Re: [Hampshire] HTTPS Certificate problem

Author: Paul Tansom
Date:  
To: hampshire
Subject: Re: [Hampshire] HTTPS Certificate problem
** Imran Chaudhry via Hampshire <hampshire@???> [2017-02-07 07:52]:
> On 1 February 2017 at 21:01, Thomas Kluyver via Hampshire
> <hampshire@???> wrote:
> > I'm not at all an expert on HTTPS, but if you're running a public web
> > server now, the standard advice is to use letsencrypt
> > (https://letsencrypt.org/ ) to create certificates. They're free and you
> > can get them from an API, but unlike a self-signed certificate, it will
> > be trusted by all major browsers.
> >
> > On Wed, Feb 1, 2017, at 08:58 PM, Stephen Davies via Hampshire wrote:
> >> Along with the general move to using HTTPS I configured my webserver to
> >> allow HTTPS connections.
> >>
> >> However one of my users reported this error.
> >>
> >> The certificate is not trusted because it is self-signed. The
> >> certificate is only valid for bonzo.lan The certificate expired on 21
> >> January 2017 at 13:51. The current time is 1 February 2017 at 20:49.
> >> Error code: SEC_ERROR_UNKNOWN_ISSUER
> >>
> >> Some expert guidance on how I can resolve this would be most welcome.
> >> The system was built just over a year ago hence the certificate expiry.
> >> As it said, the cert currently in use is self signed but as yet I've not
> >> explicitly done anything regarding certs in the webserver.
>
> +1 for letsencrypt.org - I recently switched to HTTPS for all my
> hosted server domains and was very happy to find a "letsencrypt"
> package for Debian that automated the entire process. It even
> auto-renews the cert for you.

** end quote [Imran Chaudhry via Hampshire]

Seconded, I've been using Letsencrypt for a while now (just checked and it
looks as though I signed up back in November 2015), and I've had no problems in
that time. I used to use StartSSL and the manual renewal and install was a
pain, particularly if you'd managed to let your personal account certificate
expire and lost access to the certificates you already had (thankfully I
managed to merge the accounts I had when they did a system upgrade a while
back).

Initially the 90 day renewal on Letsencrypt seems as though it ought to be a
pain, but with the automated renewal I just note that it has happened when my
cron job emails me and get a nice satisfied feeling that all is working fine :)

I currently look to have 13 certificates on the go, and all of those cover
multiple sub domains (even if it is just the base domain and a www, but
frequently a few sub domains as well (forums., gallery., wildlangstone., exim.,
etc.)). I recently added my pop/imap mail server certificates to the process as
well (I'd forgotten they were still with StartSSL) and that was much easier
than expected - took about 10 minutes including working out how to do it :)

--
Paul Tansom | Aptanet Ltd. | https://www.aptanet.com/ | 023 9238 0001
Vice Chair, FSB Portsmouth & SE Hampshire Branch | http://www.fsb.org.uk/
=============================================================================
Registered in England | Company No: 4905028 | Registered Office: Ralls House,
Parklands Business Park, Forrest Road, Denmead, Waterlooville, Hants, PO7 6XP
