Thanks @JaredBusch this will be a huge help! I'll give this a try later this evening when I'm back.

I set it as marked as answered. Should be clear now.

@NashBrydges Oh this is awesome! Gonna be giving that a go on Monday or Tuesday.

@JaredBusch said in Looking for how-to on setting up a proxy:

server {
client_max_body_size 40M;
listen 80;
server_name support.bundystl.com;
rewrite ^ https://$server_name$request_uri? permanent;
}

Yep, got all that done and it's working well. What I was referring to was redirecting traffic to HTTPS. Essentially this is the part of the file I was missing...

server { client_max_body_size 40M; listen 80; server_name support.bundystl.com; rewrite ^ https://$server_name$request_uri? permanent; }

This way you can share the config(s) under conf.d between multiple machines using the same roles (or whatever Salt calls them) and have different main NGINX server settings.

There is a blacklist that all CA's have on high dollar domain names to prevent major fraud. LE cannot issue for something.microsoft.com or something.bestbuy.com for example.

But the sub domain names used in these PayPal examples are all outside of that. They are all on valid (ish) TLD.

@travisdh1 said in SSL between a proxy and its target:

@Dashrender said in SSL between a proxy and its target:

@dafyre said in SSL between a proxy and its target:

@scottalanmiller said in SSL between a proxy and its target:

Never had to do that. Seems like a script to pull it from time to time might be enough, though?

Set up a passwordless scp of the /etc/letsencrypt (or /etc/certbot?) folder from the proxy to the internal machine?

Any security risk to this? I don't know anything about it - I just see passwordless and have to ask.

It's industry standard public/private key encryption, so shouldn't be an issue.

You should go read up on SQRL. In my not so humble opinion, passwords have long outlived the point where they are a useful security mechanism.

I'm fully aware of SQRL - I asked Scott on Day one of ML if he would support it when it became available, sadly it's still not released to the wild :(

@scottalanmiller said in Let's Encrypt stats:

@Jason said in Let's Encrypt stats:

I'm guessing a lot of kids/teens and college age are using let's encrpyt hence the .ninja

I'm confused, aren't all those domains only used by ninjas?

Go Ninja, Go Ninja, Go!

@Ambarishrh
First of all, I welcome you to Cloudways.com.
I'm Mustaasam, the WordPress Community Manager at Cloudways.

I've tested your site on Tools Pingdom, the first hit was about 2.6 seconds and in 5th attempt it was loaded in just 1.07s.

Here is the URL:
https://tools.pingdom.com/#!/bNYY17/https://www.ambarishrh.com/

Yeah, that's a really awesome feature.

@scottalanmiller said in Let's Encrypt is now used around 4.86%:

Yeah, probably a lot less than a year before LE rules the roost. Maybe four more months? In a year it will have significant dominance, I am guessing.

More likely about this time next year because they did not come out of beta until March

Found it, nevermind.....

@scottalanmiller said:

@Ambarishrh said:

Wanted to setup Let's Encrypt for my blog which is now hosted on ASO but as per their tech agent, this is not possible! :(

Is that because SSL is not offered at all?

As per them, its only on dedicated servers and not shared. But using https://gethttpsforfree.com/ i was able to generate certs and install :)

@tonyshowoff said:

@scottalanmiller said:

@tonyshowoff said:

@Dashrender said:

@scottalanmiller said:

@Dashrender said:

Frankly, I'm frustrated that ICANN has allows so many registrars and SSL cert providers. There are over 1400 CAs trusted by Windows in 2010.

Any one of those CAs can be compromised and their root cert used to sign fake certs for any site on the internet, instantly having Windows trust those certs.

The whole security model on the internet is just broken. We don't have secure DNS or reliable Certificate Pinning.

It would be a monopoly if they didn't make it basically open. Or monopoly-ish. Not an open market.

Frankly, in this case, a monopoly, like you want for healthcare, seems like the better play. The fees should either be free or extremely low, only enough to handle the costs of administration and hardware required.

Universal coverage does not imply monopolistic treatment. Further, most countries with universal health coverage also have private systems too.

Like Panama... good healthcare for free or suckers can pay for private American healthcare from Johns Hopkins.

Or Bosnia, the only place I know of where the "free" is way worse than private to an insane degree, and that's because of a war so at least that's an excuse.

Johns Hopkins is the hospital that thought that nut job who thinks the pyramids were grain stores and all kinds of whacky things led their surgical department. You'd have to be insane to get treated at a hospital letting crazies like that even work there let alone run departments.

(Working there as a janitor would be okay, just not in healthcare portions of the business.)

That's the kind of hospital that removes your spleen because "if God wanted you to have it, he'd not have made it make you sick." Those people scare me.

@jospoortvliet said:

using letsencrypt right now on my home server, btw. Have a cron job set up to update the cert every month or so, with an easy tool: ACME. Simpler than the 'standard' tool from Lets Encrypt, if you ask me. Go check it out at https://github.com/hlandau/acme ;-)

I had a good laugh when I spotted the ".travis Try to speed up travis" Apparently I'm slowing things down, tho I do agree that speeding me up would be a good thing :-P

@travisdh1 said in Setting up LetsEncrypt on a CentOS 7 NginX proxy:

@JaredBusch said in Setting up LetsEncrypt on a CentOS 7 NginX proxy:

@aaronstuder said in Setting up LetsEncrypt on a CentOS 7 NginX proxy:

Any updates to this?

Use Certbot never this method. keep your life simpler.

Yeah. If the old way is working, that should keep working. However, certbot is easier to use.

When my system came up for renew after certbot was out, I installed certbot and renewed that way. everything is in the same pace. nothing had to be changed in the config files.

@MattSpeller

Thanks for the writeup for us noobs.

I understand the additional points such as automated validation and the open records, but you can get free SSL certificates through StartSSL. The companies who don't want to pay for an SSL certificate (or do the research to find a free one) are most likely using shared hosting or some kind of managed hosting that costs extra to enable the SSL certificate anyway. So if they aren't going to pay the money for the cert, I can't see them paying extra per month to enable the free cert on their hosting.