Your cert is about to expire... we'll let you count the ways we screwed up ours.


  • Discourse touched me in a no-no place

    (Anonymonged a bit):

    Ok... (after accepting the certificate anyway, so sue me..)

    Not that I'm using that cert any more, but still, seriously guys? You're in the business of issuing certs and fuck up your own? At least I'm assuming it's not Chrome this time...

    Nope. Firefox doesn't like them either:



  • To be fair that old algorithm was only disabled a couple weeks ago.

    Still. Why were they using it any time in the last FIVE YEARS?



  • I remember when cacert wasn't trusted at all, so I guess this is an improvement?

    Also,

    UPDATE: Unfortunately the Re-Signing event had to be postponed due to shortage of manpower in the different teams involved in the process. The currently a new date is being searched. As soon as the new date is available it will be announced here.

    Oops!



  • Up until last year almost every site was SHA-1 and all CAs with the exception of GoDaddy issued SHA-1 certificates and only issued SHA-2 certs by special request.



  • That doesn't even make sense. Their root is signed with MD5 but root certificates aren't trusted because of their signatures. For a while there was an old Verisign root still in use that used MD2. What matters are the signatures on the intermediate and endpoint certs.



  • So it's not related? Cacert is still not trusted by browsers? I guess letsencrypt is going to take over completely!





  • @ben_lubar said:

    certificates issued by CAcert are not as useful in web browsers as certificates issued by commercial CAs such as VeriSign

    OK, so I should have researched before saying anything. I hadn't checked with them for so long and just assumed that they would have gotten their root certificate installed almost everywhere.

    So for the OP of this thread, their own certificate would have the same problem (authority invalid), but Firefox checks the type of certificate it is before checking whether it is signed with a valid root.



  • @PJH here's how I do SSL on my server:

    crontab:

    30 3 * * 2 letsencrypt certonly --webroot --webroot-path=/usr/share/nginx/html --domain ben.lubar.me --domain lubar.me --domain tdwtf.local.lubar.me --domain discourse.local.lubar.me --domain nodebb.local.lubar.me --keep-until-expiring --text
    

    /etc/nginx/lubar.me-shared.conf:

    include /etc/nginx/lubar.me-shared-ssl.conf;
    
    listen 443 ssl http2;
    
    location /.well-known/acme-challenge {
            allow all;
            root /usr/share/nginx/html;
            try_files $uri $uri/ =404;
    }
    

    /etc/nginx/lubar.me-shared-ssl.conf:

    ssl_stapling_verify on;
    ssl_stapling on;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 1440m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    # Using list of ciphers from "Bulletproof SSL and TLS"
    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA256 DHE-RSA-AES256-SHA256 EDH-RSA-DES-CBC3-SHA";
    
    ssl_certificate_key /etc/letsencrypt/live/ben.lubar.me/privkey.pem;
    ssl_certificate /etc/letsencrypt/live/ben.lubar.me/fullchain.pem;
    
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
    

    And then (for example) the NodeBB site:

    server {
        include /etc/nginx/lubar.me-shared.conf;
        listen 80;
        server_name nodebb.local.lubar.me;
    
        location / {
            proxy_pass http://unix:/usr/share/nginx/tdwtf-nodebb.sock/sock:/;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
            proxy_set_header X-NginX-Proxy true;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_http_version 1.1;
        }
    }
    

    A similar setup will work on any system with the ability to execute python scripts, an HTTP server, and a filesystem.

    As an added bonus, it works in pretty much every browser.


    Filed under: insert embedded system meme here


  • Garbage Person

    DES? Really?

    You'd be much better off disabling the DHE/EDH ciphers. There's just a whole lot of hurt in there.



  • 3DES. For older browsers. It's not insecure, just old.



  • 3DES is three times as secure, amirite?



  • Actually yes, it would be (168-bit vs 56-bit) if it weren't for the meet-in-the-middle attack, which reduces its effective strength to 112 bits.
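
Why three 56-bit keys come out at roughly 112 bits rather than 168, shown on a scaled-down model (an added example, not part of the thread). `enc`/`dec` are a constructed toy cipher with 8-bit keys standing in for DES, and every name and constant here is an assumption made for illustration: the nominal key space is 2^24, yet the search makes only 2^8 + 2^16 key guesses, mirroring 2^56 + 2^112 against 2^168.

```python
# Toy model of three-key EDE ("triple") encryption with 8-bit keys per stage.
# The cipher and all constants are constructed for illustration; this is not DES.
from collections import defaultdict

MASK = 0xFFFFFFFF
MUL = 0x9E3779B1                 # odd, so invertible modulo 2**32
INV = pow(MUL, -1, 1 << 32)      # multiplicative inverse (Python 3.8+)
KEY_BITS = 8                     # stands in for DES's 56 bits per key


def enc(k, x):
    """Toy invertible 32-bit block cipher keyed by an 8-bit key."""
    for _ in range(3):
        x ^= k * 0x01010101
        x = (x * MUL) & MASK
        x = ((x << 11) | (x >> 21)) & MASK   # rotate left by 11
    return x


def dec(k, x):
    """Inverse of enc: undo rotate, multiply and XOR in reverse order."""
    for _ in range(3):
        x = ((x >> 11) | (x << 21)) & MASK   # rotate right by 11
        x = (x * INV) & MASK
        x ^= k * 0x01010101
    return x


def ede(keys, x):
    """Encrypt-decrypt-encrypt with three independent keys, as 3DES does."""
    k1, k2, k3 = keys
    return enc(k3, dec(k2, enc(k1, x)))


def recover_keys(pairs):
    """Return (key triples consistent with all pairs, key guesses made)."""
    (p1, c1), rest = pairs[0], pairs[1:]
    n = 1 << KEY_BITS
    middle = defaultdict(list)   # E_k1(p1) -> k1 values: one stage, 2^8 work
    for k1 in range(n):
        middle[enc(k1, p1)].append(k1)
    guesses, found = n, []
    for k2 in range(n):          # the other two stages together: 2^16 work
        for k3 in range(n):
            guesses += 1
            for k1 in middle.get(enc(k2, dec(k3, c1)), ()):
                if all(ede((k1, k2, k3), p) == c for p, c in rest):
                    found.append((k1, k2, k3))
    return found, guesses
```

The cost is dominated by the side that has to cover two keys at once, which is why the third key adds no strength beyond the second; the lookup table for the single-key side is the memory price of the shortcut.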



