Best CA for SSL Certificates



  • I normally go through GoDaddy but is there a better option?


  • Service Provider



  • I have to say I used LetsEncrypt for my last SSL project.

    Holy cow it is awesome. And, of course, free!



  • Mine are through Let's Encrypt as well.


  • Service Provider

    I use Let's Encrypt for everything except Exchange. But that is only because the Windows ports of the stuff are a bit lacking. Because, Windows.



  • @JaredBusch said in Best CA for SSL Certificates:

    I use Let's Encrypt for everything except Exchange. But that is only because the Windows ports of the stuff are a bit lacking. Because, Windows.

    That was my next question. You're good!


  • Service Provider

    I read a thread on the subject this morning in fact.

    https://community.letsencrypt.org/t/ssl-cert-for-exchange-2013/1364

    The most recent poster int heat thread was saying that he used that process to get the cert but now has issues with the renew.

    There are multiple threads on their community about Windows clients.



  • The problem with LE is that all of their certs last 3 months. They force you to renew via automation, which can be great for security, and could increase your administrative load.


  • Service Provider

    @Grey said in Best CA for SSL Certificates:

    The problem with LE is that all of their certs last 3 months. They force you to renew via automation, which can be great for security, and could increase your administrative load.

    You just use a script and automate it so you never have to deal with it at all.



  • I tried LE for a windows server just last week. Tons of problems, like relative path for wwwdata not working(got around this by using full path of wwwdata), not creating scheduled task for renew, never exiting without errors.


  • Service Provider

    @scottalanmiller said in Best CA for SSL Certificates:

    @Grey said in Best CA for SSL Certificates:

    The problem with LE is that all of their certs last 3 months. They force you to renew via automation, which can be great for security, and could increase your administrative load.

    You just use a script and automate it so you never have to deal with it at all.

    Right. Once you have a script set to renew every day or two, you will never worry about it. By default certbot renew can be run as often as you want. It checks if the local cert is able to be renewed and exits if not. Does not even go out to the web.

    If the script fails and does not auto renew, then you will get an email about 3 weeks before expiration.


  • Service Provider

    @momurda said in Best CA for SSL Certificates:

    I tried LE for a windows server just last week. Tons of problems, like relative path for wwwdata not working(got around this by using full path of wwwdata), not creating scheduled task for renew, never exiting without errors.

    Yeah, Windows just is not there yet. Someone will get a solid application wrote eventually.


  • Service Provider

    @JaredBusch said in Best CA for SSL Certificates:

    @scottalanmiller said in Best CA for SSL Certificates:

    @Grey said in Best CA for SSL Certificates:

    The problem with LE is that all of their certs last 3 months. They force you to renew via automation, which can be great for security, and could increase your administrative load.

    You just use a script and automate it so you never have to deal with it at all.

    Right. Once you have a script set to renew every day or two, you will never worry about it. By default certbot renew can be run as often as you want. It checks if the local cert is able to be renewed and exits if not. Does not even go out to the web.

    If the script fails and does not auto renew, then you will get an email about 3 weeks before expiration.

    [[email protected] ~]# certbot renew
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    
    -------------------------------------------------------------------------------
    Processing /etc/letsencrypt/renewal/daerma.com.conf
    -------------------------------------------------------------------------------
    Cert not yet due for renewal
    
    -------------------------------------------------------------------------------
    Processing /etc/letsencrypt/renewal/jaredbusch.com.conf
    -------------------------------------------------------------------------------
    Cert is due for renewal, auto-renewing...
    Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
    Renewing an existing certificate
    Performing the following challenges:
    tls-sni-01 challenge for jaredbusch.com
    tls-sni-01 challenge for www.jaredbusch.com
    Cleaning up challenges
    Attempting to renew cert from /etc/letsencrypt/renewal/jaredbusch.com.conf produced an unexpected error: Could not bind TCP port 443 because it is already in use by another process on this system (such as a web server). Please stop the program in question and then try again.. Skipping.
    
    The following certs are not due for renewal yet:
      /etc/letsencrypt/live/daerma.com/fullchain.pem (skipped)
    All renewal attempts failed. The following certs could not be renewed:
      /etc/letsencrypt/live/jaredbusch.com/fullchain.pem (failure)
    1 renew failure(s), 0 parse failure(s)
    

    Note, that failed, because I need to stop nginx first. My system was setup with the standalone parameter because i do not want cerbot changing conf files for me. So my renew needs to stop nginx also.

    There are pre and post hooks you can add to the certbot command to handle that.

    certbot renew --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx"
    


  • Current certs are from DNSimple. Will consider Let's Encrypt in the future.


  • Service Provider

    @EddieJennings said in Best CA for SSL Certificates:

    Current certs are from DNSimple. Will consider Let's Encrypt in the future.

    Very worth it. Pretty much everyone is switching now.



  • I did look at it once before, but I can't remember why we didn't use it (I think it had to do with needing a wildcard cert). But in the future ...



  • @EddieJennings said in Best CA for SSL Certificates:

    I did look at it once before, but I can't remember why we didn't use it (I think it had to do with needing a wildcard cert). But in the future ...

    What is the deal with people thinking they need a wildcard cert when using Let's Encrypt? You can add as many subdomains onto the cert they create for you as you like, no need for a wildcard if you're going to use Let's Encrypt!


  • Service Provider

    @travisdh1 said in Best CA for SSL Certificates:

    @EddieJennings said in Best CA for SSL Certificates:

    I did look at it once before, but I can't remember why we didn't use it (I think it had to do with needing a wildcard cert). But in the future ...

    What is the deal with people thinking they need a wildcard cert when using Let's Encrypt? You can add as many subdomains onto the cert they create for you as you like, no need for a wildcard if you're going to use Let's Encrypt!

    Because the only way to have a single never changing cert is a wildcard.

    The people that need a wildcard are usually in an organization with active development and managing LE would be a nightmare. Or a massive org with tons of stuff where a single wildcard can be put on all servers instead of every server having a variation of some few certs from LE.

    There are very, very good reasons to use a wildcard cert for people that do more than you little dozen servers.

    People are used to being able to get a wildcard from their CA. Free or not. LE not even having that option is the oddity here. Now LE is this way for a very good reason, but that does not negate the fact that every prior CA operated differently than LE.



  • We use Godaddy and Let's Encrypt.



  • My first question here would be what type of certs? For DV certs, then I'd say go with LE like everyone says. But if you need EV or Wildcard then you'll need to buy some. I suggest DigiCert.

    Stay the hell away from Register.com for certs. Their customer support is horrid and they just re-sell certs and do not allow their customers to speak to the actual CA for support, so any issues take forever to get solved.


  • Service Provider

    @jrc said in Best CA for SSL Certificates:

    Stay the hell away from Register.com ...

    period.



  • @scottalanmiller

    but how for the life of me I am unable to get valid SSL certficate on webserver running centos 6.8 with apache.

    The issue is that this server does not have domain, people access it using it is private IP:
    192.168.1.139

    How can I create an SSL for IP internal server, some users fail to click Advanced then proceed to this website in Google Chrome.

    And this internal server will remain internal and their is no need for it to be on WAN or the internet currently or the near future, what are my options ? even adding the certificate on users machines in Windows Trusted root certificate does not work for some reason, and is there any other option besides adding the certificates manually, can I use Wild Card SSL cert for this scenario ?



  • @msff-amman-Itofficer You're probably seeing apps that do not use the Windows certificate management, Chrome would be one example. Those apps will need the certificate added as well.



  • @msff-amman-Itofficer said in Best CA for SSL Certificates:

    @scottalanmiller

    but how for the life of me I am unable to get valid SSL certficate on webserver running centos 6.8 with apache.

    The issue is that this server does not have domain, people access it using it is private IP:
    192.168.1.139

    How can I create an SSL for IP internal server, some users fail to click Advanced then proceed to this website in Google Chrome.

    And this internal server will remain internal and their is no need for it to be on WAN or the internet currently or the near future, what are my options ? even adding the certificate on users machines in Windows Trusted root certificate does not work for some reason, and is there any other option besides adding the certificates manually, can I use Wild Card SSL cert for this scenario ?

    Why are they accessing it via IP address? Seems like it would be much more beneficial to use DNS, it will be easier for users and you won't run into this certificate issue.



  • @coliver said in Best CA for SSL Certificates:

    @msff-amman-Itofficer said in Best CA for SSL Certificates:

    @scottalanmiller

    but how for the life of me I am unable to get valid SSL certficate on webserver running centos 6.8 with apache.

    The issue is that this server does not have domain, people access it using it is private IP:
    192.168.1.139

    How can I create an SSL for IP internal server, some users fail to click Advanced then proceed to this website in Google Chrome.

    And this internal server will remain internal and their is no need for it to be on WAN or the internet currently or the near future, what are my options ? even adding the certificate on users machines in Windows Trusted root certificate does not work for some reason, and is there any other option besides adding the certificates manually, can I use Wild Card SSL cert for this scenario ?

    Why are they accessing it via IP address? Seems like it would be much more beneficial to use DNS, it will be easier for users and you won't run into this certificate issue.

    Ah, I missed that part. @coliver is correct.



  • I have set two of my sites to use Let's Encrypt now. I have it set to redirect http to https. I would assume I disable http on the site so that it doesn't allow that traffic, yes?


  • Service Provider

    @WLS-ITGuy said in Best CA for SSL Certificates:

    I have set two of my sites to use Let's Encrypt now. I have it set to redirect http to https. I would assume I disable http on the site so that it doesn't allow that traffic, yes?

    If you are redirecting, you have no need to disable http. You can of course. But then you also do not need the redirect.


  • Service Provider

    Jared is correct, redirection is only a thing if HTTP is up and running.



  • @WLS-ITGuy said in Best CA for SSL Certificates:

    I have set two of my sites to use Let's Encrypt now. I have it set to redirect http to https. I would assume I disable http on the site so that it doesn't allow that traffic, yes?

    That is actually a good question.

    If you are redirecting, does http need to be open on the firewall, since the original traffic is coming in on it?


  • Service Provider

    @BRRABill said in Best CA for SSL Certificates:

    @WLS-ITGuy said in Best CA for SSL Certificates:

    I have set two of my sites to use Let's Encrypt now. I have it set to redirect http to https. I would assume I disable http on the site so that it doesn't allow that traffic, yes?

    That is actually a good question.

    If you are redirecting, does http need to be open on the firewall, since the original traffic is coming in on it?

    Yes, if HTTP isn't there and working, how can it do the redirect?


Log in to reply
 

Looks like your connection to MangoLassi was lost, please wait while we try to reconnect.