Lets encrypt in the wild

So i have tlsa (my blog) entries for a letsencrypt (my blog) domain name here in the zoo. Since LE certs magically renew (my blog) with at least a month left on them, it throws off my dnssec schedule all the time. The fact that my tlsa records might be off is liveable with.

Lets encrypt appears to be one of the few ca’s with ethical owners – Symantec/Startcom and others have fallen by the wayside, with comodo now owned by a firm that sells tls breaking services to governments.

My calendar is kept busy getting updates, to the point it’s frustrating – i think i will sign the zone at some point in the future and then discover that the letsencrypt cert renewal means it was already needing it.


The tls market appears to be collapsing and none of it is the fault of customers. I can cron my way out of it, and as most people have never heard of tlsa or even check it, it is not the end of the world.

I can live with the tlsa out of sync issue after all, if the only choice i have is to buy tls from a firm that also breaks it if you’re a government. An odd deal.

lets encrypt tls

Been using it for a while now, and now i am using dns entries to validate; the certbot software (my blog) is a lot better than it used to be as it does not stacktrace every two seconds.

Doing multihost is also possible, although tlsa records are something i have yet to automate in the zone files when the tls renewal happens.

Not that anybody checks those anyhow.

After the change of ownership of paid ssl providers to include a firm that hacks ssl/tls for governments this is not me being cheap but ethical – how safe are those issued certificates (my blog) from the hacking firm also owned by the parent company?

tls renewal time from the last time i did them

It was tls renewal time once again in the past so i decided to switch suppliers (my third) and go for sslmate; after all, if you find horrible holes in systemd then you need to be rewarded. I had no idea what i was letting myself in for but in fact it is way better than letsencrypt (my blog) as it uses email contacts instead of some shit http server to validate.

This is paid for rather than ‘free’ and sslmate does work nicely as a cli, although don’t ask it to make a postfix tls instance. If you use microsoft windows then you’re not intelligent enough imho.

Once you have an account (a website job) and the software, you just ask for mail10.zoo1 and it creates the csr, and once validated by the carbon based unit it takes the money and deposits four files on your computer.

Being weird i use mail10.zoo1 for email tls and generally know what i am supposed to be doing, but it should work as a www thing if you’re average.

Comodo issue the certificates and most of my changes worked on the first attempt. Comodo’s new owner is an issue.

That’s basic usage for one host. You can also specify a spending limit per day, so if you have issues like that then a low amount means you get an email saying so.

I need multi host ssl for .zoo and they offer it at a most reasonable price, so .zoo and mail10.zoo will all be covered with tls. Doing this with other resellers would mean an expensive wildcard cert that would go unused or two standard ssl certs, and while it is not that hard i want something better.

Multi host as an experiment did not work the way i expected and the firm did not respond to my email.  However i have enough brains to work around the issue.

Generally i can do dane (my blog) and so website ssl, but only on http://www.zoo not .zoo. It was not worth the extra money to add it, but config wise, with the extra hosts in the certificate, it makes hashing of tlsa easy.

Next year i do not see much point in long term certs as things change, say sha1 replaced with sha256, so at some point you’re going to replace the cert with a new one with a new hash. It’s still work.

I was able to get a cert and the chain files and adjust configs myself, rather than be inflicted with apache configs and unknown postfix somethings that other tools insist on fixing despite me knowing what i am doing.

Would i do it again – individual is cheaper and perhaps worth setting up, say www. and *.zoo, so this is not a total waste of time, one i will put down to experience despite wasting http://www.mail10.zoo as an unused address.

The more complex the cli command the less intuitive it becomes and the documentation on the website is lacking but kind of guessable.

Maybe i go for a wildcard ssl next time.

Both times i got a pdf invoice.


Symantec leaves the ssl market


Symantec i read have sold their ssl interests after fucking up ssl (tls) certs with the green bars. Quite how these security geniuses ended up in such a state is noteworthy, but it probably leaves many of you with bad unverified certificates from them and their brands that will stop working.

This has happened before (my blog) so size is no guarantee of administration. Oddly these are the same people who complain bitterly about others and not their own behaviour in the past.

I do not have any Symantec brands of tls, but i do not want any of their products in the zoo.

It feels like money trumps integrity. Most of us do tls once and never have to worry about it for a year or so, but Symantec have other plans for you.

CS Academics who can’t run an email server

nugura.cs.usyd.edu.au tried to send the zoo something; alas they’re a bit shit at mail servers. Let’s take a look….

smtpd[*]: NOQUEUE: reject: RCPT from nugura.cs.usyd.edu.au[129.78.110.124]: 504 5.5.2 : Helo command rejected: need fully-qualified hostname; from=<caa_verification@nugura.cs.usyd.edu.au> to=<abuse@zoo> proto=SMTP helo=<nugura>

Oh well, it would have been interesting to see (my blog) that, but i am not that bothered.

the amusing antics of the ssl mafia


Bananas was reading this (not here) and the whole concept of paid tls seems like a make work scheme.

For the record the zoo has ssl, dnssec and other things, but our certs for tls are the cheap ones (dv) – we also have one lets-encrypt doing something boring.

For ov and ev certs even the cert providers fail the validation test; Symantec has been issuing them without these checks. No i am not making that up, these are supposed to be trustworthy. Oh well, as long as money is handed over the mafia do not really care.

I have no problem with tls except the way it is procured and set up – for instance how many sites with ssl/tls have caa records, or tlsa.

If you have tls certs and have no fucking clue what a caa is (not regulation of aircraft) then you’re a problem here too.

So the ssl mafia has been complaining and while i am ok with tls1.3 i do wonder if i will still need my zoo email to handle tls1.0 because some retard at our energy company has not even heard of tls 1.2.

Other shit things the ssl mafia have come up with include hpkp, and the ideas continue with httpev: because https is, er, could mean anything apparently.

The link is an informative read about the perception of things and the desperation of the ssl mafia to differentiate and not follow their own rules while whining about things.

As the browser makers seem not inclined to do the extended bidding of the ssl mafia and people think what they think, i am certainly not inclined to buy ev certs; for instance, how would the average smart phone user know that the ev certified site they visited is genuine?

These are valid concerns but the reaction of the ssl mafia is, as usual, screwed up. These goodfellas are great, are they not?

caa records the hardish way


Caa* records are a bit rare, and unless you run a very new dns server version many of these records will be tossed out as too new, since the record type is not supported either by the name server or by the dnssec wrapper.

To do caa records in an ‘older’ server i had to use rfc 3597 syntax, which does look like voodoo compared to normal dns records; it’s not the kind of thing the bbc think is not worth reporting on (my blog). It is some kind of machine readable format which i have not delved into, but it looks a bit like atps.
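A worked example of that rfc 3597 generic syntax, added here and not from the original post: it packs a CAA record (type 257, wire format flags byte, tag length, tag, value) into the `TYPE257 \# <length> <hex>` form an older name server accepts, and decodes one back so an existing zone entry can be checked. The letsencrypt.org value is only a sample.

```python
import re

CAA_TYPE = 257  # IANA RR type number for CAA

def caa_rfc3597(flags, tag, value):
    """Return the RFC 3597 presentation form of a CAA record: TYPE257 \\# <len> <hex>."""
    if not 0 <= flags <= 255:
        raise ValueError("flags is a single byte (128 = issuer critical)")
    tag_b = tag.encode("ascii")
    if not 1 <= len(tag_b) <= 255 or not tag_b.isalnum():
        raise ValueError("tag must be 1-255 alphanumeric ASCII bytes")
    # Wire format: flags (1 byte) | tag length (1 byte) | tag | value (rest of rdata)
    wire = bytes([flags, len(tag_b)]) + tag_b + value.encode("utf-8")
    return f"TYPE{CAA_TYPE} \\# {len(wire)} {wire.hex()}"

def parse_rfc3597(rdata):
    """Decode a TYPE257 generic record back into (flags, tag, value) to verify a zone entry."""
    m = re.fullmatch(r"TYPE257 \\# (\d+) ((?:[0-9a-fA-F]{2}\s*)*)", rdata.strip())
    if not m:
        raise ValueError("not a TYPE257 generic record")
    wire = bytes.fromhex(re.sub(r"\s", "", m.group(2)))
    if len(wire) != int(m.group(1)):
        raise ValueError("declared rdata length does not match the hex data")
    flags, taglen = wire[0], wire[1]
    tag = wire[2:2 + taglen].decode("ascii")
    value = wire[2 + taglen:].decode("utf-8")
    return flags, tag, value
```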


Not all ca’s (not a typo) support caa; for instance, as i write this gandi don’t but letsencrypt do, so if you’re shopping for tls it’s another limiter.

So two zoo domains do have caa records from two suppliers, but two do not. As many dns things like tlsa (my blog) are not checked by browsers, i doubt they will be doing caa checks anytime soon.

So I will keep the two records i have and see how maintainable they are. Stay tuned for updates!

It is doubtful the zoo will purchase gandi ssl (tls) again.

*nothing to do with aircraft

the unscheduled lets encrypt renewal by 21 days

Lets encrypt is a free tls thing and a bit of a game for me; to do email in tls i had to make a web site just to get the bloody tls, which assumedly lasts three months and then i have to redo my tlsa records for dane.

I wrote down the date but 21 days early it got renewed all on its own; i only know this since i got an email about this fucked up renewal as the tlsa records were wrong. How the fuck did 90 days become 69. That’s with the zoo doing some pruning of lets encrypt cron jobs and me not knowing precisely what calls the update in debian (not me).

I renewed my tlsa records (my blog), but its process to call for updates and inform you is something i have to figure out, and that’s even looking at the logs in /var/log/letsencrypt which are a joy to read due to stack traces.

Grr


Letsencrypt finally figured out (meh)

One afternoon i was bored on a bank holiday and decided to go figure out letsencrypt, my previous attempt at which left much to be desired (my blog).

The domain was using self signed certs for email and i had no www, and being slightly drunk certainly made a game of it; after all this has got to work somehow.

This is from debian backports; i guess i might end up compiling everything if i compiled from source. Since i use debian let’s try and keep it the debian way.

I had to do some www config work, listening on 80 and 443 in apache; i also did some dns redirect diversions a day earlier.


Nit pick – the man page for certbot really sucks in formatting; you have to be in FULL SCREEN mode or otherwise the formatting is shit. I smell a gnome developer.

With my config i then experimented until i hit the right command to use with apache, since i have a host that does more than just one website, which is where crappy website hosting will assume that you only have one.

I used

certbot certonly --webroot -w /var/www/<host>/ -d <host>

which picked up the config rather than assuming i have only one ip address.

Anyhow i eventually got a working certificate (not getting a useless www. is a plus point) after some apache config work and restarts, but guessing where the certs were was the next issue – a google discovered that /etc/letsencrypt/live/<host>/*.pem was the ticket. Never trusted or knew about the automatic apache config mode, of which i have no idea if that is for the 2.2 or 2.4 release.

Reconfiguring apache could be a big job for me if it fucks up, as we host more than one website here in the zoo on one computer. I really do not trust certbot to configure things and i like to know how it works rather than some stuff i did not set up.

For dane (my blog) i had to hash the cert.pem – i only really want it for that, not apache; why i can’t use email to approve this shit like paid certs do is beyond me. If they want an apache config i am willing to oblige, but this is me pushing the average user envelope.

Most people reading this probably cannot use tls in email – say gandi clients – or have dkim signed mail, unless you buy a high end xen instance and configure it yourself. tls encryption was a no in the cheapest gandi* offering when i looked.

Letsencrypt works in postfix too once you set the cert, ca chain and private key; tlsa hashing was successful too, a benefit of doing the apache ssl config.

These certs only last three months, so expect a lot of crap in /var/log/letsencrypt from python dumps, and it is easier said than done to track down what generates them even with cron jobs turned off, although the renewal directory files appear to be adjusted by something i have no idea about.

I have now got to write an index html page and a 404 explaining the reason for this bizarre oddity. It’s a make work scheme, although it will work with the default index.html we all know and love.

Then your renewal – you have to set up a cron entry; in three months time i then have to hash cert.pem once again and change the dns records.
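An added example (not code from the post) for the re-hashing chore above and for the unscheduled renewal that broke the tlsa records earlier: it computes DANE-EE rdata from a certificate, either `3 1 1` (SHA-256 of the SubjectPublicKeyInfo) or `3 0 1` (SHA-256 of the whole cert), with a tiny DER walker and two constructed stand-in certificates (`toy_cert`, `KEY_SPKI`, both assumptions here) that share one key pair, which shows that only the `3 1 1` form keeps matching when a renewal reuses the key. For a real cert.pem, base64-decode the PEM body and pass the DER bytes to `tlsa_rdata`.

```python
import hashlib
def der(tag, body):
    """Encode one DER TLV (short or long form length)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def tlv_iter(data):
    """Yield (tag, body) for each consecutive TLV in a DER byte string."""
    i = 0
    while i < len(data):
        tag, first, i = data[i], data[i + 1], i + 2
        length = first
        if first & 0x80:                   # long form: next (first & 0x7F) bytes hold the length
            n = first & 0x7F
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        yield tag, data[i:i + length]
        i += length

def spki_of(cert_der):
    """Extract the DER SubjectPublicKeyInfo from an X.509 certificate."""
    (_, cert_body), = tlv_iter(cert_der)   # Certificate ::= SEQUENCE { tbsCertificate, sigAlg, sig }
    (_, tbs), *_ = tlv_iter(cert_body)     # tbsCertificate is the first element
    fields = list(tlv_iter(tbs))
    if fields[0][0] == 0xA0:               # optional EXPLICIT [0] version comes first
        fields = fields[1:]
    # then: serialNumber, signature alg, issuer, validity, subject, subjectPublicKeyInfo
    return der(0x30, fields[5][1])

def tlsa_rdata(cert_der, usage=3, selector=1, mtype=1):
    """TLSA rdata: usage 3 = DANE-EE, selector 1 = SPKI (0 = full cert), mtype 1 = SHA-256 (0 = raw)."""
    data = spki_of(cert_der) if selector == 1 else cert_der
    digest = hashlib.sha256(data).hexdigest() if mtype == 1 else data.hex()
    return f"{usage} {selector} {mtype} {digest}"

RSA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01"  # 1.2.840.113549.1.1: .1 = rsaEncryption, .11 = sha256WithRSA
def toy_cert(serial, spki_der):
    """Structurally valid but unsigned stand-in certificate (constructed test data, not a real cert)."""
    sig_alg = der(0x30, der(0x06, RSA_OID + b"\x0b"))
    validity = der(0x30, der(0x18, b"20240101000000Z") + der(0x18, b"20240401000000Z"))
    tbs = (der(0xA0, der(0x02, b"\x02")) + der(0x02, bytes([serial])) + sig_alg
           + der(0x30, b"") + validity + der(0x30, b"") + spki_der)
    return der(0x30, der(0x30, tbs) + sig_alg + der(0x03, b"\x00"))
# Constructed key material standing in for a real rsaEncryption SubjectPublicKeyInfo.
KEY_SPKI = der(0x30, der(0x30, der(0x06, RSA_OID + b"\x01") + der(0x05, b""))
               + der(0x03, b"\x00" + bytes(range(64))))
OLD_CERT = toy_cert(1, KEY_SPKI)   # the cert the TLSA record was published for
NEW_CERT = toy_cert(2, KEY_SPKI)   # the renewed cert, same key pair reused
```

With the key reused, `tlsa_rdata(OLD_CERT)` and `tlsa_rdata(NEW_CERT)` are identical, while the `3 0 1` form changes on every renewal; a renewal that generates a fresh key breaks both.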

The cron scheduling may or may not be available with basic or average hosting.

I suppose it is better than self signed.

This i suppose is not how your average website would usually get a tls cert, but the monkey house is not constrained like you lot with one ip address, a virgin domain name and a strange version of dns, email and hosting.

Works here, though setting hsts (my blog) to three months is deemed ‘bad’ by some.

*gandi is a hosting firm not an indian