Comments
I'm pretty sure that the certificate insurance covers a breach at the certificate authority level, not a breach of your website security. It's purely a marketing feature, good luck if you ever tried to claim it.
No no according to the butthurt around here it's like totally horrible show stopper fail sauce all over the place DOA Jason coming to kill you Freddy appearing in your dreams worse than going to the dentist.
Your worst nightmare is someone asking you to explain one of your 'clever' analogies when you don't actually know what they mean.
I will be looking forward to the public beta myself. Why pay $10/yr?
Actually think..... how many IPMI can use real verified SSLs?
Who paid $10/y for SSL? WoSign only $0/y.
your beloved letsencrypt want to keep in touch
Once automated renewal tools are widely deployed and working well, we may consider even shorter lifetimes.
everyday renewal much better in my opinion :P
Is it possible to make use of lets encrypt without using their client?
I found the meaning of basement: http://www.urbandictionary.com/define.php?term=Basement
You don't have to use their client; you can write your own client as well. See examples at https://community.letsencrypt.org/t/list-of-client-implementations/2103
I'm integrating Letsencrypt client's webroot authentication plugin into my Centmin Mod LEMP stack's Nginx HTTP/2 setup - latest progress so far https://community.centminmod.com/posts/20509/
Nice work! Thanks
I'm sure it would help a lot of system admins taking medicine for their heart problems.
If so, why not adopt the DNS TTL system for this certificate expiration system? For best and quick updates take a TTL of 5 minutes. At least here it will be honored, unlike with DNS where ISPs et cetera don't have to honor TTL and run their own caching setup that is off the line and updates really late.
@bitcubate only sman can answer the basement thing.
https://github.com/diafygi/letsencrypt-nosudo sounded really cool but:
Still quite painful...
Excited as well for the public launch, hopefully it won't get rescheduled again. To all people saying a 90-day validity is stupid and horrible, I don't think so at all. As long as you automate your certificate deployments, something which you should do anyways (together with automating all other server stuff), it's not a big hassle.
Don't know how many people know about that, but Google has been doing that for years. All their sites get their certificate renewed every 3 months and they don't have any issues at all. If they can do it, every LET guy with a small or a few homepages can do it as well.
Would be interesting to know though if the private key gets renewed as well or if it stays the same one. Does anyone know more about that?
I don't enjoy getting forced to do things.
Luckily there's still my yearly renewal WoSign and StartSSL, which I will happily keep on using, while telling everybody who's willing to listen, that "Let's encrypt" is a useless hype from a bunch of we-know-better arrogant pricks, and that it should be avoided at all costs.
I'm pretty sure 3 month certs are more secure.
Cmiiw
Only problem with WoSign and StartSSL is that their sites are pretty backward. If anyone were to try and dig into the issuer of the certificate, they might easily get the wrong impression that something is amiss.
Let's encrypt has logos of Mozilla, Cisco and EFF on its front page.
Well, I'm not sure dictating external policy should be part of their mission, but if they get automation working reliably, it's one more choice - that in itself is a good thing.
at least wosign/startssl don't shy to use their own SSL.
popcorn please!
You realize, of course, that Letsencrypt isn't out of beta yet?
I don't understand what all that flame is about, really. Public key certificates (a.k.a. SSL certificates) do not guarantee the owner of the resource using it won't scam its users, or otherwise make them sorry.
It's all about green padlock icon, which is often associated with "trust" and "guarantee", although it contains none.
I used StartSSL and still use it. Fine, since major browsers do understand it. Let's encrypt's certificate brings exactly the same adorable green padlock sign (I use it on my private repository site), so what?
That's a matter of convenience. Their pre-Beta default client is a horrible PITA. Its directions are convoluted and hidden within debug lines it prints. To generate a certificate on unsupported platforms, such as RedHat and its derivatives, it requires several strange actions (like forcing the Web server to return 'Content-Type: text/plain' for their verification URLs), which is inappropriate on a live site.
All in all, once generated, the certificate just works. Since green padlock calms down mundane people, terrified by security threats they can't understand anyway, let it be. If those folks make client less terrible and capable of re-generating certificate semi-automatically, so much the better.
So, I will use them, in addition to StartSSL. I won't use CACert or other DIY methods, which are not recognized by major browsers, since I can't fathom teaching ordinary visitor to install their root CA first.
Blocked by the GFW in 3....2....1....
Global Force Wrestling?
Few hours left..
@Master_Bo
I think he is referring to the Great Firewall. Actually I don't think lets encrypt will change much, there is a trend to use more and better encryption, but with the current implementation of the let's encrypt tool there won't be a sudden percentage jump.
Exactly. Seems like that's what they are looking for.
A "real" CA giving away free 1 to 3 year certs would have made mass adoption possible imo, not this geek-who-like-to-run-fucked-software-on-a-webserver thing...
the main use I have for this is to finally have a valid SSL for my OVPN-AS and IPMIs
Look into wosign
My guess is wosign is not "real" enough for him.
this so much
Do the OCSP servers still shit themselves regularly?