Let's Encrypt hits 3 million certificates, and almost 2 million unexpired certificates

Raymii Member
edited May 2016 in General

See here for the stats

I really like Let's Encrypt! Talk a bit about how you use it below.

I've changed all my domains to have HTTPS that didn't have it before. Also, all my certs except multidomains and wildcards are now issued by Let's Encrypt.

Let's Encrypt
  1. Let's Encrypt is amazing and awesome (86 votes)
    1. Yes: 38.37%
    2. Totally, I love it: 61.63%

Comments

  • Raymii Member

    How can you not like Let's Encrypt? :P

  • I have wild cards for all my domains from startssl that don't expire until late 2017. I may switch to let's encrypt when it comes time to renew though, hoping the automation gets a little better in that time.

  • Falzo Member

    yes it's very useful indeed.

    I tend to use it in conjunction with vestacp and https://github.com/interbrite/letsencrypt-vesta ... easy to set up and automatically renewed via cron.

  • codehusker Member
    edited May 2016

    acmetool has become my favorite LE client. Single binary, simple setup, easy renewals, and attempts to be as idempotent as possible. The README has a good comparison between it, the official client, and a couple other alternatives.

  • @Raymii said:
    How can you not like Let's Encrypt? :P

    I couldn't get it to work on one of my LEBs (a 128 MB OVZ)... :( Kept running out of RAM during initial setup/compiling/whatever.

  • Let's Encrypt is awesome and we can only say thank you to the team and all the companies who support them.

  • @JustAMacUser said:
    I couldn't get it to work on one of my LEBs (a 128 MB OVZ)... :( Kept running out of RAM during initial setup/compiling/whatever.

    Try using the client I linked above. It's a mostly static Go binary, and it uses much less memory than the official Python client.

  • Thanks. But I'd rather stick with the official one if I'm going to go this route. In the meantime I'm going to continue with StartSSL for now.

  • @JustAMacUser AFAIK, you can't install SSL on NAT VPS.

  • Clouvider Member, Patron Provider

    @sayem314 said:
    @JustAMacUser AFAIK, you can't install SSL on NAT VPS.

    Why?

  • @Clouvider said:

    @sayem314 said:
    @JustAMacUser AFAIK, you can't install SSL on NAT VPS.

    Why?

    Provider must support reverse proxy for 443. Usually (AFAIK) no NAT provider does that!

  • LiteServer Member, Patron Provider

    I see a positive future for LE. It's a great alternative for a simple/personal website, but in my opinion not a replacement for commercial websites at this moment. We'll see what LE does in the future :-)
    We're offering LE certifications for shared hosting customers, seems to work good! Auto renewal works great when set up properly.

  • Clouvider Member, Patron Provider

    sayem314 said: Provider must support reverse proxy for 443. Usually (AFAIK) no NAT provider does that!

    Would be same for port 80.

    You can have SSL on any port, doesn't need to be 443.

  • @Clouvider said:

    sayem314 said: Provider must support reverse proxy for 443. Usually (AFAIK) no NAT provider does that!

    Would be same for port 80.

    You can have SSL on any port, doesn't need to be 443.

    yup, but it will become ssl only site. no http redirect even.

  • Clouvider Member, Patron Provider

    you can have pure HTTP on any port as well.

    Not that it will be easy to visit your website, what I want to say, NAT or no NAT, it has zero correlation.

  • @Clouvider said:
    you can have pure HTTP on any port as well.

    Not that it will be easy to visit your website, what I want to say, NAT or no NAT, it has zero correlation.

    Hmm, never tried both on same port. My bad!

  • @sayem314 said:

    yup, but it will become ssl only site. no http redirect even.

    Listen on v6 only, AAAA records only, but only good if you have v6 at home haha

  • @theroyalstudent said:
    Listen on v6 only, AAAA records only, but only good if you have v6 at home haha

    v6 is rare. None of my internet providers have v6 here.

  • noaman Member

    @theroyalstudent said:

    Listen on v6 only, AAAA records only, but only good if you have v6 at home haha

    Shouldn't this approach work?

    Cloudflare full ssl and ipv6 on the back end... AAAA record... Never tried though

  • @noaman said:

    Shouldn't this approach work?

    Cloudflare full ssl and ipv6 on the back end... AAAA record... Never tried though

    Yes it works! But I prefer not using CF sometimes for cases where the server is far overseas, my ISP has usually better routes to the backend haha.

    One example for me would be OVH Gravelines, I'm able to do 2+mb/s download but using CF would mean about 500kb/s, from my house in Singapore.

    Otherwise, CF works great for local servers that don't peer directly with my ISP (it costs a bomb to do so anyway), at non-peak hours at least.

  • @sayem314 said:
    @JustAMacUser AFAIK, you can't install SSL on NAT VPS.

    Yes, you can. Though maybe not using LE and their HTTP check.

    Notwithstanding, never said I was using NAT. I said I was using a 128 MB OpenVZ machine.

  • @JustAMacUser said:
    Notwithstanding, never said I was using NAT. I said I was using a 128 MB OpenVZ machine.

    My mistake, sorry. I thought 128 OVZ might be NAT

    Thanked by 1: JustAMacUser
  • noaman Member

    @theroyalstudent said:

    Yes it works! But I prefer not using CF sometimes for cases where the server is far overseas, my ISP has usually better routes to the backend haha.

    One example for me would be OVH Gravelines, I'm able to do 2+mb/s download but using CF would mean about 500kb/s, from my house in Singapore.

    Otherwise, CF works great for local servers that don't peer directly with my ISP (it costs a bomb to do so anyway), at non-peak hours at least.

    Well... every time I visit cloudflare blog... they are usually opening a new data center... Maybe they will set up one near you...

    BTW:

    The whole point of cloudflare is caching and speeding up data delivery for websites... If you are just downloading files... it will send the request back to the original server... so I guess no use there...

  • @noaman said:

    Well... every time I visit cloudflare blog... they are usually opening a new data center... Maybe they will set up one near you...

    BTW:

    The whole point of cloudflare is caching and speeding up data delivery for websites... If you are just downloading files... it will send the request back to the original server... so I guess no use there...

    Yeah, it just doesn't work well for my usage of downloading files from my Kimsufi box. They got their DC in my country (Singapore) in like 2011, it's just their routing back to the backend that sucks probably.

    It does a decent job in caching if I downloaded the file before though.

  • noaman Member

    @theroyalstudent said:

    Yeah, it just doesn't work well for my usage of downloading files from my Kimsufi box. They got their DC in my country (Singapore) in like 2011, it's just their routing back to the backend that sucks probably.

    It does a decent job in caching if I downloaded the file before though.

    Do you have to completely download the file to be completely cached?
    If not then there could be a way ☺

  • @noaman said:

    Do you have to completely download the file to be completely cached?
    If not then there could be a way ☺

    I'm not sure, are you suggesting that I can just send partial requests or even just HEAD? ;)

  • black Member

    OVH is getting involved... I expect 4 million active certificates when they do :)

  • noaman Member

    @theroyalstudent

    I'm not sure, are you suggesting that I can just send partial requests or even just HEAD? ;)

    Yes... I have not played with CF that much. But if it caches the whole file then your problem could be solved...
