Firefox just started popping high security risk
Member
posted
For this site. States that a self signed certificate is no longer "secure". Anyone else getting fed up with these way out in space security dweebs?


I've stopped counting.
 
Posts: 5770 | Location: Michigan | Registered: November 07, 2008
Optimistic Cynic
posted
As a point of curiosity, did you just "update?" My Firefox has been bugging me to apply updates for a while now. I have not done so because I'm concerned that I'll hit the same issue WRT certificates signed by an "untrusted" authority (a Certificate Authority that is not in the club). I run several CAs for my clients, and one for myself, so I will be seriously inconvenienced by a change in the trust matrix like this. As I understand it, Firefox's latest versions have removed the ability to add non-default CAs to the list of approved signers.

Ironically, this eliminates other security patches from being applied, so this "security enhancement policy" ends up making my browsing less secure.

As I am sure the OP understands, this is naked coercion to force certificate users to buy their certs from a commercial CA.
 
Posts: 6791 | Location: NoVA | Registered: July 22, 2009
Banned for
showing his ass
posted
I updated my Firefox two days ago ... and am having no security issues or popups. In the address bar the lock symbol does have a red diagonal line through it suggesting the address is not secure.
 
Posts: 3190 | Location: PNW | Registered: November 16, 2012
Just because you can,
doesn't mean you should
posted
None here, so far.


___________________________
Avoid buying ChiCom/CCP products whenever possible.
 
Posts: 9833 | Location: NE GA | Registered: August 22, 2002
His Royal Hiney
posted
You should see if there's an option to include this site as a "trusted site" in your browser option.



"It did not really matter what we expected from life, but rather what life expected from us. We needed to stop asking about the meaning of life, and instead to think of ourselves as those who were being questioned by life – daily and hourly. Our answer must consist not in talk and meditation, but in right action and in right conduct. Life ultimately means taking the responsibility to find the right answer to its problems and to fulfill the tasks which it constantly sets for each individual." Viktor Frankl, Man's Search for Meaning, 1946.
 
Posts: 20078 | Location: The Free State of Arizona - Ditat Deus | Registered: March 24, 2011
always with a hat or sunscreen
posted
You're just being told the site is http vice the more secure https... no biggie.



Certifiable member of the gun toting, septuagenarian, bucket list workin', crazed retiree, bald is beautiful club!
USN (RET), COTEP #192
 
Posts: 16533 | Location: Black Hills of South Dakota | Registered: June 20, 2010
Member
posted
This has been asked in the SIGforum Office previously. It's probably been there all along but you didn't notice it. I didn't either until it was pointed out. Unless you're buying something from a site, that probably shouldn't be a concern.
 
Posts: 11199 | Location: Somewhere north of a hot humid hell in the summer | Registered: January 09, 2009
For real?
posted
Firefox blocked my work email because it's a self signed certificate.



Not minority enough!
 
Posts: 8171 | Location: Cleveland, OH | Registered: August 09, 2007
W07VH5
posted
It's probably due to avatars linked to unsecure servers.
 
Posts: 45565 | Location: Pennsyltucky | Registered: December 05, 2001
Member
posted
When it popped up this morning I noticed an Advanced tab and clicked on it. After the warning descriptions basically stating that the universe would collapse into a super dense black hole I clicked on proceed and got to Sigforum. Since doing that I have had no more popups. Do have a red line thru the padlock but I trust this forum so I'm not a bit concerned.


I've stopped counting.
 
Posts: 5770 | Location: Michigan | Registered: November 07, 2008
Member
posted
quote:
Originally posted by Scooter123:
When it popped up this morning I noticed an Advanced tab and clicked on it. After the warning descriptions basically stating that the universe would collapse into a super dense black hole I clicked on proceed and got to Sigforum. Since doing that I have had no more popups. Do have a red line thru the padlock but I trust this forum so I'm not a bit concerned.


I've stopped counting.
 
Posts: 5770 | Location: Michigan | Registered: November 07, 2008
Thank you
Very little
posted
Brave reports SF as Not Secure, since SF is a non-HTTPS URL...

Ain't no thang, it's just the browser letting you know about the page you are on, and security as it relates to private info.
 
Posts: 24341 | Location: Gunshine State | Registered: November 07, 2008
Member
posted
I'm running version 86.0 (64 bit), the latest version, and I have no issues visiting SigForum.
 
Posts: 325 | Location: Virginia | Registered: April 09, 2004
Nullus Anxietas
posted
quote:
Originally posted by architect:
As I am sure the OP understands, this is naked coercion to force certificate users to buy their certs from a commercial CA.

Nah. Let's Encrypt certs are trusted, have a verifiable trust chain, and are free. I'm using them on five servers.



"America is at that awkward stage. It's too late to work within the system,,,, but too early to shoot the bastards." -- Claire Wolfe
"If we let things terrify us, life will not be worth living." -- Seneca the Younger, Roman Stoic philosopher
 
Posts: 26009 | Location: S.E. Michigan | Registered: January 06, 2008
Republican in training
posted
quote:
Originally posted by Chowser:
Firefox blocked my work email because it's a self signed certificate.

As it should. Why is your work using a self signed certificate?


--------------------
I like Sigs and HK's, and maybe Glocks
 
Posts: 2282 | Location: SC | Registered: March 16, 2011
Optimistic Cynic
posted
quote:
Originally posted by ensigmatic:
quote:
Originally posted by architect:
As I am sure the OP understands, this is naked coercion to force certificate users to buy their certs from a commercial CA.

Nah. Let's Encrypt certs are trusted, have a verifiable trust chain, and are free. I'm using them on five servers.
Letsencrypt runs a fine service and they are a credit to the community. However, obtaining a cert. for a system that cannot be contacted by the Letsencrypt issuing servers can be frustrating, especially because they seem to want to preferentially query slave NS's for the TXT records, and time out before slave updates are scheduled. Even if you proactively push updates, it still seems to take forever to validate. All this could be avoided with an account-based validation mechanism, e.g. prove you control the domain -> you are trusted for a year, would do it, but having to go through the rigmarole every three months on each and every cert. makes relying on Letsencrypt impractical for many situations, and for more than a dozen or two certificate-using instances.

There is another practical consideration, while lower-level administrative staffers can be tasked with renewing commercial certs., I have found no way to facilitate interaction with Letsencrypt validation without having to issue them more responsibility than management finds comfortable. Not necessarily because the staff is not trustworthy, but because the consequences of error can be significant.

It is much more efficient/practical to set up a client CA, roll your own, and install the root cert. as a trusted signer on whatever clients need it. Not to mention that controlling your own CA allows easy issuance of individual certs. that validate the user as well as the server. Nice to be able to lock out a departing employee by revoking their cert.
 
Posts: 6791 | Location: NoVA | Registered: July 22, 2009
Nullus Anxietas
posted
quote:
Originally posted by architect:
Letsencrypt runs a fine service and they are a credit to the community. However, obtaining a cert. for a system that cannot be contacted by the Letsencrypt issuing servers can be frustrating, ...

Indeed, but there are ways around that.

E.g.: I have a Synology NAS upon which I run Synology Surveillance Station. I wanted SSL connections to it from off-site and I wanted a verified trust chain. Since I run my own Janus DNS (DNS that faces two ways, giving different answers to the LAN and the Internet), I was able to have my existing public web server pretend to be the NAS. Then hook scripts take care of getting updated certs to the internal server and restarting services on the NAS, when necessary.

quote:
Originally posted by architect:
... especially because they seem to want to preferentially query slave NS's for the TXT records, and time out before slave updates are scheduled.

I don't use domain records. I use the well-known URI ACME mechanism.

quote:
Originally posted by architect:
All this could be avoided with an account-based validation mechanism, e.g. prove you control the domain -> you are trusted for a year, would do it, ...

You're asking a lot for something that provides a cert with a trust chain that's free. The additional support resources that would have to go into such a thing would make "free" impractical.

quote:
Originally posted by architect:
... but having to go through the rig-a-ma-role every three months on each and every cert. makes relying on Letsencrypt impractical for many situations, and more than dozen or two certificate-using instances.

First of all: Let's Encrypt now handles domain certs, but the renewal thing doesn't have to be a problem, anyway. I use a tool called "dehydrated", run under a cron job once a week. Certs get updated automatically, as needed. Dehydrated hook scripts copy new certs into the appropriate directories, adjust permissions, and restart services, as necessary.

I set it up, once. I test it via their staging server. Clone the directory from which I tested. Make one minor change to the master config file (to change from the staging to the live servers). Set up the cron job. Done.

I get a weekly email with the output of the script. Here's the output from one that does just a single host:

# INFO: Using main config file /usr/local/libexec/dehydrated/config
Processing host.example.com
 + Using certificate specific config file!
   + HOOK = /usr/local/libexec/dehydrated/hook.d/host_example_com.sh
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Feb 20 11:03:08 2021 GMT (Less than 30 days). Renewing!
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 1 authorizations URLs from the CA
 + Handling authorization for host.example.com
 + 1 pending challenge(s)
 + Deploying challenge tokens...
 + Responding to challenge for host.example.com authorization...
 + Challenge is valid!
 + Cleaning challenge tokens...
 + Requesting certificate...
 + Checking certificate...
 + Done!
 + Creating fullchain.pem...

Restarting services...
dovecot stop/waiting
dovecot start/running, process 5451
 * Stopping Postfix Mail Transport Agent postfix
   ...done.
 * Starting Postfix Mail Transport Agent postfix
   ...done.
 * Restarting web server apache2
   ...done.
 + Done!


quote:
Originally posted by architect:
It is much more efficient/practical to set up a client CA, roll you own, and install the root cert. as a trusted signer on whatever clients need it.

Fair enough, but entirely impractical for a public server such as, for example, SF.



"America is at that awkward stage. It's too late to work within the system,,,, but too early to shoot the bastards." -- Claire Wolfe
"If we let things terrify us, life will not be worth living." -- Seneca the Younger, Roman Stoic philosopher
 
Posts: 26009 | Location: S.E. Michigan | Registered: January 06, 2008
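Added example, not ensigmatic's script and not dehydrated's own hook.sh: a hypothetical hook script for the deploy_cert step described above (copy the new cert files into place, set permissions, restart the services that the output shows being bounced). dehydrated calls the hook as `hook.sh <handler> [args...]`, and for deploy_cert the args are DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP; the CERT_DIR and SERVICES settings, and the use of `service <name> restart`, are assumptions.

```bash
#!/usr/bin/env bash
# Hypothetical dehydrated hook script (added example, not ensigmatic's or dehydrated's own).
# dehydrated invokes the hook as:  hook.sh <handler> [args...]
# For deploy_cert the args are: DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP
set -eu

# Assumed settings: where the services read their certificates from, and which
# init-script services to bounce once a new cert is in place (names from the thread's output).
CERT_DIR="${CERT_DIR:-/etc/ssl/dehydrated}"
SERVICES="${SERVICES:-dovecot postfix apache2}"

deploy_cert() {
    local domain="$1" keyfile="$2" certfile="$3" fullchainfile="$4" chainfile="$5"
    local dest="${CERT_DIR}/${domain}" f

    # Refuse to deploy anything that is missing or empty: a half-written cert
    # would otherwise take the mail and web services down at the next restart.
    for f in "$keyfile" "$certfile" "$fullchainfile" "$chainfile"; do
        [ -s "$f" ] || { echo "hook: $f missing or empty, not deploying" >&2; return 1; }
    done

    mkdir -p "$dest"
    chmod 0750 "$dest"
    # install(1) copies and sets the mode in one step, independent of umask:
    # the private key stays group-readable only, public material is world-readable.
    install -m 0640 "$keyfile"       "$dest/privkey.pem"
    install -m 0644 "$certfile"      "$dest/cert.pem"
    install -m 0644 "$fullchainfile" "$dest/fullchain.pem"
    install -m 0644 "$chainfile"     "$dest/chain.pem"

    echo "Restarting services..."
    for f in $SERVICES; do
        service "$f" restart
    done
}

unchanged_cert() {
    # Cert still has more than 30 days left: nothing copied, nothing restarted.
    echo " + $1: certificate unchanged, nothing to do"
}

# Dispatch on the handler name dehydrated passes first; ignore handlers not used here
# (deploy_challenge/clean_challenge matter for dns-01; the thread uses the well-known URI).
handler="${1:-}"
shift || true
case "$handler" in
    deploy_cert|unchanged_cert) "$handler" "$@" ;;
    *) : ;;
esac
```

Point dehydrated at it with the HOOK setting in the per-certificate config, as the thread's output shows (HOOK = /usr/local/libexec/dehydrated/hook.d/host_example_com.sh).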
Muzzle flash
aficionado
posted
I have absolutely no idea what you guys are talking about. I'm using Firefox and have not noticed any unusual happenings.

flashguy




Texan by choice, not accident of birth
 
Posts: 27911 | Location: Dallas, TX | Registered: May 08, 2006
Optimistic Cynic
posted
I'd like to take a moment to publicly thank ensigmatic for taking the time to point out a few tools and changes in the practical use of Letsencrypt certificates. This will make my life significantly easier (at least if CoVID runs out of steam before I do). Thanks for the information, and thanks also for the reminder to get off my lazy ass and do my homework before posting my out-of-date opinions.
 
Posts: 6791 | Location: NoVA | Registered: July 22, 2009
Nullus Anxietas
posted
quote:
Originally posted by architect:
I'd like to take a moment to publicly thank ensigmatic for taking the time to point out a few tools and changes in the practical use of Letsencrypt certificates. This will make my life significantly easier (at least if CoVID runs out of steam before I do). Thanks for the information, ...

You're quite welcome



"America is at that awkward stage. It's too late to work within the system,,,, but too early to shoot the bastards." -- Claire Wolfe
"If we let things terrify us, life will not be worth living." -- Seneca the Younger, Roman Stoic philosopher
 
Posts: 26009 | Location: S.E. Michigan | Registered: January 06, 2008
© SIGforum 2024