Let's encrypt
Hey guys,
Do we need a control panel like cPanel to work with Let's Encrypt SSL? I have a site hosted on a CentOS server with no control panel on it and Apache as the web server. The site is working well, but I can't afford a paid SSL certificate right now, so I'm looking for cost-effective possibilities.
Anyone experienced with servers without a control panel + Let's Encrypt?
Ty
Comments
https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-centos-7
You can also use Cloudflare if you want caching + shared SSL too for simplicity.
I use certbot and it makes installing LE easier. Here:
https://github.com/certbot/certbot
I like https://github.com/Neilpang/acme.sh
If you're just looking for a simple (web) front end to handle Let's Encrypt generation, take a look at https://zerossl.com/ which is essentially a (supposedly safe/secure) "wrapper" around the LE SSL generation process.
If you're comfortable with shell/cli (etc.) then take a look at dehydrated which, along with hooks like lexicon, will allow you to reasonably simply/quickly get a LE SSL cert (including wildcard).
All of the above are open source/freeware and are pretty popular/tested/trusted.
certbot
No. We should not. And do not.
This. There are other options but this is what I use.
certbot, as well, detailed instructions on its site.
For ordering and renewing larger numbers of certificates (> 500) I would advise you to use certbot, as it's more stable than, say, acmetool. All in all, better to start with certbot even if you have one or a few domains, and try to avoid acmetool.
If you can live with the de facto MITM by CloudFlare... Also, expect a lot of garbage domains in the shared SSL. I mean, most people won't see it, but it's quite ugly once you discover it.
If you want some super simple, just set up a reverse proxy with Caddy or switch entirely to Caddy.
That is absolutely not equivalent to using Let's Encrypt, and not a good alternative at all.
When you use Let's Encrypt, you keep control over your own traffic, LE just provides the certificate for your server to use and the traffic gets decrypted by your server itself. Nobody can read the traffic between your server and your users.
When you use Cloudflare, they decrypt your traffic and then pass it on to your server. This means that Cloudflare can always read all traffic between your server and your users (and if you don't set up TLS to the origin server, any provider inbetween Cloudflare and your server can too).
Handling your own TLS is the only way to handle TLS securely. For that, you want Let's Encrypt or some other CA.
Do you mean the hoster where the files are hosted? Or some other unknown party between the hoster and Cloudflare?
Unknown parties between the hoster and Cloudflare (if you're not using TLS to the origin). If you are using TLS to the origin, then it's just Cloudflare who can read all your traffic - although I'm not sure that that's any better.
You can use VestaCP (http://vestacp.com/). It's easy to install, works on boxes with 512MB of RAM, and supports Let's Encrypt; it automatically renews the certificates, you just need to activate the Let's Encrypt SSL for your site and forget about it.
Just don't forget to harden your installation (change the SSH port, hide phpMyAdmin, disable the Vesta API, etc.).
I've been making CSRs with command line openssl and using dehydrated -s to get certificates from the CSRs. It works fine and is easily scriptable. I think of submitting a patch to the dehydrated author to include a minimal web server in dehydrated so it automates everything, but I wasn't able to find his email address so meh. So I use "python -m SimpleHTTPServer" for dehydrated purposes instead of messing with something like apache.
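As an added example (not code from the thread or from the dehydrated project), here is the flow the post above describes: the private key and a multi-name CSR are made with the openssl CLI, the CSR is checked for the names it actually carries and against the key before anything is submitted, and only then is it handed to dehydrated with -s, with the http-01 challenge directory served by python -m SimpleHTTPServer. The SAN is given through a config file rather than -addext so it also works on the OpenSSL 1.0.2 that CentOS 7 ships. The dehydrated and SimpleHTTPServer steps are shown as comments because they need network access; example.com, www.example.com and /var/www/acme are hypothetical names.

```shell
#!/bin/sh
# Added example, not the poster's script. Assumed names: example.com,
# www.example.com, /var/www/acme. Requires the openssl CLI.
set -e

# make_csr OUTDIR NAME [NAME...]
# Writes OUTDIR/key.pem (RSA 2048, mode 0600) and OUTDIR/req.csr whose
# CN is the first NAME and whose subjectAltName lists every NAME.
# The private key never leaves this host; only the CSR is sent to the CA.
make_csr() {
    outdir=$1; shift
    primary=$1
    sans=""
    for d in "$@"; do
        sans="${sans:+$sans,}DNS:$d"
    done
    mkdir -p "$outdir"
    (umask 077; openssl genrsa -out "$outdir/key.pem" 2048 2>/dev/null)
    # Config-file SAN syntax works on OpenSSL 1.0.x and later.
    cat > "$outdir/req.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
CN = $primary
[ext]
subjectAltName = $sans
EOF
    openssl req -new -sha256 -key "$outdir/key.pem" \
        -config "$outdir/req.cnf" -out "$outdir/req.csr"
}

# csr_sans CSR
# Prints the DNS names in the CSR's subjectAltName, one per line, so a
# script can confirm the request covers exactly the hosts it should.
csr_sans() {
    openssl req -in "$1" -noout -text \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# csr_matches_key CSR KEY
# Succeeds when the public key embedded in the CSR is the one derived
# from KEY, i.e. the certificate the CA returns will be usable with KEY.
csr_matches_key() {
    a=$(openssl req -in "$1" -noout -pubkey | openssl md5)
    b=$(openssl pkey -in "$2" -pubout | openssl md5)
    [ "$a" = "$b" ]
}

# Network steps, as the post describes them (not run here):
#   make_csr /etc/ssl/example example.com www.example.com
#   cd /var/www/acme && python -m SimpleHTTPServer 80 &
#   # dehydrated config: WELLKNOWN=/var/www/acme/.well-known/acme-challenge
#   dehydrated --register --accept-terms
#   dehydrated -s /etc/ssl/example/req.csr > /etc/ssl/example/cert.pem
```

dehydrated -s prints the signed certificate on stdout, so the redirect above is what stores it; the key file written by make_csr is the one to point the Apache SSLCertificateKeyFile at.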
I've been using this sometimes.
Very easy and not much setup to do on the VPS:
https://www.sslforfree.com
It issues LE certs and you can verify the domain through FTP login, File upload or DNS :P
Also Porkbun has automatic letsencrypt certs. I think it is done by a MITM method since I don't see any other way. But it could be better than nothing depending on what you're doing.
So it's safe to use VestaCP now?
Could be non-MITM cause letsencrypt supports DNS-based authorization iirc.
Doesn't there still have to be a CSR, generated by something in possession of the private key? All I meant by MITM is that they do that for you. I don't mean they intercept your web server traffic like Cloudflare.
Yes, it's safe, I use it on a lot of servers. In the last "exploit" I only got one server hacked and it was a fresh installation; the others didn't have any problems. That's why I say to harden your installation.
Regards!
I hate to be that guy, but you probably shouldn't run your own server if you can't even do the most basic googling.
Literally typing in centos (version) and let's encrypt will result in tons of full tutorials on the topic.
I'm normally all for helping out new guys, but you gotta try at least a little before asking for help.
+1 for this.
Google search