talk.maemo.org certificate expired!
My browser says that the certificate for talk.maemo.org has expired today.
|
Re: talk.maemo.org certificate expired!
Yeah, happened to me too. Thought it was just Firefox being stupid. Everything was fine, refreshed the page 10 minutes later and it was complaining.
|
Re: talk.maemo.org certificate expired!
But stranger browser errors have happened (and computer time changes, etc.) |
Re: talk.maemo.org certificate expired!
Maybe the certificate can be switched to a letsencrypt one?
They provide tools for automatic renewal, which work flawlessly for me, and it's free of charge. |
Re: talk.maemo.org certificate expired!
We discussed it briefly in the last Maemo meeting.
I am a big fan of letsencrypt also, mostly for the auto-renewal scripts. But it is highly likely that renewal of the StartCom cert is much less work for tech-staff than to change the running system? Although recent developments suggest moving away from StartCom, as Google and Mozilla decided to distrust them(?): https://en.wikipedia.org/wiki/StartCom
|
Re: talk.maemo.org certificate expired!
I did for my J1 web/mail/vpn server using the readily available Python scripts. Took me less than 15 min to have A+++ rating on my J1. If I can do it that fast, our tech guys could do it in less than a leap second. |
Re: talk.maemo.org certificate expired!
What's the most important factor in the decision? Price? You can get commercial certs for about £5/yr quite easily:
https://www.ssls.com/ssl-certificate...do-positivessl Depends how much info you need them to validate in the cert though |
Re: talk.maemo.org certificate expired!
Maybe the new council can request moving to Letsencrypt. We have few (sub-)domains so it's no problem. Next year Letsencrypt will even offer wildcard certificates (*.maemo.org), which should make everything even easier to manage. (I'm a happy user of Letsencrypt as well :) |
Re: talk.maemo.org certificate expired!
I think we should get a commercial certificate. We have the funds if costs indeed are in the range of tens of euros per year and not kiloeuros as I previously thought.
The problem is what to use and how... I have only ever generated and used self-signed certs so I have no idea how to go at it... :D So any and all help is appreciated! |
Re: talk.maemo.org certificate expired!
Why a commercial certificate? A cheap commercial one (or free StartCom) is no "better" than a Let's Encrypt one, unless we are concerned about the cert chain baked into old devices (N900/N9 I assume) not including Let's Encrypt.
But Let's Encrypt isn't dodgy, shoddy, confusing, complicated or anything. You run one script and it's all automated for you, including changing Apache (or other server) config, that's the whole point of the thing. Seriously, anyone who's ever "set up" Let's Encrypt would never look back to using StartCom or paying tens of $currency for a cheap non-EV cert. I remember those old days with horror, all the manual faffing that used to be required. |
Re: talk.maemo.org certificate expired!
I hate to ask a potentially simple question; however the discussion as to what has to be done seems to lean towards Let's Encrypt. But my question is surrounding the when.
Each time I click the header navigation here, I get a warning. I hate that warning. |
Re: talk.maemo.org certificate expired!
Startcom on the other hand, is neither. So please don’t use that. |
Re: talk.maemo.org certificate expired!
I think you should get any certificate, even from Let's Encrypt, just so that you have 90 more days to debate.
Adding an exception every time I visit tmo is at least irritating. |
Re: talk.maemo.org certificate expired!
Nice! So the certificate yesterday got updated to a Let's Encrypt certificate for the next three months.
|
Re: talk.maemo.org certificate expired!
Marvelous!
Better than most :) |
Re: talk.maemo.org certificate expired!
Nice choice!
The 90-day expiration is a good thing and should be done by all others too. It is hard to revoke a cert, so it limits damage from key compromise and mis-issuance to have short lifespans. I plead for RFC change to max 90 days :D Also it would encourage other authorities to automate the renewal like letsencrypt does, because manual renewal would become really expensive. |
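An added example, not part of the thread or any poster's own code: a small expiry monitor of the kind that catches a lapsed renewal before browsers do. The host names, dates and the 30-day renewal threshold are assumptions chosen for illustration.

```python
import ssl
from datetime import datetime, timedelta, timezone

# Assumption: flag for renewal once fewer than 30 days remain
# (a common margin for 90-day certificates).
RENEW_BEFORE = timedelta(days=30)


def classify(not_after, now, renew_before=RENEW_BEFORE):
    """Return (status, days_left) for a notAfter string in the format
    that ssl.SSLSocket.getpeercert() reports."""
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(not_after), tz=timezone.utc
    )
    remaining = expires - now
    days_left = remaining.days  # floored; negative once the cert has expired
    if remaining <= timedelta(0):
        return "EXPIRED", days_left
    if remaining <= renew_before:
        return "RENEW", days_left
    return "OK", days_left


def report(inventory, now):
    """Classify every host and sort most urgent first."""
    rows = [(host, *classify(not_after, now))
            for host, not_after in inventory.items()]
    return sorted(rows, key=lambda row: row[2])


# Constructed sample inventory: hypothetical hosts and dates.
SAMPLE = {
    "www.example.org": "Oct  8 00:00:00 2017 GMT",
    "forum.example.org": "Jul  9 23:59:59 2017 GMT",
    "wiki.example.org": "Aug  1 12:00:00 2017 GMT",
}
SAMPLE_NOW = datetime(2017, 7, 10, 9, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for host, status, days in report(SAMPLE, SAMPLE_NOW):
        print(f"{status:8} {days:4d}d  {host}")
```

When collecting `notAfter` from live servers, a verifying TLS handshake against an already expired certificate fails before `getpeercert()` can be read, so the collector should treat that verification failure as an alert in its own right.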