Let's Encrypt certificates


Tony40 Member

Hello Everyone!

I got a newbie question about Let's Encrypt certificates.

When I request a certificate, do I put my server location or my address?

My server is in Germany, I live in the US... it's not for a company, just a personal website.

Comments

  • FAT32 Administrator, Deal Compiler Extraordinaire

    You should put your Entity / Organisation / Company location. So in your case you should put US.

    Thanked by: Tony40
  • Domain is the only thing it cares about; you have to prove that the domain is yours.

    https://github.com/acmesh-official/acme.sh

    Thanked by: Tony40, TheKiller
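The point made in the post above (only control of the domain is ever checked) is exactly what the ACME HTTP-01 challenge enforces. The following is an added example, not code from the thread or from acme.sh: it computes the key authorization the client must publish (RFC 8555 section 8.3, built from a token and the RFC 7638 thumbprint of the account key) and the matching check the CA performs. The account key, the token, the domain example.org and the dictionary standing in for a web server's document root are all constructed for the demonstration; no organisation or address field appears anywhere in the exchange.

```python
# Added example (not from the thread): ACME HTTP-01 domain validation, both sides.
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME/JOSE require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required
    members only, sorted lexicographically, no whitespace. Extra members such
    as "kid" are ignored by design."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """What the client must publish: token + "." + thumbprint(account key)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


# --- client side: acme.sh/certbot do this for you ----------------------------
def publish_http01(webroot: dict, token: str, account_jwk: dict) -> None:
    """Place the key authorization where the CA will look for it.
    `webroot` is a dict standing in for the web server's document root."""
    webroot[f"/.well-known/acme-challenge/{token}"] = key_authorization(token, account_jwk)


# --- CA side -----------------------------------------------------------------
def ca_validate_http01(fetch, domain: str, token: str, account_jwk: dict) -> bool:
    """The CA fetches http://<domain>/.well-known/acme-challenge/<token> and
    compares the body with the key authorization it computes itself.
    `fetch(domain, path)` returns the body or None if unreachable."""
    body = fetch(domain, f"/.well-known/acme-challenge/{token}")
    if body is None:
        return False
    # RFC 8555 lets the CA ignore trailing whitespace in the response body.
    return body.strip() == key_authorization(token, account_jwk)


# Constructed sample key material, NOT a real account key (the modulus is a
# placeholder byte pattern; the thumbprint computation does not care).
ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": b64url(bytes(range(1, 65))),
    "kid": "example-account",  # ignored by the thumbprint, as RFC 7638 requires
}
# Constructed challenge token; a real CA sends a random one per challenge.
TOKEN = "tok-" + b64url(b"constructed-challenge-token")


def demo() -> dict:
    """Run the exchange for a domain whose web root we control, then show the
    two ways validation fails: a different account key, or a domain whose
    web root we do not control."""
    webroot = {}

    def fetch(domain, path):
        # Only example.org is served from our constructed web root.
        return webroot.get(path) if domain == "example.org" else None

    publish_http01(webroot, TOKEN, ACCOUNT_JWK)
    valid = ca_validate_http01(fetch, "example.org", TOKEN, ACCOUNT_JWK)
    other_jwk = dict(ACCOUNT_JWK, n=b64url(bytes(64)))
    wrong_key = ca_validate_http01(fetch, "example.org", TOKEN, other_jwk)
    no_control = ca_validate_http01(fetch, "example.net", TOKEN, ACCOUNT_JWK)
    return {"valid": valid, "wrong_account_key": wrong_key,
            "domain_not_controlled": no_control}


if __name__ == "__main__":
    print(demo())
```

Binding the response to the account key's thumbprint is what stops a third party from reusing a published challenge response: whoever cannot write under the domain's web root (or DNS, for DNS-01) cannot pass, regardless of what name or address they type into a registration form.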
  • You can use any information in the details.

  • niuwo Member

    You can use acme.sh, as long as you have control of the domain name.

    # Debian/Ubuntu: curl fetches the installer, cron runs renewals, socat serves the standalone challenge
    apt-get update -y && apt-get -y install curl cron socat
    # CentOS: the cron daemon package is named cronie here, not cron
    yum update -y && yum -y install curl cronie socat

    # install acme.sh for the current user (puts acme.sh in ~/.acme.sh and adds a renewal cron job)
    curl https://get.acme.sh | sh
    
    Thanked by: verjin, Tony40, proxima
  • jsg Member, Resident Benchmarker
    edited April 2020

    @Tony40 said:
    When I request a certificate, do I put my server location or my address?

    My server is in Germany, I live in the US... it's not for a company, just a personal website

    In the old days when a cert as well as the entity information with it had some kind of meaning you would have put in the info of the entity who owned the domain - not the server or VPS, not the router nor the toaster but the domain.

    Nowadays since LE offers certs for free and basically no significant validation at all, other than someone requesting a cert having some kind of control over the domain name or the server it's hosted on -plus- when "encrypt everything! Always!" has become a religion, the real value of most certs for private entities is to avoid the browsers complaining about some domain, oh gawd, not being served over https.

    So feel free to enter "42" as the owner and some imaginary address on the planet Mars.

  • snz Member

    I would suggest something like traefik or caddy. Nowadays I don't hate TLS anymore.

  • jsg Member, Resident Benchmarker

    Oh, btw ...

    openssl.org said:
    OpenSSL Security Advisory [21 April 2020]

    Segmentation fault in SSL_check_chain (CVE-2020-1967)

    Severity: High

    Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the "signature_algorithms_cert" TLS extension.
    The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack.

    Notes (by myself):
    To check the chain is recommended
    To use the most current TLS version - which is 1.3 - is recommended

    My personal advice: stay away from TLS 1.3 and try better ssl/tls library alternatives to openssl.

    Reason: Yet another TLS clusterf_ck is not unexpected. "sakkurity ekspurts" who seriously think that making the protocol faster by cutting down RTT while/by considerably increasing complexity is the priority instead of creating an actually more secure TLS version, are not security experts but morons.

    Reason 2/proof: I quote "It was found using the new static analysis pass being implemented in GCC, -fanalyzer".
    That GCC "analyzer" is not a real static analyser, far from it. The GCC in charge guy himself spelled it out honestly and clearly; it's a start, a first attempt at implementing some limited static analysis into GCC. Real professionals at the very least use the built-in CLANG static analysis capabilities which are far more extensive than what GCC currently offers. For something of the importance and sensitivity of openssl real professionals actually use a real (standalone) static analyser.

    But hey TLS 1.3 is faster than 1.2 and LE throws free certs at everyone, so let's sing the holy sakkurity credo altogether "Encrypt everything! Always!" lalala

    Thanked by: bdl, Tony40
  • Acme.sh is good!

  • raindog308 Administrator, Veteran

    jsg said: try better ssl/tls library alternatives to openssl

    What is your opinion of libressl?

  • jsg Member, Resident Benchmarker
    edited April 2020

    @raindog308 said:

    jsg said: try better ssl/tls library alternatives to openssl

    What is your opinion of libressl?

    Double-sided. Pro: The OpenBSD people did it. Anti: Some OSs & distros tried it but went back to OpenSSL plus (and more important IMO) it's largely but a somewhat cleaned up version of OpenSSL.

    Iff one absolutely has to use SSL/TLS I'd look at mbedSSL.

    The good news: there are now a few projects working on new (fresh slate) SSL/TLS implementations with security in mind. But I see two (major + smaller ones) problems with those, (a) they progress very slowly, and (b) SSL/TLS has serious flaws so either those projects aim for conformity which means they implement problems too or they basically redesign parts of TLS and lose compatibility. Plus afaik those projects will be behind in versions (e.g. currently aiming for TLS 1.2). Oh and they are implemented in not exactly wide spread languages like e.g. f-star.

    Thanked by: raindog308
  • vingohost Member, Host Rep

    You can use sslforfree.com or certbot if you have root access on the host. You won't need anything except the domain.

    Thanked by: proxima