Best CA for SSL Certificates

JaredBusch

@travisdh1 said in Best CA for SSL Certificates:

@EddieJennings said in Best CA for SSL Certificates:

I did look at it once before, but I can't remember why we didn't use it (I think it had to do with needing a wildcard cert). But in the future ...

What is the deal with people thinking they need a wildcard cert when using Let's Encrypt? You can add as many subdomains onto the cert they create for you as you like, no need for a wildcard if you're going to use Let's Encrypt!

Because the only way to have a single never changing cert is a wildcard.

The people that need a wildcard are usually in an organization with active development and managing LE would be a nightmare. Or a massive org with tons of stuff where a single wildcard can be put on all servers instead of every server having a variation of some few certs from LE.

There are very, very good reasons to use a wildcard cert for people that do more than you little dozen servers.

People are used to being able to get a wildcard from their CA. Free or not. LE not even having that option is the oddity here. Now LE is this way for a very good reason, but that does not negate the fact that every prior CA operated differently than LE.

dbeato

We use Godaddy and Let's Encrypt.

jrc

My first question here would be what type of certs? For DV certs, then I'd say go with LE like everyone says. But if you need EV or Wildcard then you'll need to buy some. I suggest DigiCert.

Stay the hell away from Register.com for certs. Their customer support is horrid and they just re-sell certs and do not allow their customers to speak to the actual CA for support, so any issues take forever to get solved.

scottalanmiller

@jrc said in Best CA for SSL Certificates:

Stay the hell away from Register.com ...

period.

Emad R

@scottalanmiller

but how for the life of me I am unable to get valid SSL certficate on webserver running centos 6.8 with apache.

The issue is that this server does not have domain, people access it using it is private IP:
192.168.1.139

How can I create an SSL for IP internal server, some users fail to click Advanced then proceed to this website in Google Chrome.

And this internal server will remain internal and their is no need for it to be on WAN or the internet currently or the near future, what are my options ? even adding the certificate on users machines in Windows Trusted root certificate does not work for some reason, and is there any other option besides adding the certificates manually, can I use Wild Card SSL cert for this scenario ?

travisdh1

@msff-amman-Itofficer You're probably seeing apps that do not use the Windows certificate management, Chrome would be one example. Those apps will need the certificate added as well.

coliver

@msff-amman-Itofficer said in Best CA for SSL Certificates:

@scottalanmiller

but how for the life of me I am unable to get valid SSL certficate on webserver running centos 6.8 with apache.

The issue is that this server does not have domain, people access it using it is private IP:
192.168.1.139

How can I create an SSL for IP internal server, some users fail to click Advanced then proceed to this website in Google Chrome.

And this internal server will remain internal and their is no need for it to be on WAN or the internet currently or the near future, what are my options ? even adding the certificate on users machines in Windows Trusted root certificate does not work for some reason, and is there any other option besides adding the certificates manually, can I use Wild Card SSL cert for this scenario ?

Why are they accessing it via IP address? Seems like it would be much more beneficial to use DNS, it will be easier for users and you won't run into this certificate issue.

travisdh1

@coliver said in Best CA for SSL Certificates:

@msff-amman-Itofficer said in Best CA for SSL Certificates:

@scottalanmiller

but how for the life of me I am unable to get valid SSL certficate on webserver running centos 6.8 with apache.

The issue is that this server does not have domain, people access it using it is private IP:
192.168.1.139

How can I create an SSL for IP internal server, some users fail to click Advanced then proceed to this website in Google Chrome.

And this internal server will remain internal and their is no need for it to be on WAN or the internet currently or the near future, what are my options ? even adding the certificate on users machines in Windows Trusted root certificate does not work for some reason, and is there any other option besides adding the certificates manually, can I use Wild Card SSL cert for this scenario ?

Why are they accessing it via IP address? Seems like it would be much more beneficial to use DNS, it will be easier for users and you won't run into this certificate issue.

Ah, I missed that part. @coliver is correct.

WLS-ITGuy

I have set two of my sites to use Let's Encrypt now. I have it set to redirect http to https. I would assume I disable http on the site so that it doesn't allow that traffic, yes?

JaredBusch

@WLS-ITGuy said in Best CA for SSL Certificates:

I have set two of my sites to use Let's Encrypt now. I have it set to redirect http to https. I would assume I disable http on the site so that it doesn't allow that traffic, yes?

If you are redirecting, you have no need to disable http. You can of course. But then you also do not need the redirect.

scottalanmiller

Jared is correct, redirection is only a thing if HTTP is up and running.

BRRABill

@WLS-ITGuy said in Best CA for SSL Certificates:

I have set two of my sites to use Let's Encrypt now. I have it set to redirect http to https. I would assume I disable http on the site so that it doesn't allow that traffic, yes?

That is actually a good question.

If you are redirecting, does http need to be open on the firewall, since the original traffic is coming in on it?

scottalanmiller

@BRRABill said in Best CA for SSL Certificates:

@WLS-ITGuy said in Best CA for SSL Certificates:

I have set two of my sites to use Let's Encrypt now. I have it set to redirect http to https. I would assume I disable http on the site so that it doesn't allow that traffic, yes?

That is actually a good question.

If you are redirecting, does http need to be open on the firewall, since the original traffic is coming in on it?

Yes, if HTTP isn't there and working, how can it do the redirect?

BRRABill

@scottalanmiller said in Best CA for SSL Certificates:

@BRRABill said in Best CA for SSL Certificates:

@WLS-ITGuy said in Best CA for SSL Certificates:

I have set two of my sites to use Let's Encrypt now. I have it set to redirect http to https. I would assume I disable http on the site so that it doesn't allow that traffic, yes?

That is actually a good question.

If you are redirecting, does http need to be open on the firewall, since the original traffic is coming in on it?

Yes, if HTTP isn't there and working, how can it do the redirect?

Magic, of course.

NashBrydges

@JaredBusch I setup a cert for a Windows server just this morning using this...

https://github.com/Lone-Coder/letsencrypt-win-simple

Absolutely flawless on initial cert binding and scheduled task creation for renewal. Guess I'll have to wait the 89 days to see if renewal works as easily as the initial setup did.

JaredBusch

@NashBrydges said in Best CA for SSL Certificates:

@JaredBusch I setup a cert for a Windows server just this morning using this...

https://github.com/Lone-Coder/letsencrypt-win-simple

Absolutely flawless on initial cert binding and scheduled task creation for renewal. Guess I'll have to wait the 89 days to see if renewal works as easily as the initial setup did.

Assuming that it works like certbot and the standard LE renew conf files are used, it should renew at 90 days.

JaredBusch

@NashBrydges said in Best CA for SSL Certificates:

@JaredBusch I setup a cert for a Windows server just this morning using this...

https://github.com/Lone-Coder/letsencrypt-win-simple

Absolutely flawless on initial cert binding and scheduled task creation for renewal. Guess I'll have to wait the 89 days to see if renewal works as easily as the initial setup did.

Just looked at that project and realized I looked at it back in December. Not stable enough for my tastes based on reading the pull requests and open issues.

Danp

@JaredBusch said in Best CA for SSL Certificates:

Yeah, Windows just is not there yet. Someone will get a solid application wrote eventually.

Ran across Certify for Windows just now. Anybody tried it yet?

IRJ

@Danp said in Best CA for SSL Certificates:

@JaredBusch said in Best CA for SSL Certificates:

Yeah, Windows just is not there yet. Someone will get a solid application wrote eventually.

Ran across Certify for Windows just now. Anybody tried it yet?

Here's the GitHub page for it.

https://github.com/webprofusion/certify

It looks cool, but I'd be wary to use in anything even close to production. I might try it on a secluded test server, since the project is in alpha.

IRJ

This line on GitHub about the project makes me even more weary:

Time spent on developing Certify is extremely limited. If you have a bug or feature and you can fix the problem yourself please just:

File a new issue
Fork the repository
Make your changes
Submit a pull request, detailing the problem being solved and testing steps/evidence
If you cannot provide a fix for the problem yourself, please file an issue and describe the fault with steps to reproduce. General issues which cannot be easily reproduced are likely to be ignored, sorry!