    Best CA for SSL Certificates

    IT Discussion
    • WLS-ITGuy @JaredBusch
      last edited by

      @JaredBusch said in Best CA for SSL Certificates:

      I use Let's Encrypt for everything except Exchange. But that is only because the Windows ports of the stuff are a bit lacking. Because, Windows.

      That was my next question. You're good!

      • JaredBusch
        last edited by

        I read a thread on the subject this morning in fact.

        https://community.letsencrypt.org/t/ssl-cert-for-exchange-2013/1364

        The most recent poster in that thread was saying that he used that process to get the cert but now has issues with the renew.

        There are multiple threads on their community about Windows clients.

        • Grey
          last edited by

          The problem with LE is that all of their certs last 3 months. They force you to renew via automation, which can be great for security, and could increase your administrative load.

          • scottalanmiller @Grey
            last edited by

            @Grey said in Best CA for SSL Certificates:

            The problem with LE is that all of their certs last 3 months. They force you to renew via automation, which can be great for security, and could increase your administrative load.

            You just use a script and automate it so you never have to deal with it at all.

            • momurda
              last edited by

              I tried LE for a Windows server just last week. Tons of problems, like the relative path for wwwdata not working (got around this by using the full path of wwwdata), not creating a scheduled task for renew, never exiting without errors.

              • JaredBusch @scottalanmiller
                last edited by

                @scottalanmiller said in Best CA for SSL Certificates:

                @Grey said in Best CA for SSL Certificates:

                The problem with LE is that all of their certs last 3 months. They force you to renew via automation, which can be great for security, and could increase your administrative load.

                You just use a script and automate it so you never have to deal with it at all.

                Right. Once you have a script set to renew every day or two, you will never worry about it. By default certbot renew can be run as often as you want. It checks if the local cert is able to be renewed and exits if not. Does not even go out to the web.

                If the script fails and does not auto renew, then you will get an email about 3 weeks before expiration.

                • JaredBusch @momurda
                  last edited by

                  @momurda said in Best CA for SSL Certificates:

                  I tried LE for a Windows server just last week. Tons of problems, like the relative path for wwwdata not working (got around this by using the full path of wwwdata), not creating a scheduled task for renew, never exiting without errors.

                  Yeah, Windows just is not there yet. Someone will get a solid application written eventually.

                  • JaredBusch @JaredBusch
                    last edited by JaredBusch

                    @JaredBusch said in Best CA for SSL Certificates:

                    @scottalanmiller said in Best CA for SSL Certificates:

                    @Grey said in Best CA for SSL Certificates:

                    The problem with LE is that all of their certs last 3 months. They force you to renew via automation, which can be great for security, and could increase your administrative load.

                    You just use a script and automate it so you never have to deal with it at all.

                    Right. Once you have a script set to renew every day or two, you will never worry about it. By default certbot renew can be run as often as you want. It checks if the local cert is able to be renewed and exits if not. Does not even go out to the web.

                    If the script fails and does not auto renew, then you will get an email about 3 weeks before expiration.

                    [root@nginxproxy ~]# certbot renew
                    Saving debug log to /var/log/letsencrypt/letsencrypt.log
                    
                    -------------------------------------------------------------------------------
                    Processing /etc/letsencrypt/renewal/daerma.com.conf
                    -------------------------------------------------------------------------------
                    Cert not yet due for renewal
                    
                    -------------------------------------------------------------------------------
                    Processing /etc/letsencrypt/renewal/jaredbusch.com.conf
                    -------------------------------------------------------------------------------
                    Cert is due for renewal, auto-renewing...
                    Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
                    Renewing an existing certificate
                    Performing the following challenges:
                    tls-sni-01 challenge for jaredbusch.com
                    tls-sni-01 challenge for www.jaredbusch.com
                    Cleaning up challenges
                    Attempting to renew cert from /etc/letsencrypt/renewal/jaredbusch.com.conf produced an unexpected error: Could not bind TCP port 443 because it is already in use by another process on this system (such as a web server). Please stop the program in question and then try again.. Skipping.
                    
                    The following certs are not due for renewal yet:
                      /etc/letsencrypt/live/daerma.com/fullchain.pem (skipped)
                    All renewal attempts failed. The following certs could not be renewed:
                      /etc/letsencrypt/live/jaredbusch.com/fullchain.pem (failure)
                    1 renew failure(s), 0 parse failure(s)
                    

                    Note, that failed because I need to stop nginx first. My system was set up with the standalone parameter because I do not want certbot changing conf files for me. So my renew needs to stop nginx also.

                    There are pre and post hooks you can add to the certbot command to handle that.

                    certbot renew --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx"
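
The two points made above (that `certbot renew` is safe to run as often as you like because it exits early for certs not yet due, and that a standalone setup needs the web server stopped around the challenge) are easy to get wrong in a cron job because certbot's failures only surface in its output. The following wrapper is an added example and is not code from the thread or from certbot itself. It runs the renewal with the pre/post hooks shown above, appends the output to a log, and parses certbot's own summary so that a renew failure makes the job exit non-zero (and so produce cron mail) on the day it happens rather than three weeks before expiry. It assumes a systemd-managed nginx (`WEB_UNIT`) and a writable log path (`LOG`); both names are this example's own. The certbot summary embedded at the bottom is the one quoted in the post above, reused here as sample input so the parsing can be exercised without a live ACME account.

```bash
#!/bin/sh
# Added example, not code from the thread: a cron wrapper for "certbot renew"
# on a host whose certs were issued with --standalone, so nothing may be
# listening on the challenge port while certbot runs. Assumptions: a
# systemd-managed nginx (WEB_UNIT) and a writable log path (LOG).
set -u

WEB_UNIT="${WEB_UNIT:-nginx}"
LOG="${LOG:-/var/log/certbot-renew-wrapper.log}"

# Read "certbot renew" output on stdin and print the lineage paths that
# certbot listed under "could not be renewed", one per line.
failed_certs() {
    awk '
        /could not be renewed:/      { in_failed = 1; next }
        in_failed && /\(failure\)$/  { sub(/^[ \t]+/, ""); sub(/ \(failure\)$/, ""); print; next }
        in_failed && !/^[ \t]/       { in_failed = 0 }
    '
}

# Read "certbot renew" output on stdin and print its renew-failure count
# (0 when certbot printed no summary line, e.g. nothing was due).
renew_failure_count() {
    n=$(sed -n 's/^ *\([0-9][0-9]*\) renew failure(s).*/\1/p' | tail -n 1)
    echo "${n:-0}"
}

# Inspect one certbot run's output: list failed lineages on stdout and
# return 1 if any failed, so cron mails the operator the day it breaks.
check_renew_output() {
    out=$(cat)
    failures=$(printf '%s\n' "$out" | renew_failure_count)
    printf '%s\n' "$out" | failed_certs
    [ "$failures" -eq 0 ]
}

# Run the renewal with nginx stopped only for the duration of the challenge.
# "certbot renew" is safe to run daily: it exits early for certs not yet due.
run_renew() {
    out=$(certbot renew --non-interactive \
            --pre-hook "systemctl stop $WEB_UNIT" \
            --post-hook "systemctl start $WEB_UNIT" 2>&1)
    printf '%s\n' "$out" >> "$LOG"
    printf '%s\n' "$out" | check_renew_output
}

# The summary certbot printed in the thread above, embedded as sample input
# so the parsing functions can be exercised without a live ACME account.
SAMPLE_OUTPUT='The following certs are not due for renewal yet:
  /etc/letsencrypt/live/daerma.com/fullchain.pem (skipped)
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/jaredbusch.com/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)'

# Only touch certbot and nginx when invoked with --run (e.g. from cron);
# without it the script just defines the functions above.
if [ "${1:-}" = "--run" ]; then
    run_renew
fi
```

Install it as a daily cron entry with `--run`; cron delivers stdout (the failed lineage paths) by mail whenever the wrapper exits non-zero, which is the early warning the post above describes wanting. Because certbot's hooks stop nginx only while the challenge runs, the outage window is a few seconds per renewal rather than for the whole cron job.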
                    
                    • EddieJennings
                      last edited by

                      Current certs are from DNSimple. Will consider Let's Encrypt in the future.

                      • scottalanmiller @EddieJennings
                        last edited by

                        @EddieJennings said in Best CA for SSL Certificates:

                        Current certs are from DNSimple. Will consider Let's Encrypt in the future.

                        Very worth it. Pretty much everyone is switching now.

                        • EddieJennings
                          last edited by

                          I did look at it once before, but I can't remember why we didn't use it (I think it had to do with needing a wildcard cert). But in the future ...

                          • travisdh1 @EddieJennings
                            last edited by

                            @EddieJennings said in Best CA for SSL Certificates:

                            I did look at it once before, but I can't remember why we didn't use it (I think it had to do with needing a wildcard cert). But in the future ...

                            What is the deal with people thinking they need a wildcard cert when using Let's Encrypt? You can add as many subdomains onto the cert they create for you as you like, no need for a wildcard if you're going to use Let's Encrypt!

                            • JaredBusch @travisdh1
                              last edited by JaredBusch

                              @travisdh1 said in Best CA for SSL Certificates:

                              @EddieJennings said in Best CA for SSL Certificates:

                              I did look at it once before, but I can't remember why we didn't use it (I think it had to do with needing a wildcard cert). But in the future ...

                              What is the deal with people thinking they need a wildcard cert when using Let's Encrypt? You can add as many subdomains onto the cert they create for you as you like, no need for a wildcard if you're going to use Let's Encrypt!

                              Because the only way to have a single never changing cert is a wildcard.

                              The people that need a wildcard are usually in an organization with active development and managing LE would be a nightmare. Or a massive org with tons of stuff where a single wildcard can be put on all servers instead of every server having a variation of some few certs from LE.

                              There are very, very good reasons to use a wildcard cert for people that do more than your little dozen servers.

                              People are used to being able to get a wildcard from their CA. Free or not. LE not even having that option is the oddity here. Now LE is this way for a very good reason, but that does not negate the fact that every prior CA operated differently than LE.

                              • dbeato
                                last edited by

                                We use Godaddy and Let's Encrypt.

                                • jrc
                                  last edited by

                                  My first question here would be what type of certs? For DV certs, I'd say go with LE like everyone says. But if you need EV or wildcard then you'll need to buy some. I suggest DigiCert.

                                  Stay the hell away from Register.com for certs. Their customer support is horrid and they just re-sell certs and do not allow their customers to speak to the actual CA for support, so any issues take forever to get solved.

                                  • scottalanmiller @jrc
                                    last edited by

                                    @jrc said in Best CA for SSL Certificates:

                                    Stay the hell away from Register.com ...

                                    period.

                                    • Emad R @scottalanmiller
                                      last edited by

                                      @scottalanmiller

                                      But for the life of me I am unable to get a valid SSL certificate on a web server running CentOS 6.8 with Apache.

                                      The issue is that this server does not have a domain; people access it using its private IP:
                                      192.168.1.139

                                      How can I create an SSL cert for an internal IP-only server? Some users fail to click Advanced and then proceed to this website in Google Chrome.

                                      And this internal server will remain internal, and there is no need for it to be on the WAN or the internet currently or in the near future, so what are my options? Even adding the certificate on users' machines in the Windows Trusted Root certificate store does not work for some reason. Is there any other option besides adding the certificates manually? Can I use a wildcard SSL cert for this scenario?

                                      • travisdh1 @Emad R
                                        last edited by

                                        @msff-amman-Itofficer You're probably seeing apps that do not use the Windows certificate management; Chrome would be one example. Those apps will need the certificate added as well.

                                        • coliver @Emad R
                                          last edited by

                                          @msff-amman-Itofficer said in Best CA for SSL Certificates:

                                          @scottalanmiller

                                          But for the life of me I am unable to get a valid SSL certificate on a web server running CentOS 6.8 with Apache.

                                          The issue is that this server does not have a domain; people access it using its private IP:
                                          192.168.1.139

                                          How can I create an SSL cert for an internal IP-only server? Some users fail to click Advanced and then proceed to this website in Google Chrome.

                                          And this internal server will remain internal, and there is no need for it to be on the WAN or the internet currently or in the near future, so what are my options? Even adding the certificate on users' machines in the Windows Trusted Root certificate store does not work for some reason. Is there any other option besides adding the certificates manually? Can I use a wildcard SSL cert for this scenario?

                                          Why are they accessing it via IP address? It seems like it would be much more beneficial to use DNS; it will be easier for users and you won't run into this certificate issue.

                                          • travisdh1 @coliver
                                            last edited by

                                            @coliver said in Best CA for SSL Certificates:

                                            @msff-amman-Itofficer said in Best CA for SSL Certificates:

                                            @scottalanmiller

                                            But for the life of me I am unable to get a valid SSL certificate on a web server running CentOS 6.8 with Apache.

                                            The issue is that this server does not have a domain; people access it using its private IP:
                                            192.168.1.139

                                            How can I create an SSL cert for an internal IP-only server? Some users fail to click Advanced and then proceed to this website in Google Chrome.

                                            And this internal server will remain internal, and there is no need for it to be on the WAN or the internet currently or in the near future, so what are my options? Even adding the certificate on users' machines in the Windows Trusted Root certificate store does not work for some reason. Is there any other option besides adding the certificates manually? Can I use a wildcard SSL cert for this scenario?

                                            Why are they accessing it via IP address? It seems like it would be much more beneficial to use DNS; it will be easier for users and you won't run into this certificate issue.

                                            Ah, I missed that part. @coliver is correct.
