[Chugalug] Lets Encrypt - Chugalug.org


[Chugalug] Lets Encrypt - Chugalug.org

Mike Harrison-4

As I’m starting to crawl out from underneath a rock (of my own making) and re-enter the (public geeky) world, I’m doing some cleanup on things that need it. Including Chugalug.org.

It’s now SSL Encrypted thanks to the EFF and LetsEncrypt.org.

If anyone notices anything weird, please let me know.

Side note: First time I’ve played with LetsEncrypt. “CertBot” seems to have done a nice job on the apache .conf file and made it very easy. Impressive. Thanks EFF.




_______________________________________________
Chugalug mailing list
[hidden email]
http://chugalug.org/cgi-bin/mailman/listinfo/chugalug
Reply | Threaded
Open this post in threaded view
|

Re: [Chugalug] Lets Encrypt - Chugalug.org

Andrew Rodgers-2
Certbot is nice, but make sure you have some free memory reserved for the cron job. It's so all-inclusive and self-updating that it's a lot heavier than it needs to be and will fail on hosts with low free memory. That's bitten me a few times on the one last artisanally administered server I operate.

On Sun, Sep 10, 2017 at 8:36 PM Mike Harrison <[hidden email]> wrote:

Re: [Chugalug] Lets Encrypt - Chugalug.org

Andy Burnett
In reply to this post by Mike Harrison-4
I set up a Lets Encrypt cert on my personal site (https://burnett.cc), and you better believe I felt like this guy after I finally figured out how to make it work...

http://i.imgur.com/zYWEpuv.gif


Re: [Chugalug] Lets Encrypt - Chugalug.org

Dave Brockman
In reply to this post by Andrew Rodgers-2
On 9/11/2017 8:50 AM, Andrew Rodgers wrote:

I prefer a lighter touch that just handles the cert business; security/acme-client works well on FreeBSD for me. I set up the nginx conf file(s) myself, then cron takes care of the rest.

Regards,

dtb


Re: [Chugalug] Lets Encrypt - Chugalug.org

William D. Roush
In reply to this post by Andrew Rodgers-2

Certbot’s plugin support has been kind of trashy though, having to move from haproxy’s plugin to self-hosted. Bleh.

From: Chugalug [mailto:[hidden email]] On Behalf Of Andrew Rodgers
Sent: Monday, September 11, 2017 8:51 AM
To: Cha. Unix Gnu Android Linux User Group <[hidden email]>
Subject: Re: [Chugalug] Lets Encrypt - Chugalug.org

Re: [Chugalug] Lets Encrypt - Chugalug.org

Mike Harrison-4

From: Chugalug [mailto:[hidden email]] On Behalf Of Andrew Rodgers



in: /etc/cron.d/certbot

#0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew

You mean loading Perl just to get a random sleep is a bad idea?

I changed my crontab entry to behave how I wanted... piping "certbot renew" to a mailer so I'll see how it works, once a week.

I got a laugh out of "artisanally administered". For me, that's the default. All of my boxen are bespoke.


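The renewal wrapper Mike describes, written out as an added example (this is not Mike's crontab and not Debian's packaged entry): it drops the `perl -e 'sleep int(rand(3600))'` jitter for a read from /dev/urandom, keeps the packaged entry's two guards, runs `certbot renew`, and mails the verdict. Assumed, not from the thread: certbot at /usr/bin/certbot, a `mail -s` command, and the script installed as /usr/local/sbin/certbot-renew.sh.

```shell
#!/bin/sh
# Added example, not Mike's actual crontab: a cron wrapper for `certbot renew`
# that replaces the packaged entry's `perl -e 'sleep int(rand(3600))'` jitter
# with a read from /dev/urandom and mails the result once a week.
# Assumed (not from the thread): certbot lives at /usr/bin/certbot, a
# `mail -s` command exists, and the script sits at /usr/local/sbin, with
# this cron.d line in place of the packaged one:
#   0 3 * * 0  root  /usr/local/sbin/certbot-renew.sh --run

# Random delay in [0, max) seconds so a fleet of hosts does not all hit the
# ACME endpoint in the same minute. Two bytes of urandom give 0..65535.
jitter_seconds() {
    max="${1:-3600}"
    r=$(od -An -N2 -tu2 /dev/urandom | tr -d ' ')
    echo $(( r % max ))
}

# Run the renewal command, capture its output and exit status, and print a
# one-line verdict. $1 overrides the command (default: certbot -q renew) so
# the reporting logic can be exercised without a real certbot.
run_renew() {
    cmd="${1:-/usr/bin/certbot -q renew}"
    out=$($cmd 2>&1) && status=0 || status=$?
    if [ "$status" -eq 0 ]; then
        echo "OK: renewal check passed on $(hostname)"
    else
        echo "FAIL (exit $status): $out"
    fi
    return "$status"
}

# Cron entry point. Keeps the packaged entry's guards: do nothing if certbot
# is missing, and skip hosts running systemd, where certbot.timer already
# handles renewal (otherwise the cert would be checked twice). certbot renew
# is a no-op unless a cert is within 30 days of expiry, so weekly is enough.
cron_main() {
    [ -x /usr/bin/certbot ] || return 0
    [ -d /run/systemd/system ] && return 0
    sleep "$(jitter_seconds 3600)"
    report=$(run_renew) || true
    printf '%s\n' "$report" | mail -s "certbot renew: ${report%%:*}" root
}

if [ "${1:-}" = "--run" ]; then
    cron_main
fi
```

A failed renewal still mails (subject starts with FAIL), so a silently broken cron job is noticed before the 90-day certificate lapses.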
Re: [Chugalug] Lets Encrypt - Chugalug.org

Adam Jimerson
In reply to this post by Dave Brockman
I agree with Dave. I'm a big supporter of Lets Encrypt and glad that the EFF, Linux Foundation, et al. got together and made it possible; I'm not a fan of their Certbot, though.

For me, Lego (https://github.com/xenolf/lego), a shell script with a list of domains to generate certs for and an email address to register the certs as, and cron gets the job done.

Another alternative I found, if replacing the webserver is an option you're willing to consider, is Caddy (https://caddyserver.com/), a lightweight web server that is HTTP/2 out of the box and automatically registers and renews Lets Encrypt certs for the domains it serves. It's an open source product that you can download and use for free. Their sponsorship and paid plan is expensive IMO.

On Mon, Sep 11, 2017 at 10:54 AM Dave Brockman <[hidden email]> wrote:

Re: [Chugalug] Lets Encrypt - Chugalug.org

Dr.D

I know some people who are saying Google wants to encrypt everything on the server. I think that would be a lot of extra work on a server.

FYI, the Virtualmin control panel supports Lets Encrypt.

And I have been using it on some sites…

Don


Re: [Chugalug] Lets Encrypt - Chugalug.org

Adam Jimerson
With today's hardware the extra work on the server is a bit moot unless your server(s) is/are completely bogged down as is.

The question that keeps coming up, that I have yet to see a valid response to, is: does every site, including some random Joe's food blog or whatever, really need to be under HTTPS? I'm all for the idea personally, and pro-encryption in general, just trying to see the end goal.

On Tue, Sep 12, 2017 at 9:48 AM Don Peek <[hidden email]> wrote:

Re: [Chugalug] Lets Encrypt - Chugalug.org

Aaron welch
If all sites were more secure, it would remove some of the low-hanging fruit from hackers. Fewer CPUs in a botnet is a win for everyone.

-AW


On Tue, Sep 12, 2017 at 10:15 AM, Adam Jimerson <[hidden email]> wrote:
--
Aaron Welch
Chief Mechanic @ Geek Ventures
423-505-9999
[hidden email]
"Enabling people to do great things with their own ideas."


Re: [Chugalug] Lets Encrypt - Chugalug.org

Adam Jimerson
Agreed, but that comes down more to server/end-device security than transport security. If someone wants to MITM my connection to Joe Smoe's food blog because I wanted his opinion of the Lemon Meringue Pie at the store down the street, and I didn't need to provide any information to request it (no authentication, etc.) other than a GET request initiated by my browser, then that is one thing. If Joe Smoe's blog is hosted on some shitty insecure service, wide open on the net, with stupid, poorly configured services exposed to the public net, that is a whole different issue that needs addressing.

I was mainly pointing out the fact that this is one of the bigger questions I have yet to see an answer for.

On Tue, Sep 12, 2017 at 10:44 AM Aaron welch <[hidden email]> wrote:

Re: [Chugalug] Lets Encrypt - Chugalug.org

Lynn Dixon
DirectAdmin makes LetsEncrypt deployment and renewal really easy for all domains you have managed under it. Renewals are totally automated by the DirectAdmin scripts / cron.

On Sep 12, 2017 11:06 AM, "Adam Jimerson" <[hidden email]> wrote:

Re: [Chugalug] Lets Encrypt - Chugalug.org

Dan Lyke
In reply to this post by Aaron welch
On Tue, 12 Sep 2017 10:44:17 -0400
Aaron welch <[hidden email]> wrote:

It's not just bot nets: those recent buggy AT&T Motorola CPE upgrades loaded a kernel module that enabled MitM stuff, and we've long known that things like hotel WiFi do ad insertion on HTTP traffic.

Which means that even on your own network, you simply don't know if what you're getting in an HTTP stream is what the server sent. Ever.

And with even "legit" local news sources serving up malware ads (I got one this weekend from my local paper that was trying to get me to download some Android malware), more and more we need to know that what we're reading is what the server was sending.

Dan

Re: [Chugalug] Lets Encrypt - Chugalug.org

wes
In reply to this post by Adam Jimerson
There is another factor to this that is a little bit further reaching than the people who just look at the immediate implications usually see.

If we only encrypt sensitive data, it will paint a very large target on that data. If we encrypt everything, a malicious party will have to DEcrypt everything in order to get the good stuff. It just makes their job harder, which is a good thing.

-wes

On Tue, Sep 12, 2017 at 7:15 AM, Adam Jimerson <[hidden email]> wrote: