@black3dynamite said in Where can I learn more about SSL certs?:

This is 5-part article about setting up your CA is pretty good.
https://devcentral.f5.com/s/articles/building-an-openssl-certificate-authority-introduction-and-design-considerations-for-elliptical-curves-27720

Blog posts on Altaro.
https://www.altaro.com/hyper-v/public-key-infrastructure/
https://www.altaro.com/hyper-v/wsl-offline-root-certificate-authority-windows-pki/
https://www.altaro.com/hyper-v/windows-ssl-certificate-templates/
https://www.altaro.com/hyper-v/request-ssl-windows-certificate-server/
https://www.altaro.com/hyper-v/view-revoke-manually-approve-certificates/

Thanks! I've started to read the info.

@scottalanmiller said in Let's Encrypt Windows Server:

@WLS-ITGuy said in Let's Encrypt Windows Server:

@JaredBusch you don't have any issues with agents checking in or pushing out updates with the RP?

What would be the concern?

Curious more than anything.

EMC shows it is assigned to all services and the schedule task is there.

Calling this a win.

I just got a 2 year cert from NameCheap the other week. No issues at all anywhere, didn't even notice that cert was expired.

@phlipelder said in Get Wildcard SSL Certs for IIS on Windows with LetsEncrypt:

@scottalanmiller said in Get Wildcard SSL Certs for IIS on Windows with LetsEncrypt:

@phlipelder said in Get Wildcard SSL Certs for IIS on Windows with LetsEncrypt:

@scottalanmiller said in Get Wildcard SSL Certs for IIS on Windows with LetsEncrypt:

@phlipelder said in Get Wildcard SSL Certs for IIS on Windows with LetsEncrypt:

@jaredbusch said in Get Wildcard SSL Certs for IIS on Windows with LetsEncrypt:

@scottalanmiller my problem with Certs on Windows, in general, is that you almost always have to copy it around to multiple servers to make everything work well, and that jsut defeats the purpose of LE.

Based on what is on the site, Microsoft has an intrinsic trust with LE's root store. I should be able to set up a RD Session Host with a LE certificate for publishing and there should be no untrusted publisher for RemoteApps or Session Host desktops once the certificate's thumbprint is published via Group Policy?

One would hope that they would. LE is like the standard in SSL Certs. It's from the EFF, way more trustworthy than other cert authorities, IMHO.

Snag: Valid for 90 days. In larger RDS farm settings this would be a bear to manage. That means the need for an automated process.

It is expected to be automated. SSL Cert updates should not be intrusive. All of the tools for LE SSL Certs are designed around the idea that you will automate them and never need to worry about them again. It's about being less of a snag, not more of one.

Got it thanks. Looks like a bit of a learning curve then. :)

It's not bad. I find learning the LE pieces easier than learning to do it the old fashioned way :) And with LE it is "learn once and ignore", rather than "learn once, forget, do again in a year or two all over again."

@dbeato @JaredBusch thanks for the info. If I get time might give it a go over the weekend. Otherwise job for Monday morning

I had the same problem:

Microsoft includes a command-line utility with Certificate Services called certutil. This utility performs various operations on certificate files, including converting them to and from base64 format.

Note that this command is run on your certificate server, which, in your environment, may be different from your Exchange server. If so, you need to copy the binary .req file to the certificate server, or make it accessible via a shared network folder or removable storage device.

Open a command prompt on the certificate server and navigate to the folder where your binary .req file is, then type the following command:

certutil -encode yourbinaryinputfile yourasciioutputfile

Example:
certutil -encode der.exchange.example.com.req pem.exchange.example.com.req
You can then open the output file in Notepad and confirm that it is in the correct format to upload to your certifying authority.

@zachary715 said in Certbot Apache plugin broken in Fedora 26:

@scottalanmiller said in Certbot Apache plugin broken in Fedora 26:

I ran into this issue, forgot about this thread, went through LetsEncrypt's threads and their solution for this problem led me... here! Very nice.

Just did the exact same thing. Let'sEncrypt forum had the link which led me here right about the time @JaredBusch was responding in my other thread.

It has been posted on here more than one time. I should probably find one of those posts and make @scottalanmiller tag it appropriately.

Edit: Or too slow..

@NashBrydges Oh this is awesome! Gonna be giving that a go on Monday or Tuesday.

There is a blacklist that all CA's have on high dollar domain names to prevent major fraud. LE cannot issue for something.microsoft.com or something.bestbuy.com for example.

But the sub domain names used in these PayPal examples are all outside of that. They are all on valid (ish) TLD.

Yeah, that's a really awesome feature.

@scottalanmiller said in Let's Encrypt is now used around 4.86%:

Yeah, probably a lot less than a year before LE rules the roost. Maybe four more months? In a year it will have significant dominance, I am guessing.

More likely about this time next year because they did not come out of beta until March

@JaredBusch said:

Here you go @scottalanmiller. Add a sub domain to handle the Websockets.

https://community.nodebb.org/topic/7930/using-cloudflare-with-nodebb

Thanks. That's been mentioned a few times over there but a how-to has been missing and when I'd asked about it the topics all went silent. Will look into this.

@travisdh1 said in Setting up LetsEncrypt on a CentOS 7 NginX proxy:

@JaredBusch said in Setting up LetsEncrypt on a CentOS 7 NginX proxy:

@aaronstuder said in Setting up LetsEncrypt on a CentOS 7 NginX proxy:

Any updates to this?

Use Certbot never this method. keep your life simpler.

Yeah. If the old way is working, that should keep working. However, certbot is easier to use.

When my system came up for renew after certbot was out, I installed certbot and renewed that way. everything is in the same pace. nothing had to be changed in the config files.

@MattSpeller

Thanks for the writeup for us noobs.

@Dashrender said:

@JaredBusch said:

@Dashrender said:

Does Let's Encrypt give SAN certs? I was under the impression that it's for single one off type situations where people don't have the cash to purchase their own cert, most likely being used by someone self hosting (or single site/server hosting).

If it is free, there is no reason not to get 4 or 5 certs instead of a SAN for most things.

Stupid question time (cause I don't know) can you install multiple certs on the same server?

I don't know about apache, but with NGINX each virtual host can have it's own.

We get from rapidssl https://www.rapidssl.com/ (single domain- $49, wild card $199) or network solutions