The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

  • My badges

  • Twitter Updates

  • My Flickr Stream

  • Pages

  • All categories

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 1,887 other followers

Archive for the ‘Let’s Encrypt (letsencrypt/certbot)’ Category

Installing Let’s Encrypt Free SSL/TLS Certificate in 2 Minutes with Certbot, Spending Hours Making it Work with Cloudflare

Posted by jpluimers on 2019/03/06

If I ever need to get LetsEncrypt to work with CloudFlare, then I need to read [WayBackInstalling Let’s Encrypt Free SSL/TLS Certificate in 2 Minutes with Certbot, Spending Hours Making it Work with Cloudflare

The steps there should save me hours.

Via [WayBcack] Free Let’s Encrypt SSL/TLS certificates are even easier to install than self-signed certificates. I could do so in 2 minutes in my +Linode … – Jean-Luc Aufranc – Google+.

–jeroen

Posted in Encryption, Let's Encrypt (letsencrypt/certbot), Power User, Security | Leave a Comment »

If parts of your letsencrypt renewals succeed and others give you “urn:acme:error:connection” then just retry

Posted by jpluimers on 2018/12/10

On the same server, part of my letsencrypt renewals worked fine, while others had an error like this:

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/spring4d.4delphi.com.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for spring4d.4delphi.com
Waiting for verification...
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/spring4d.4delphi.com.conf produced an unexpected error: Failed authorization procedure. spring4d.4delphi.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Error getting validation data. Skipping.
...
 - The following errors were reported by the server:

   Domain: spring4d.4delphi.com
   Type:   connection
   Detail: Error getting validation data

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

A retry worked fine:

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/spring4d.4delphi.com.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for spring4d.4delphi.com
Waiting for verification...
Cleaning up challenges
...
The following certs were successfully renewed:
  /etc/letsencrypt/live/spring4d.4delphi.com/fullchain.pem (success)

–jeroen

Posted in Encryption, Let's Encrypt (letsencrypt/certbot), Power User, Security | Leave a Comment »

Nice thread starting on the current state of CAs promoting OV/EV instead of doing innovation, with many comments on how to properly use LetsEncrypt

Posted by jpluimers on 2018/08/24

[Archive.isThread by @sleevi_: “It’s a real shame that CAs have gotten so high off their own supply, that they’ve become blind to the real problems they cause by p… – Kristian Köhntopp – Google+

On CAs: [Archive.is] Thread by @sleevi_: “It’s a real shame that CAs have gotten so high off their own supply, that they’ve become blind to the real problems they cause by promoting OV/EV. It’s almost as if they believe that 1988 had all the solutions, and we’ve been declining since then. Example: Let’s say we accept that organizational identity is a valuable component. Coupling it to TLS is terrible, because it encourages all the bad practices we see – such as making it hard to obtain or automate certificates, discouraging key rotation, extending cert lifetime […]”

–jeroen

Twitter thread:

 

Posted in Encryption, Let's Encrypt (letsencrypt/certbot), Power User, Security | Leave a Comment »

Packet Sender is a good tool when debugging protocols: free utility to send & receive network packets. TCP, UDP, SSL

Posted by jpluimers on 2018/03/07

It was fitting to bump into [WayBack] Packet Sender is a good tool when debugging protocols…” Written by Dan Nagle… – Lars Fosdal – Google+ on the day presenting [WayBack] Conferences/Network-Protocol-Security.rst at master · jpluimers/Conferences · GitHub

It also means that libssh2-delphi is getting a bit more love soon and will move to github as well after a conversion from mercurial.

Some of the things I learned or got confirmed teaching the session (I love learning by teaching):

Here is some more info:

–jeroen

Read the rest of this entry »

Posted in Communications Development, Delphi, Development, Encryption, HTTP, https, HTTPS/TLS security, Internet protocol suite, Let's Encrypt (letsencrypt/certbot), OpenSSL, Power User, Security, Software Development, TCP, TLS | Leave a Comment »

ACME TLS-SNI-01 validation disabled due to vulnerability – Incidents – Let’s Encrypt Community Support

Posted by jpluimers on 2018/01/11

Now that so many sites depend on LetsEncrypt: maybe it is time for a second one.

We’ve received a credible report of a problem with ACME TLS-SNI-01 validation which could allow people to get certificates they should not be able to get. While we investigate further we have disabled tls-sni-01 validation. We’ll post more information soon.

Source: [Archive.isACME TLS-SNI-01 validation disabled due to vulnerability – Incidents – Let’s Encrypt Community Support

Via:

–jeroen

Posted in Encryption, Let's Encrypt (letsencrypt/certbot), Power User, Security | Leave a Comment »

 
%d bloggers like this: