You never need to buy another SSL certificate ever again, as Let's Encrypt now provides Wildcard certificates. So one certificate will work with all subdomains you control!
Free SSL Wildcard Certificates - with Let's Encrypt. Available Now, Forever
Last edited 14/03/2018 - 09:37 by 1 other user
Comments
who (really) needs an EV cert?
Not you.
who (really) needs an EV cert?
EV…last time I looked LE don't even support OV certs! OV should always be the bare minimum for any site that should be trusted with your personal details or anything eCommerce related. The problem with an OV cert over a DV cert is that there is no clear visible difference to non-technical folk that clearly identify a company has at least gone to some effort to validate their domain for OV certificates. EV certs stand out at least. I issued about 5 EV certs in the last year and they're pretty standard in finance for your critical customer login pages such as Internet banking. But they can be stupidly expensive and its just all about the optics of the company name in the URL bar; apparently it gives customers the warm and fuzzies.
What's all these acronyms?
@Zachary:
While I haven't read it, after some searching:
https://en.wikipedia.org/wiki/Public_key_certificate#Validat…
Clearly someone who knows nothing about SSL has downvoted you :( Let's Encrypt isn't the best system for EVERYTHING. Just like a wooden door versus a steel door.
Lets Encrypt's certificates verify that your connection is encrypted, and cannot be intercepted by a 3rd party.
Other certificates actually verify (to various degrees) the identity of the website that you are connecting to. This way you are sure that, say, NAB.com.au is actually NAB the bank and not a phishing site.
@TrevBargn:
Letsencrypt also verifies (to various degrees) that you are who you are connecting to. With letsencrypt you still have to go through verification, so it's not like anyone can obtain a certificate for any domain. Letsencrypt verification is not as rigorous as EV but on par with other certificates. I think a letsencrypt certificate is more secure because of the short expiry, which leads to more frequent verification.
@TrevBargn: That's not correct, the bare minimum of an SSL cert is to verify the identity of the domain. Encryption is pointless without domain identity confirmation.
@TenaciousTom: Well, sort of. It verifies that the SSL certificate matches the domain - it can't do anything else..
One of the larger problems that LE is introducing is phishing sites using legit SSLs. You can end up on a super dodgy URL, but have Chrome throw up "Secure" and think everything is rosy.
Not that there is anything that can be done (besides making people smarter….)
@ryang: if we want more people to be able to access https, that's the downside.
@ryang:
People with profitable fishy dodgy scammy web sites can afford $10 for a single domain SSL certificates available everywhere - nothing is stopping them from doing it right now. But a lot of people whose web sites are not making any money could not justify extra cost of certificates. Let's encrypt is a huge help there.
That and Google started the whole,not using an SSL certificate? Oh ok well rank you lower.
Facebook app development also requires an SSL.
As you said, if you're not making money or its a hobby, buying an SSL certificate wasn't really justifiable.
@Zachary:
WATA ? IDK, IDK, IDGAF
An Extended Validation (EV) certificate is one that's issued when the Certificate Authority has performed more than bare minimum identification checks on the organisation requesting a certificate for its website. You can see that a website has an EV cert when the name of the organisation appears next to the green lock in Firefox, and it's meant to provide greater confidence to visitors that the website is operated by the claimed organisation.
or if you need to sign code
For LE wildcard certs?
I don't understand, have these been available for quite a while? Or is the technology old?
I've been using LE since early last year, but the wildcard certs are new
Handy for people with oodles of subdomains, but not so much for multiple servers..
What's the problem w/ multiple servers ?
Only one server can generate the wildcard, so you have to export/import to every other server that needs it. Powershell would help with this, sure, but it's not bulletproof.
Reverse Proxy might help ?
eg - HAProxy / nginx or AWS ELB / ALB or Azure Load Balancer or just IIS ARR
@tofu_soldier: Yep, that'd certainly work.. I was thinking more about multiple servers offering up different subdomains in multiple locations. But for that kind of setup I'd just let each server manage its own LE cert/renewal.
¯\_(ツ)_/¯
Short expiry but just couple it with lets encrypt 9 beta and set and forget with auto renew.
Less cron jobs! Yay!
Certbot is your friend.
So long as you dont use IIS
Who uses IIS… Yuck.
Oh yeah right…. All the dot com boom devs who still believe the only way to build enterprise applications is with .NET :S
Who is the root with?
Let's Encrypt is a root CA.
I can't seem to find the CA record in default Win/Android/IOS. I dont think they are a root CA themselves but probably onsells other Roots. Otherwise its no point if you have to do CA management yourself. Might as well set up your own CA if that's the case. lol
Cross-signed with Identrust, but LE’s roots should be trusted by now.
I use them fine on Android/iOS/Win, have done for over a year - never had an issue yet.
DST Root CA X3
No idea what this does but I want it. But how do i get it?
It's for people who run multiple sub domains on one domain. Like if you had… pizza.ozbargain.com.au, mobiles.ozbargain.com.au
But you could have always gotten individual free ssl certicates from letsencrypt.org anyways. So this is mainly for convenience, if you have too many sub domains and you don't want to get individual certificates for each one.
Kinda useless for most people.
Use an ACME client with DNS validation. Easiest one is acme.sh and use something like Amazon Route 53
Wildcard SSLs. A few years ago these things were selling for $150/yr.
GoDaddy Wildcard SSL now costs $459/yr.
RapidSSL costs around $249/yr.
Why is it free?
Because security is for everyone.
The real reason was :
"Beginning in July 2018 with the release of Chrome 68, Chrome will mark all HTTP sites as “not secure”."
https://blog.chromium.org/2018/02/a-secure-web-is-here-to-st…
Rather the opposite I think. I think you will find that Lets Encrypt was the reason Google decided to do this, as up until Lets Encrypt announced wildcard certs it really wasn't feasible for Google to ask this of all sites; the cost of certs was far too expensive for Google to ask this of customers.
Except for facebook users
There’s a push to make the Web encrypted-by-default. Pretty soon, if your site doesn’t support HTTPS, browsers will display a big, ugly warning that the site is insecure.
But what about non-profit or personal sites? That’s the point of Let’s Encrypt. It allows them to get SSL certificates to secure the site for free, meaning nobody has an excuse to not use HTTPS.
you will need to modify DNS TXT records in order to demonstrate control over a domain
I am not a newbie in RHEL administration and DNS, but I have no idea what it means or how to do it.
Hate to break it to you but you are… TXT records are a standard part of DNS, along with A, MX, etc.
It seems you are right :)
A TXT record (short for text record) is a type of resource record in the Domain Name System (DNS) used to provide the ability to associate arbitrary text with a host or other name, such as human readable information about a server, network, data center, or other accounting information.
Clearly you are a n00b if you don't know what DNS TXT record is…
Most people won't manually do this, but will setup their systems to automate it. You can use acme.sh for example
Just wondering if someone could tell me the use case for this? It will still require renewal every 3 months, so it's not like you get set it up for the parent domain and "set and forget" all the child domains to not need the renewal clients
You can pretty easily set up a script or cron job to try and renew every week or so. Then it's set and forget
No problem there, except some hosts which don't have an ACME client. I imagine that even with a wildcard autorenewing on another host automatically, the host without an ACME client will still need manual certificate replacement?
Yes that's right. But you can automate that too :)
Don't use shitty hosts. Lets Encrypt has been around long enough; if a host doesn't provide in cPanel or WHM the facility to request and auto-renew Lets Encrypt certs, change hosts.
@oz-stef: I'm using it for some IIS servers, not shared webhosting
If only I had it that easy!
Online forms,
server cert requests,
multiple days wait
billing authorisation
endless people sticking their fingers in
And that is the new streamlined Symantec system!
XXXX.qld.gov.au domain
You poor bugger. That'll be the taxpayer money at work, making sure that you don't slack off and do something sensible.
The site has a comprehensive list of software that automate renewal. If you have a lot of child domains, then hopefully you are also running a site configuration management system to push changes to hosts.
Yeh, it's a pretty limited use case, but I imagine there was enough people requesting it..
The short certificate validity is at the core of the Lets Encrypt philosophy.
If your hosting provider does not support automatic Let's Encrypt certs with a single button click by now, you really need to ask yourself if you want to be paying them for hosting your site(s). Personally, I would request Let's Encrypt support and if the hosting provider did not deliver the feature with two to three months, I'd move elsewhere.
@peteru: lol webhosting
…except when your host still refuses to let you automate the process.
Without shell access it's still very inconvenient.
Here's a list of hosts that seemingly support it intrinsically (no shell access required): https://community.letsencrypt.org/t/web-hosting-who-support-…
Yeah I'm aware of that list, but thanks for the link anyway.
I should clarify that my complaint is with regards to hosts removing a built in feature of cPanel (AutoSSL), which already allows free 90 day Comodo certs without the need for Let's Encrypt at all. My host "accidentally" left this feature on for a while before deciding it's not in their business interests.
It's hard to encourage the world to make all web forms use SSL when the big companies still make it an optional additional cost. Or even worse, take it away.
Have you tried acme.sh? It supports Amazon Route 53, Azure DNS, OVH, etc.
Strictly speaking, acme.sh still requires shell access, but the shell doesn't have to be running on the same host serving HTTPS.
Ask your webhost management team to re-enable it. If they refuse then you should name and shame them.
No. Free wildcard certs have never been available until today. Previously they have been over a hundred dollars each
Will this allow us to create SSLs for sites hosted on Github Pages (with custom domains)?
Not sure, but I believe you can use your domain with Cloudflare's free plan which comes with SSL cert.
https://blog.cloudflare.com/secure-and-fast-github-pages-wit…
Thanks heaps! :-)
sweet! i was tired of having a list of subdomains in my certbot ini file. now i can do away with those extra characters saving valuable space!
nah seriously - whenever i add a new app at home i have to make a new subdomain for it and go through getting new certificates so this makes my life much easier. thanks for the heads up!
Geekiest OzBargain post and comments ever?
hmmm.. well.. do I need these certs… ? Yes… no … Don't know…
I mean, you don't need to "rush in and buy this asap" and it doesn't get OzBargain'd lol.
I use this script to maintain all of mine: https://github.com/Neilpang/acme.sh
This + a cron job and I haven't had to worry about them for a good 6+ months.
How long did the process take to get your cert?
The process itself - about 60 seconds.. :D
You'll need some previous knowledge and a capable system first though.
This deal is for wildcard certs… available from today
I wouldn't call it a "deal", but yes, I obviously overlooked the wildcard bit. Mea culpa.
Crazy Domains would not use Let's Encrypt certs last time I tried. I had to pay for their ones.
FYI:
Siteground look after Let's Encrypt renewals for you, automatically.
have you tried again?
Yep not in their list
https://community.letsencrypt.org/t/web-hosting-who-support-…
Last time I checked Crazy Domains it wasn't a fair price for the SSL certificate specially because we are a NFP.
Maybe it's time for us to switch.
They charged me $30 / Year for the SSL Cert. Not bad if you only have 1 domain, but if you have more it is expensive.
yeah not bad, I just checked their website, it's now $23.88/yr without EV, maybe I'll get one :D
Any deals on Code Signing Certificate?
Do these certs work for Microsoft Exchange and TMG 2010 servers?
I should imagine so, if you want to manually update them every month or so.
Work, yes. Auto renew, not easily. There are some powershell scripts around that claim to work, but they're hit n miss.
For an Exchange server, just buy a cert. It's only ~$20/year..
May I know which provider gives a UCC for $20?
https://www.gogetssl.com/multi-ssl/multi-domain-ssl/
~$16USD/year for 2 years, depending on current conversion rate.
@ryang:
thanks mate
can some1 tell me how to actually generate a certificate so I can apply it to IIS myself?
Unless you need EV.