RogerBW's Blog

Let's Encrypt at firedrake.org 05 December 2015

Let's Encrypt has moved to public beta, and I've taken advantage of it. Why? Because a non-zero proportion of the people intercepting your web traffic are bad guys. The less plain-text traffic is out there, the less they learn.

Because I'm an awkward cuss with slightly unusual requirements, I've used the lightweight acme-tiny client. This requires some fairly standard wrapping round it:

  • Generate a key for each server instance (i.e. each distinct web site);
  • Generate a certificate signing request, containing all the site's names as SANs;
  • call acme-tiny itself, which deals with the challenge-response part of ACME to get the certificate;
  • put the certificate in the right place and restart the web server.

Since I'd got that far, I added a further test to see whether the certificate exists and, if so, whether it's close enough to expiry to be worth renewing. (Let's Encrypt favours 90-day certificates and automatic renewal when about 30 days remain, rather than the long-duration certificates and manual renewal favoured by the paid approach.) This is all just barely more than trivial, so I might release the code at some point, but it's all very much set up for my particular configuration of virtual hosts and probably not much use to anyone else; you might as well just use one of the more heavyweight standard clients or write your own wrapper.

While I was at it I set up various guards against protocol downgrade attacks and such like; the Qualys SSL Labs test is very handy for this.

The upshot of this is that this blog, and nearly all the sites I host, are now accessible via https, and I very much hope will remain so. (Not quite all, as I hit a rate limit on subdomains for firedrake.org.)


  1. Posted by Owen Smith at 03:59pm on 06 December 2015

    I've changed to https for this blog. I was surprised my iPad didn't tell me it had an unknown certificate, how did you manage to get your certificatess signed by a known signing authority?

  2. Posted by RogerBW at 04:23pm on 06 December 2015

    See the link. They are issuing free 90-day certs to anyone who can prove ownership of a domain (with automated renewal encouraged), with the intention of getting https more widely used.

    I didn't bother with my own CA because getting a new CA key into random web browsers is remarkably hard work these days. And I certainly don't want to encourage people to click through an unknown certificate warning!

Comments on this post are now closed. If you have particular grounds for adding a late comment, comment on a more recent post quoting the URL of this one.

Search
Archive
Tags 1920s 1930s 1940s 1950s 1960s 1970s 1980s 1990s 2000s 2010s 3d printing action advent of code aeronautics aikakirja anecdote animation anime army astronomy audio audio tech aviation base commerce battletech beer boardgaming book of the week bookmonth chain of command children chris chronicle church of no redeeming virtues cold war comedy computing contemporary cornish smuggler cosmic encounter coup covid-19 crime cthulhu eternal cycling dead of winter doctor who documentary drama driving drone ecchi economics en garde espionage essen 2015 essen 2016 essen 2017 essen 2018 essen 2019 essen 2022 essen 2023 existential risk falklands war fandom fanfic fantasy feminism film firefly first world war flash point flight simulation food garmin drive gazebo genesys geocaching geodata gin gkp gurps gurps 101 gus harpoon historical history horror hugo 2014 hugo 2015 hugo 2016 hugo 2017 hugo 2018 hugo 2019 hugo 2020 hugo 2022 hugo-nebula reread in brief avoid instrumented life javascript julian simpson julie enfield kickstarter kotlin learn to play leaving earth linux liquor lovecraftiana lua mecha men with beards mpd museum music mystery naval noir non-fiction one for the brow opera parody paul temple perl perl weekly challenge photography podcast politics postscript powers prediction privacy project woolsack pyracantha python quantum rail raku ranting raspberry pi reading reading boardgames social real life restaurant reviews romance rpg a day rpgs ruby rust scala science fiction scythe second world war security shipwreck simutrans smartphone south atlantic war squaddies stationery steampunk stuarts suburbia superheroes suspense television the resistance the weekly challenge thirsty meeples thriller tin soldier torg toys trailers travel type 26 type 31 type 45 vietnam war war wargaming weather wives and sweethearts writing about writing x-wing young adult
Special All book reviews, All film reviews
Produced by aikakirja v0.1