@dafyre said in Fedora 29 Apache HTTPD Keeps Adding ssl.conf: Have you tried creating a blank ssl.conf file and then chmod +i ssl.conf ? I've not, but that's such a hockie way of doing it, I was hoping not to.

@dustinb3403 said in Do you setup SSL for Intranet websites only: Near-zero value in someone attacking is what I meant. Not a zero-value in what is provided by the systems. Also there is nothing confidential or needing "security" from a business perspective, which is why I ask is SSL worth it for these types of Intranet sites? You need SSL for everything period. Even if it's a self-signed cert it's fine... just allow the exception in the web browser and be done, or use an internal certificate if your browsers are set to trust the root... or a domain wildcard cert would work just fine. It's easy to do. You could set out a reverse proxy for use with Let's Encrypt, and use the reverse proxy for all of your internal-only web servers. On the reverse proxy, you can limit each site config to only pass internal IPs only. That's what I did for a few. For example, if you add this in: allow 10.0.0.0/8; allow 172.16.0.0/12; allow 192.168.0.0/16; deny all; It will not proxy anything unless it comes from an internal IP.

@phlipelder said in Get Wildcard SSL Certs for IIS on Windows with LetsEncrypt: @scottalanmiller said in Get Wildcard SSL Certs for IIS on Windows with LetsEncrypt: @phlipelder said in Get Wildcard SSL Certs for IIS on Windows with LetsEncrypt: @scottalanmiller said in Get Wildcard SSL Certs for IIS on Windows with LetsEncrypt: @phlipelder said in Get Wildcard SSL Certs for IIS on Windows with LetsEncrypt: @jaredbusch said in Get Wildcard SSL Certs for IIS on Windows with LetsEncrypt: @scottalanmiller my problem with Certs on Windows, in general, is that you almost always have to copy it around to multiple servers to make everything work well, and that jsut defeats the purpose of LE. Based on what is on the site, Microsoft has an intrinsic trust with LE's root store. I should be able to set up a RD Session Host with a LE certificate for publishing and there should be no untrusted publisher for RemoteApps or Session Host desktops once the certificate's thumbprint is published via Group Policy? One would hope that they would. LE is like the standard in SSL Certs. It's from the EFF, way more trustworthy than other cert authorities, IMHO. Snag: Valid for 90 days. In larger RDS farm settings this would be a bear to manage. That means the need for an automated process. It is expected to be automated. SSL Cert updates should not be intrusive. All of the tools for LE SSL Certs are designed around the idea that you will automate them and never need to worry about them again. It's about being less of a snag, not more of one. Got it thanks. Looks like a bit of a learning curve then. It's not bad. I find learning the LE pieces easier than learning to do it the old fashioned way And with LE it is "learn once and ignore", rather than "learn once, forget, do again in a year or two all over again."

https://xen-orchestra.com/docs/reverse_proxy.html Add this link to the readme?

@psx_defector said in IIS Security setup: Best practice isn't up to date. Set it to PCI 1.2, that disables TLS1.0, all the AES stuff, etc. etc. You can also disable them manually in the first screen. Great, thanks.

I had some confusion because of the age of the old CSR. It doesn't line up with the correct dates. I'll edit my original post when I know more.

I had the same problem: Microsoft includes a command-line utility with Certificate Services called certutil. This utility performs various operations on certificate files, including converting them to and from base64 format. Note that this command is run on your certificate server, which, in your environment, may be different from your Exchange server. If so, you need to copy the binary .req file to the certificate server, or make it accessible via a shared network folder or removable storage device. Open a command prompt on the certificate server and navigate to the folder where your binary .req file is, then type the following command: certutil -encode yourbinaryinputfile yourasciioutputfile Example: certutil -encode der.exchange.example.com.req pem.exchange.example.com.req You can then open the output file in Notepad and confirm that it is in the correct format to upload to your certifying authority.

@travisdh1 Sometimes you never know!

@tim_g Do you know what tools and scripts that is available when installing hyperv-tools?

@aaronstuder said in How to setup Nginx TLS certificate based Authentication (VPN alternative): @emad-r 3650 One of the main reasons that normal certs cannot be bought with forever expiration is because then people would be less apt to update them as ciphers are broken. Look at how many people still use(d) SSLv1 SHA1, etc., long after they were proven broken.

@scottalanmiller said in What Exactly Is a VPN, Is HTTPS a VPN SAMIT Video: A lot of them get posted on SW first as a response post because someone will do something that warrants a video so I make it and post as a response, but then dole them out on an even pace over here with a spot to discuss them. How do you know you're an idiot? SAM replies to you with a video

@zachary715 said in Certbot Apache plugin broken in Fedora 26: @scottalanmiller said in Certbot Apache plugin broken in Fedora 26: I ran into this issue, forgot about this thread, went through LetsEncrypt's threads and their solution for this problem led me... here! Very nice. Just did the exact same thing. Let'sEncrypt forum had the link which led me here right about the time @JaredBusch was responding in my other thread. It has been posted on here more than one time. I should probably find one of those posts and make @scottalanmiller tag it appropriately. Edit: Or too slow..

@JaredBusch said in OpenSSL CSR with Subject Alternative Name: @EddieJennings said in OpenSSL CSR with Subject Alternative Name: @JaredBusch Correct. The "ye olde way" is how I've typically made a CSR and private key. The link I included talks about making a configuration file, which allows you to include SAN in your CSR. Ah, did not read the link. Yes, using a config file is the only method to get any SAN on a cert with OpenSSL. And after re-reading my post, I realized how terrible it was :(. I was hoping to find a one liner kind of thing, but alas. That particular article made it clear how to do it.

For anyone not familiar, here is a screenshot of my free version. here is a paid version at a client with ~40 extensions. (intentionally not all are shown such as the Snom PA-1 paging adapter, because I know someone will count....)

@NashBrydges Oh this is awesome! Gonna be giving that a go on Monday or Tuesday.

@StrongBad said in DNS record will help prevent unauthorized SSL certificates: Not a bad idea, I guess. There is some security concern there. I would wonder how often this is really an issue. Is this common? Or just proactive? I'm thinking a bit of both.

This way you can share the config(s) under conf.d between multiple machines using the same roles (or whatever Salt calls them) and have different main NGINX server settings.

@scottalanmiller said in Let's Encrypt stats: @Jason said in Let's Encrypt stats: I'm guessing a lot of kids/teens and college age are using let's encrpyt hence the .ninja I'm confused, aren't all those domains only used by ninjas? Go Ninja, Go Ninja, Go!

https://www.data-vocabulary.org/ - Works. https://schema.org/ - Works

Yeah, that's a really awesome feature.

@scottalanmiller said in Let's Encrypt is now used around 4.86%: Yeah, probably a lot less than a year before LE rules the roost. Maybe four more months? In a year it will have significant dominance, I am guessing. More likely about this time next year because they did not come out of beta until March

@marcinozga Thanks, but already tried net.inet.ip.fastforwarding in all combinations with TCP and UDP.

@scottalanmiller said: @Ambarishrh said: Wanted to setup Let's Encrypt for my blog which is now hosted on ASO but as per their tech agent, this is not possible! Is that because SSL is not offered at all? As per them, its only on dedicated servers and not shared. But using https://gethttpsforfree.com/ i was able to generate certs and install

@tonyshowoff said: @scottalanmiller said: @tonyshowoff said: @Dashrender said: @scottalanmiller said: @Dashrender said: Frankly, I'm frustrated that ICANN has allows so many registrars and SSL cert providers. There are over 1400 CAs trusted by Windows in 2010. Any one of those CAs can be compromised and their root cert used to sign fake certs for any site on the internet, instantly having Windows trust those certs. The whole security model on the internet is just broken. We don't have secure DNS or reliable Certificate Pinning. It would be a monopoly if they didn't make it basically open. Or monopoly-ish. Not an open market. Frankly, in this case, a monopoly, like you want for healthcare, seems like the better play. The fees should either be free or extremely low, only enough to handle the costs of administration and hardware required. Universal coverage does not imply monopolistic treatment. Further, most countries with universal health coverage also have private systems too. Like Panama... good healthcare for free or suckers can pay for private American healthcare from Johns Hopkins. Or Bosnia, the only place I know of where the "free" is way worse than private to an insane degree, and that's because of a war so at least that's an excuse. Johns Hopkins is the hospital that thought that nut job who thinks the pyramids were grain stores and all kinds of whacky things led their surgical department. You'd have to be insane to get treated at a hospital letting crazies like that even work there let alone run departments. (Working there as a janitor would be okay, just not in healthcare portions of the business.) That's the kind of hospital that removes your spleen because "if God wanted you to have it, he'd not have made it make you sick." Those people scare me.

SSLv2 shouldn't be running in the first place anymore. Ref: SSL Labs Documentation

@JaredBusch said: Here you go @scottalanmiller. Add a sub domain to handle the Websockets. https://community.nodebb.org/topic/7930/using-cloudflare-with-nodebb Thanks. That's been mentioned a few times over there but a how-to has been missing and when I'd asked about it the topics all went silent. Will look into this.