Servercooties


  • Winner of the 2016 Presidential Election

    [two attached screenshots: Screenshot_20160330-115030.png, Screenshot_20160330-115033.png]

    Paging @accalia, @RaceProUK, @Onyx - servercooties' cert appears invalid to Chrome on my Nexus 6. It's not a StartCom problem because my site works fine...



  • @sloosecannon it expired earlier this month


  • Winner of the 2016 Presidential Election

    @ben_lubar did it? It's an April expiration?



  • Weird, Chrome on Windows 10 doesn't have an issue with the cert:
    [attached screenshot]


  • Winner of the 2016 Presidential Election

    @RaceProUK maybe it's not sending intermediate certs?


  • Winner of the 2016 Presidential Election


  • sockdevs

    hmm. yeah that's an issue. the main cert expires in 11 days too....

    @raceprouk, care to take a crack at fixing that? you should have root access to the server already



  • @accalia I have Friday off; it can wait until then


  • sockdevs

    @RaceProUK seems fair. it's not like there's sensitive information on that server anyway.



  • @accalia @RaceProUK might I suggest letsencrypt? That's what I use for *.lubar.me.



  • @ben_lubar @accalia's suggested that too



  • @RaceProUK here's some crap that might help you if you decide to go down that route:

    $ sudo crontab -l | tail -n 1
    30 3 * * 2 letsencrypt certonly --webroot --webroot-path=/usr/share/nginx/html --domain ben.lubar.me --domain lubar.me --domain tdwtf.local.lubar.me --domain discourse.local.lubar.me --domain nodebb.local.lubar.me --keep-until-expiring --text
    
    $ cat /etc/nginx/sites-enabled/discourse.local.lubar.me
    [snip]
    server {
        include /etc/nginx/lubar.me-shared.conf;
        listen 80;
        server_name discourse.local.lubar.me;
    [snip]
    
    $ cat /etc/nginx/lubar.me-shared.conf 
    include /etc/nginx/lubar.me-shared-ssl.conf;
    
    listen 443 ssl http2;
    # listen 443 ssl;
    
    location /.well-known/acme-challenge {
            allow all;
            root /usr/share/nginx/html;
            try_files $uri $uri/ =404;
    }
    
    $ cat /etc/nginx/lubar.me-shared-ssl.conf 
    ssl_stapling_verify on;
    ssl_stapling on;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 1440m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    # Using list of ciphers from "Bulletproof SSL and TLS"
    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA256 DHE-RSA-AES256-SHA256 EDH-RSA-DES-CBC3-SHA";
    
    ssl_certificate_key /etc/letsencrypt/live/ben.lubar.me/privkey.pem;
    ssl_certificate /etc/letsencrypt/live/ben.lubar.me/fullchain.pem;
    ssl_dhparam /usr/share/nginx/dhparam.pem;
    
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
    

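The two failure modes this thread runs into, a certificate that has expired and a server that does not send its intermediate (which a desktop client masks by fetching the intermediate itself while Chrome on Android does not), can be reproduced offline. The Go program below is an added example, not code from the thread or from the servercooties/What the Daily WTF? project: it builds a throwaway root/intermediate/leaf hierarchy in memory (all names, such as `Example Root CA` and `forum.example.test`, and the fixed "today" of 2016-03-30 are constructed), then verifies the leaf using only the certificates a server would actually serve, the way a client without AIA fetching does.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ChainStatus is what a strict client concludes from the certificates a server
// actually serves. Type and field names are constructed for this example.
type ChainStatus struct {
	Valid               bool // chain built to a trusted root at time now
	Expired             bool // the leaf or a served intermediate is past NotAfter
	LeafDaysLeft        int  // days until the leaf expires (negative once expired)
	MissingIntermediate bool // issuer is neither a trusted root nor among the served certs
}

// issue generates a P-256 key and signs tmpl with parentKey (self-signed when parent is nil).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewTestPKI builds a constructed hierarchy root -> intermediate -> leaf for host:
// the root is valid ten years, the intermediate until interNotAfter, the leaf
// until leafNotAfter; all three are valid from one year before now.
func NewTestPKI(now, interNotAfter, leafNotAfter time.Time, host string) (root, inter, leaf *x509.Certificate, err error) {
	notBefore := now.AddDate(-1, 0, 0)
	ca := func(serial int64, name string, notAfter time.Time) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
			NotBefore: notBefore, NotAfter: notAfter, IsCA: true, BasicConstraintsValid: true,
			KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		}
	}
	root, rootKey, err := issue(ca(1, "Example Root CA", now.AddDate(10, 0, 0)), nil, nil)
	if err != nil {
		return nil, nil, nil, err
	}
	inter, interKey, err := issue(ca(2, "Example Intermediate CA", interNotAfter), root, rootKey)
	if err != nil {
		return nil, nil, nil, err
	}
	leaf, _, err = issue(&x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: notBefore, NotAfter: leafNotAfter, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, inter, interKey)
	return root, inter, leaf, err
}

// CheckChain verifies leaf at time now using only the trusted roots and the
// intermediates the server served. Like Chrome on Android it never fetches a
// missing intermediate itself, so a server that omits one fails here even
// though a client that fetches it via AIA would show no error.
func CheckChain(leaf *x509.Certificate, served []*x509.Certificate, roots *x509.CertPool, now time.Time, host string) ChainStatus {
	st := ChainStatus{LeafDaysLeft: int(leaf.NotAfter.Sub(now).Hours() / 24), Expired: now.After(leaf.NotAfter)}
	inters := x509.NewCertPool()
	for _, c := range served {
		inters.AddCert(c)
		st.Expired = st.Expired || now.After(c.NotAfter) // checked directly, not via Verify's first error
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, CurrentTime: now, DNSName: host})
	st.Valid = err == nil
	var unknown x509.UnknownAuthorityError
	st.MissingIntermediate = !st.Valid && !st.Expired && errors.As(err, &unknown)
	return st
}

func main() {
	now := time.Date(2016, 3, 30, 12, 0, 0, 0, time.UTC) // constructed "today"
	host := "forum.example.test"
	root, inter, leaf, err := NewTestPKI(now, now.AddDate(5, 0, 0), now.AddDate(0, 0, 11), host)
	if err != nil {
		panic(err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	fmt.Printf("full chain served: %+v\n", CheckChain(leaf, []*x509.Certificate{inter}, roots, now, host))
	fmt.Printf("leaf only served:  %+v\n", CheckChain(leaf, nil, roots, now, host))
}
```

Against a live server the same check is fed `ConnectionState().PeerCertificates` from a `crypto/tls` connection, with `[0]` as the leaf, `[1:]` as the served intermediates and `Roots` left nil so the system store is used; a result with `MissingIntermediate` set is exactly the "works on Windows, fails on Android" symptom above, and a negative `LeafDaysLeft` is what a renewal cron job like the one posted is meant to prevent. One separate caveat on the posted nginx fragment: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` reflects 2016 practice, and TLS 1.0 and 1.1 have since been deprecated (RFC 8996), so a current deployment would list only `TLSv1.2 TLSv1.3`.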