Comments
You should put your Entity / Organisation / Company location. So in your case you should put US.
Domain is the only thing it cares about; you have to prove that the domain is yours.
https://github.com/acmesh-official/acme.sh
You can use any information in the details.
you can use acme.sh
As long as you have control of the domain name
In the old days when a cert as well as the entity information with it had some kind of meaning you would have put in the info of the entity who owned the domain - not the server or VPS, not the router nor the toaster but the domain.
Nowadays since LE offers certs for free and basically no significant validation at all, other than someone requesting a cert having some kind of control over the domain name or the server it's hosted on -plus- when "encrypt everything! Always!" has become a religion, the real value of most certs for private entities is to avoid the browsers complaining about some domain, oh gawd, not being served over https.
So feel free to enter "42" as the owner and some imaginary address on the planet Mars.
I would suggest something like traefik or caddy. Nowadays I don't hate TLS anymore.
Oh, btw ...
Notes (by myself):
To check the chain is recommended
To use the most current TLS version - which is 1.3 - is recommended
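The two notes above (check the chain, use TLS 1.3) can both be exercised locally. The following Go program is an added example written for this thread, not code from any poster or from acme.sh: it builds a throwaway root, intermediate and leaf certificate for the constructed hostname `example.test`, verifies the leaf once with and once without the intermediate, then runs a real TLS handshake on loopback to read back the negotiated protocol version. The function names (`BuildPKI`, `VerifyChain`, `Handshake`) and the hostname are assumptions for the demo; a server that omits its intermediate fails exactly the way the "check the chain" advice warns about.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Demo holds a constructed three-level PKI: root -> intermediate -> leaf (demo data, not a real CA).
type Demo struct {
	Host              string
	Root, Inter, Leaf *x509.Certificate
	LeafKey           *ecdsa.PrivateKey
}

// issue creates a certificate for cn; when parent is nil the certificate is self-signed.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		// Leaf: server-auth EKU plus a SAN, which is what modern verifiers match the hostname against.
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{cn}
	}
	signer, signKey := tmpl, key
	if parent != nil {
		signer, signKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildPKI issues root -> intermediate -> leaf for host (hypothetical demo hierarchy).
func BuildPKI(host string) (*Demo, error) {
	root, rootKey, err := issue("Demo Root CA", true, nil, nil)
	if err != nil {
		return nil, err
	}
	inter, interKey, err := issue("Demo Intermediate CA", true, root, rootKey)
	if err != nil {
		return nil, err
	}
	leaf, leafKey, err := issue(host, false, inter, interKey)
	if err != nil {
		return nil, err
	}
	return &Demo{Host: host, Root: root, Inter: inter, Leaf: leaf, LeafKey: leafKey}, nil
}

// VerifyChain checks the leaf against the root, optionally supplying the intermediate.
// Without the intermediate the path from leaf to root cannot be built and verification fails.
func VerifyChain(d *Demo, withIntermediate bool) error {
	roots := x509.NewCertPool()
	roots.AddCert(d.Root)
	opts := x509.VerifyOptions{Roots: roots, DNSName: d.Host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	if withIntermediate {
		opts.Intermediates = x509.NewCertPool()
		opts.Intermediates.AddCert(d.Inter)
	}
	_, err := d.Leaf.Verify(opts)
	return err
}

func versionName(v uint16) string {
	switch v {
	case tls.VersionTLS13:
		return "TLS 1.3"
	case tls.VersionTLS12:
		return "TLS 1.2"
	}
	return fmt.Sprintf("0x%04x", v)
}

// Handshake runs a loopback TLS 1.3 handshake; the server sends the intermediate only if asked to.
// It returns the negotiated protocol version as seen by the client.
func Handshake(d *Demo, sendIntermediate bool) (string, error) {
	chain := [][]byte{d.Leaf.Raw}
	if sendIntermediate {
		chain = append(chain, d.Inter.Raw)
	}
	srvCfg := &tls.Config{MinVersion: tls.VersionTLS13,
		Certificates: []tls.Certificate{{Certificate: chain, PrivateKey: d.LeafKey}}}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go func() {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		_ = c.(*tls.Conn).Handshake() // server side completes (or aborts on the client's alert)
		c.Close()
	}()
	roots := x509.NewCertPool()
	roots.AddCert(d.Root)
	cliCfg := &tls.Config{RootCAs: roots, ServerName: d.Host, MinVersion: tls.VersionTLS13}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cliCfg)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	return versionName(conn.ConnectionState().Version), nil
}

func main() {
	d, err := BuildPKI("example.test") // constructed hostname for the demo
	if err != nil {
		panic(err)
	}
	fmt.Println("chain with intermediate:   ", VerifyChain(d, true))
	fmt.Println("chain without intermediate:", VerifyChain(d, false))
	v, err := Handshake(d, true)
	fmt.Println("full chain served:          version", v, "err", err)
	_, err = Handshake(d, false)
	fmt.Println("intermediate omitted:       err", err)
}
```

Run with `go run .`: the full chain verifies and negotiates TLS 1.3, while the leaf-only server is rejected by the client with an unknown-authority error, which is the same failure a browser reports when a server's chain is incomplete.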
My personal advice: stay away from TLS 1.3 and try better ssl/tls library alternatives to openssl.
Reason: Yet another TLS clusterf_ck is not unexpected. "sakkurity ekspurts" who seriously think that making the protocol faster by cutting down RTT while/by considerably increasing complexity is the priority instead of creating an actually more secure TLS version, are not security experts but morons.
Reason 2/proof: I quote "It was found using the new static analysis pass being implemented in GCC, -fanalyzer".
That GCC "analyzer" is not a real static analyser, far from it. The GCC in charge guy himself spelled it out honestly and clearly; it's a start, a first attempt at implementing some limited static analysis into GCC. Real professionals at the very least use the built-in CLANG static analysis capabilities which are far more extensive than what GCC currently offers. For something of the importance and sensitivity of openssl real professionals actually use a real (standalone) static analyser.
But hey TLS 1.3 is faster than 1.2 and LE throws free certs at everyone, so let's sing the holy sakkurity credo altogether "Encrypt everything! Always!" lalala
Acme.sh is good!
What is your opinion of libressl?
Double-sided. Pro: The OpenBSD people did it. Anti: Some OSs & distros tried it but went back to OpenSSL plus (and more important IMO) it's largely but a somewhat cleaned up version of OpenSSL.
Iff one absolutely has to use SSL/TLS I'd look at mbedSSL.
The good news: there are now a few projects working on new (fresh slate) SSL/TLS implementations with security in mind. But I see two (major + smaller ones) problems with those, (a) they progress very slowly, and (b) SSL/TLS has serious flaws so either those projects aim for conformity which means they implement problems too or they basically redesign parts of TLS and lose compatibility. Plus afaik those projects will be behind in versions (e.g. currently aiming for TLS 1.2). Oh and they are implemented in not exactly widespread languages like e.g. f-star.
You can use sslforfree.com or certbot if you have root access on the host. You won't need anything except the domain.