certificates (Automatically enable HTTPS on your website with EFF’s Certbot, deploying Let’s Encrypt certificates.):

To view a list of the certificates Certbot knows about, run the certificates subcommand:

certbot certificates

This returns information in the following format:

Found the following certs:
  Certificate Name: example.com
    Domains: example.com, www.example.com
    Expiry Date: 2017-02-19 19:53:00+00:00 (VALID: 30 days)
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem

Via: [WayBack] It there a command to show how many days certificate you have? – Server – Let’s Encrypt Community Support

–jeroen

Posted in Encryption, Let's Encrypt (letsencrypt/certbot), Power User, Security | Leave a Comment »

if you allow users to register email addresses on your domain, make sure they can’t get: admin@ administrator@ hostmaster@…

Posted by jpluimers on 2019/12/16

Great tip from: [Archive.isMichal Špaček on Twitter: “Friendly reminder: if you allow users to register email addresses on your domain, make sure they can’t get: admin@ administrator@ hostmaste… https://t.co/wUHXrQC2J0”:

 Friendly reminder: if you allow users to register email addresses on your domain, make sure they can’t get:
  • admin@
  • administrator@
  • hostmaster@
  • postmaster@
  • webmaster@ (and others from RFC 2142)

otherwise users might be able to get an HTTPS certificate for your domain.

–jeroen

Read the rest of this entry »

Posted in Encryption, https, Let's Encrypt (letsencrypt/certbot), Power User, Security | Leave a Comment »

Running a feature branch from the letsencrypt certbot

Posted by jpluimers on 2019/09/27

So I won’t forget; the steps below based on and assumes ~/Versioned is the directory where you keep repositories in:

# cd ~/Versioned
# git clone https://github.com/certbot/certbot.git
...
# cd certbot
# git fetch --all
Fetching origin
# git checkout alt_override
Branch 'alt_override' set up to track remote branch 'alt_override' from 'origin'.
Switched to a new branch 'alt_override'
# ./certbot-auto --os-packages-only
OS packages installed.
# ./tools/venv.sh
... very long log ...
Please run the following command to activate developer environment:
source venv/bin/activate
# source ./venv/bin/activate
[venv] # venv/bin/certbot renew --force-renewal

–jeroen

Posted in Encryption, Let's Encrypt (letsencrypt/certbot), Power User, Security | Leave a Comment »

 
%d bloggers like this: