RogerBW's Blog

Let's Encrypt at firedrake.org 05 December 2015

Let's Encrypt has moved to public beta, and I've taken advantage of it. Why? Because a non-zero proportion of the people intercepting your web traffic are bad guys. The less plain-text traffic is out there, the less they learn.

Because I'm an awkward cuss with slightly unusual requirements, I've used the lightweight acme-tiny client. This requires some fairly standard wrapping round it:

  • Generate a key for each server instance (i.e. each distinct web site);
  • Generate a certificate signing request, containing all the site's names as SANs;
  • Call acme-tiny itself, which deals with the challenge-response part of ACME to get the certificate;
  • Put the certificate in the right place and restart the web server.

Since I'd got that far, I added a further test to see whether the certificate exists and, if so, whether it's close enough to expiry to be worth renewing. (Let's Encrypt favours 90-day certificates and automatic renewal when about 30 days remain, rather than the long-duration certificates and manual renewal favoured by the paid approach.) This is all just barely more than trivial, so I might release the code at some point, but it's all very much set up for my particular configuration of virtual hosts and probably not much use to anyone else; you might as well just use one of the more heavyweight standard clients or write your own wrapper.
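For readers who want to see what that wrapping looks like in practice, here is an added example of the four steps above plus the expiry check, written for this post and not the author's own (unreleased) script. It assumes acme_tiny.py is on PATH and accepts the account-key / CSR / challenge-directory arguments its README documents, that the web server already serves the challenge directory at /.well-known/acme-challenge/, and the directory layout, account-key path and reload command shown, all of which are placeholders to adapt.

```shell
#!/bin/sh
# Added example: minimal acme-tiny wrapper. Paths, the account key location
# and the reload command below are assumptions, not anything from the post.
set -eu

CERT_DIR="${CERT_DIR:-/etc/ssl/sites}"                  # assumed: one subdirectory per site
ACCOUNT_KEY="${ACCOUNT_KEY:-/etc/ssl/acme/account.key}" # assumed account key path
ACME_DIR="${ACME_DIR:-/var/www/challenges}"             # assumed webroot for /.well-known/acme-challenge/
RENEW_DAYS="${RENEW_DAYS:-30}"                          # renew when this many days or fewer remain

# needs_renewal CERT_FILE: exit status 0 (true) when the certificate is
# missing or expires within RENEW_DAYS days, 1 when it is still good.
needs_renewal() {
    cert="$1"
    [ -f "$cert" ] || return 0
    # openssl x509 -checkend N exits non-zero if the cert expires within N seconds
    if openssl x509 -checkend "$((RENEW_DAYS * 86400))" -noout -in "$cert" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# san_config PRIMARY [ALT...]: emit an openssl config that lists every name
# as a subjectAltName, which is the field browsers actually check.
san_config() {
    primary="$1"; shift
    sans="DNS:$primary"
    for n in "$@"; do sans="$sans,DNS:$n"; done
    printf '[req]\ndistinguished_name=dn\nreq_extensions=ext\nprompt=no\n[dn]\nCN=%s\n[ext]\nsubjectAltName=%s\n' \
        "$primary" "$sans"
}

# make_key_and_csr SITE_DIR PRIMARY [ALT...]: one key per site (reused if
# present; delete it to rotate) and a fresh CSR carrying all the names.
make_key_and_csr() {
    dir="$1"; shift
    [ -f "$dir/site.key" ] || openssl genrsa -out "$dir/site.key" 2048 2>/dev/null
    san_config "$@" > "$dir/openssl.cnf"
    openssl req -new -sha256 -key "$dir/site.key" -config "$dir/openssl.cnf" -out "$dir/site.csr"
}

# renew_site SITE PRIMARY [ALT...]: skip if the cert is still fresh, otherwise
# run the ACME exchange via acme-tiny, install atomically and reload.
renew_site() {
    dir="$CERT_DIR/$1"; shift
    mkdir -p "$dir"
    if ! needs_renewal "$dir/site.crt"; then
        echo "$dir: certificate still valid, skipping"
        return 0
    fi
    make_key_and_csr "$dir" "$@"
    # Invocation as documented in the acme-tiny README; the signed cert goes to stdout.
    acme_tiny.py --account-key "$ACCOUNT_KEY" --csr "$dir/site.csr" --acme-dir "$ACME_DIR" \
        > "$dir/site.crt.new"
    mv "$dir/site.crt.new" "$dir/site.crt"   # rename so a half-written file is never served
    service apache2 reload                    # assumed reload command; adapt to your server
}

# Usage: renew.sh SITE PRIMARY [ALT...], e.g. renew.sh blog example.org www.example.org
# With no arguments the script only defines the functions above.
if [ "$#" -gt 0 ]; then
    renew_site "$@"
fi
```

Run it from cron once a day: needs_renewal makes it cheap and safe to call repeatedly, since nothing touches the ACME server until the 30-day window opens, and the mv keeps the served file whole if acme-tiny fails midway. Older acme-tiny releases wrote only the leaf certificate, so check whether yours emits the intermediate too and append it if the server needs the chain.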

While I was at it I set up various guards against protocol downgrade attacks and such like; the Qualys SSL Labs test is very handy for this.

The upshot of this is that this blog, and nearly all the sites I host, are now accessible via https, and I very much hope will remain so. (Not quite all, as I hit a rate limit on subdomains for firedrake.org.)


  1. Posted by Owen Smith at 03:59pm on 06 December 2015

    I've changed to https for this blog. I was surprised my iPad didn't tell me it had an unknown certificate. How did you manage to get your certificates signed by a known signing authority?

  2. Posted by RogerBW at 04:23pm on 06 December 2015

    See the link. They are issuing free 90-day certs to anyone who can prove ownership of a domain (with automated renewal encouraged), with the intention of getting https more widely used.

    I didn't bother with my own CA because getting a new CA key into random web browsers is remarkably hard work these days. And I certainly don't want to encourage people to click through an unknown certificate warning!

Comments on this post are now closed. If you have particular grounds for adding a late comment, comment on a more recent post quoting the URL of this one.
