Servercooties
-
Paging @accalia, @RaceProUK, @Onyx - servercooties' cert appears invalid to Chrome on my Nexus 6. It's not a StartCom problem because my site works fine...
-
@sloosecannon it expired earlier this month
-
@ben_lubar did it? It's an April expiration?
-
Weird, Chrome on Windows 10 doesn't have an issue with the cert:
-
@RaceProUK maybe it's not sending intermediate certs?
-
@sloosecannon yep, that's it.
https://www.ssllabs.com/ssltest/analyze.html?d=servercooties.com&latest
-
hmm. yeah that's an issue. the main cert expires in 11 days too....
@raceprouk, care to take a crack at fixing that? you should have root access to the server already
-
@accalia I have Friday off; it can wait until then
-
@RaceProUK seems fair. it's not like there's sensitive information on that server anyway.
-
@accalia @RaceProUK might I suggest letsencrypt? That's what I use for *.lubar.me.
-
@ben_lubar @accalia's suggested that too
-
@RaceProUK here's some crap that might help you if you decide to go down that route:
$ sudo crontab -l | tail -n 1
30 3 * * 2 letsencrypt certonly --webroot --webroot-path=/usr/share/nginx/html --domain ben.lubar.me --domain lubar.me --domain tdwtf.local.lubar.me --domain discourse.local.lubar.me --domain nodebb.local.lubar.me --keep-until-expiring --text

$ cat /etc/nginx/sites-enabled/discourse.local.lubar.me
[snip]
server {
    include /etc/nginx/lubar.me-shared.conf;
    listen 80;
    server_name discourse.local.lubar.me;
[snip]

$ cat /etc/nginx/lubar.me-shared.conf
include /etc/nginx/lubar.me-shared-ssl.conf;
listen 443 ssl http2;
# listen 443 ssl;
location /.well-known/acme-challenge {
    allow all;
    root /usr/share/nginx/html;
    try_files $uri $uri/ =404;
}

$ cat /etc/nginx/lubar.me-shared-ssl.conf
ssl_stapling_verify on;
ssl_stapling on;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 1440m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
# Using list of ciphers from "Bulletproof SSL and TLS"
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA256 DHE-RSA-AES256-SHA256 EDH-RSA-DES-CBC3-SHA";
ssl_certificate_key /etc/letsencrypt/live/ben.lubar.me/privkey.pem;
ssl_certificate /etc/letsencrypt/live/ben.lubar.me/fullchain.pem;
ssl_dhparam /usr/share/nginx/dhparam.pem;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
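Added example, not from ben_lubar's post or anyone else in the thread: a throwaway root -> intermediate -> leaf PKI built with the openssl CLI, used to reproduce both things discussed above. A client that only holds the root (like Chrome on the Nexus 6, which does not go and fetch a missing intermediate) cannot validate a server that sends the leaf cert alone, but the same leaf bundled with its intermediate validates fine, which is exactly why the nginx config points `ssl_certificate` at `fullchain.pem` rather than `cert.pem`. The leaf is issued with 11 days left so the expiry check trips the same way the SSL Labs report did. All names (`servercooties.example`, the "Example Test" CAs) are constructed; it assumes only that `openssl` (1.1.1 or newer) is on the PATH.

```shell
#!/bin/sh
# Added example for this thread, not code from the original post. Builds a
# root -> intermediate -> leaf chain with openssl and checks (a) whether a
# client holding only the root can validate what the server sends and
# (b) whether the leaf is about to expire. All names are constructed.
set -e

# make_test_pki DIR : writes root.pem, int.pem, leaf.pem (valid 11 days),
# cert-only.pem (what a misconfigured server sends) and fullchain.pem
# (leaf + intermediate, what nginx should serve) into DIR.
make_test_pki() {
    dir=$1
    mkdir -p "$dir"
    printf 'basicConstraints=critical,CA:TRUE\n' > "$dir/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:servercooties.example\n' > "$dir/leaf.ext"

    # Root: self-signed trust anchor, standing in for the browser's root store.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Test Root" \
        -keyout "$dir/root.key" -out "$dir/root.csr" 2>/dev/null
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 365 \
        -extfile "$dir/ca.ext" -out "$dir/root.pem" 2>/dev/null

    # Intermediate: signed by the root, itself a CA (the cert that was missing).
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Test Intermediate" \
        -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -days 180 -extfile "$dir/ca.ext" -out "$dir/int.pem" 2>/dev/null

    # Leaf: signed by the intermediate, deliberately issued with 11 days left.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=servercooties.example" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
        -CAcreateserial -days 11 -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" 2>/dev/null

    cp "$dir/leaf.pem" "$dir/cert-only.pem"
    cat "$dir/leaf.pem" "$dir/int.pem" > "$dir/fullchain.pem"
}

# chain_validates ROOT SENT LEAF : exit 0 if LEAF verifies when the only
# trust anchor is ROOT and the only helper certs are those in SENT
# (the bundle the server would put on the wire). No AIA fetching, like
# the Android client in the thread.
chain_validates() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# expires_within CERT SECONDS : exit 0 if CERT's notAfter is within SECONDS.
# openssl -checkend exits 1 when the cert WILL expire in that window, so invert.
expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# demo : run the checks and print what each configuration looks like.
demo() {
    d=$(mktemp -d)
    make_test_pki "$d"
    if chain_validates "$d/root.pem" "$d/cert-only.pem" "$d/leaf.pem"; then
        echo "cert-only bundle: validates"
    else
        echo "cert-only bundle: FAILS (unable to get local issuer certificate)"
    fi
    if chain_validates "$d/root.pem" "$d/fullchain.pem" "$d/leaf.pem"; then
        echo "fullchain bundle: validates"
    else
        echo "fullchain bundle: FAILS"
    fi
    if expires_within "$d/leaf.pem" 1209600; then
        echo "leaf expires within 14 days: renew now"
    fi
    rm -rf "$d"
}

if [ "${1:-}" = demo ]; then
    demo
fi
```

Run it as `sh chainchk.sh demo`. Serving `cert.pem` instead of `fullchain.pem` is the cert-only case: desktop Chrome papers over it by downloading the intermediate, mobile Chrome and strict clients do not, which is why the same site can look fine on one device and broken on another. The 14-day window in the expiry check is a reasonable threshold to alarm on when the renewal cron in the post above runs weekly.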