@aaronstuder said in How to setup Nginx TLS certificate based Authentication (VPN alternative):

@emad-r 3650 :)

One of the main reasons that normal certs cannot be bought with forever expiration is because then people would be less apt to update them as ciphers are broken.

Look at how many people still use(d) SSLv1 SHA1, etc., long after they were proven broken.

@francesco-provino said in What Exactly Is a VPN, Is HTTPS a VPN SAMIT Video:

@scottalanmiller so… RDP with TLS enabled is also comparable to a VPN?

Yes, exactly the same. TLS would be a VPN channel.

I always forget about tags....

@JaredBusch said in OpenSSL CSR with Subject Alternative Name:

@EddieJennings said in OpenSSL CSR with Subject Alternative Name:

@JaredBusch Correct. The "ye olde way" is how I've typically made a CSR and private key. The link I included talks about making a configuration file, which allows you to include SAN in your CSR.

Ah, did not read the link. Yes, using a config file is the only method to get any SAN on a cert with OpenSSL.

And after re-reading my post, I realized how terrible it was :(. I was hoping to find a one liner kind of thing, but alas. That particular article made it clear how to do it.

For anyone not familiar, here is a screenshot of my free version.

here is a paid version at a client with ~40 extensions.
(intentionally not all are shown such as the Snom PA-1 paging adapter, because I know someone will count....)

@NashBrydges Oh this is awesome! Gonna be giving that a go on Monday or Tuesday.

@StrongBad said in DNS record will help prevent unauthorized SSL certificates:

Not a bad idea, I guess. There is some security concern there. I would wonder how often this is really an issue. Is this common? Or just proactive?

I'm thinking a bit of both.

This way you can share the config(s) under conf.d between multiple machines using the same roles (or whatever Salt calls them) and have different main NGINX server settings.

@scottalanmiller said in Let's Encrypt stats:

@Jason said in Let's Encrypt stats:

I'm guessing a lot of kids/teens and college age are using let's encrpyt hence the .ninja

I'm confused, aren't all those domains only used by ninjas?

Go Ninja, Go Ninja, Go!

https://www.data-vocabulary.org/ - Works.

https://schema.org/ - Works

Yeah, that's a really awesome feature.

@scottalanmiller said in Let's Encrypt is now used around 4.86%:

Yeah, probably a lot less than a year before LE rules the roost. Maybe four more months? In a year it will have significant dominance, I am guessing.

More likely about this time next year because they did not come out of beta until March

@marcinozga Thanks, but already tried net.inet.ip.fastforwarding in all combinations with TCP and UDP.

@scottalanmiller said:

@Ambarishrh said:

Wanted to setup Let's Encrypt for my blog which is now hosted on ASO but as per their tech agent, this is not possible! :(

Is that because SSL is not offered at all?

As per them, its only on dedicated servers and not shared. But using https://gethttpsforfree.com/ i was able to generate certs and install :)

@tonyshowoff said:

@scottalanmiller said:

@tonyshowoff said:

@Dashrender said:

@scottalanmiller said:

@Dashrender said:

Frankly, I'm frustrated that ICANN has allows so many registrars and SSL cert providers. There are over 1400 CAs trusted by Windows in 2010.

Any one of those CAs can be compromised and their root cert used to sign fake certs for any site on the internet, instantly having Windows trust those certs.

The whole security model on the internet is just broken. We don't have secure DNS or reliable Certificate Pinning.

It would be a monopoly if they didn't make it basically open. Or monopoly-ish. Not an open market.

Frankly, in this case, a monopoly, like you want for healthcare, seems like the better play. The fees should either be free or extremely low, only enough to handle the costs of administration and hardware required.

Universal coverage does not imply monopolistic treatment. Further, most countries with universal health coverage also have private systems too.

Like Panama... good healthcare for free or suckers can pay for private American healthcare from Johns Hopkins.

Or Bosnia, the only place I know of where the "free" is way worse than private to an insane degree, and that's because of a war so at least that's an excuse.

Johns Hopkins is the hospital that thought that nut job who thinks the pyramids were grain stores and all kinds of whacky things led their surgical department. You'd have to be insane to get treated at a hospital letting crazies like that even work there let alone run departments.

(Working there as a janitor would be okay, just not in healthcare portions of the business.)

That's the kind of hospital that removes your spleen because "if God wanted you to have it, he'd not have made it make you sick." Those people scare me.

SSLv2 shouldn't be running in the first place anymore. Ref: SSL Labs Documentation

@JaredBusch said:

Here you go @scottalanmiller. Add a sub domain to handle the Websockets.

https://community.nodebb.org/topic/7930/using-cloudflare-with-nodebb

Thanks. That's been mentioned a few times over there but a how-to has been missing and when I'd asked about it the topics all went silent. Will look into this.

@travisdh1 said in Setting up LetsEncrypt on a CentOS 7 NginX proxy:

@JaredBusch said in Setting up LetsEncrypt on a CentOS 7 NginX proxy:

@aaronstuder said in Setting up LetsEncrypt on a CentOS 7 NginX proxy:

Any updates to this?

Use Certbot never this method. keep your life simpler.

Yeah. If the old way is working, that should keep working. However, certbot is easier to use.

When my system came up for renew after certbot was out, I installed certbot and renewed that way. everything is in the same pace. nothing had to be changed in the config files.

@Dashrender said:

@MattSpeller Hmmm.. wonder if that's true?
trax.x10.mx/apps.html

This tool will scan your local certificate repository and tell if you there is anything odd or unexpected in the repository.

Also, do the Latitudes come with this Dell support software like the consumer models?

I think it's available through "Dell digital software delivery" as an option. We just got in 3 new 6440s so I'll check.

Basically, I'm asking, why would Dell get a pass assuming their business line wasn't effected, if Leveno doesn't get one for the same reason?

FWIW I would begin to look at HP (and have, but not seriously), except for the fact that we're tied to Dell for the next 3 years no matter what.

@Dashrender said:

@JaredBusch said:

@Dashrender said:

Does Let's Encrypt give SAN certs? I was under the impression that it's for single one off type situations where people don't have the cash to purchase their own cert, most likely being used by someone self hosting (or single site/server hosting).

If it is free, there is no reason not to get 4 or 5 certs instead of a SAN for most things.

Stupid question time (cause I don't know) can you install multiple certs on the same server?

I don't know about apache, but with NGINX each virtual host can have it's own.

SSL and TLS protect people from spying on an existing communications channel, but does nothing to protect the end points. It's just a service that has to respond to any incoming request.

We get from rapidssl https://www.rapidssl.com/ (single domain- $49, wild card $199) or network solutions

This is the HTTPS plugin.

@JaredBusch said:

@Dashrender said:

Can't you still install CPanel yourself?

Why? What is the benefit / point?

Ease of use and documentation galore