Comments
oh right. these are the guys who believe in the magic of class c ips even though those haven't existed since the 90s?
Google actually said that they would rank SSL sites higher. This was the carrot and they posted this on their blog years ago. The stick is slowly being rolled out in the form of the shaming of plain http sites in chrome browser. You see Google wants everyone to go SSL because NSA.
So @Sam_NH, I mean Mark, what is going to be your next company after you abandon the one you're trying to advertise here in your signature?
https://beta.companieshouse.gov.uk/company/10703080/officers https://beta.companieshouse.gov.uk/company/10173687/officers https://beta.companieshouse.gov.uk/company/09833899/officers https://beta.companieshouse.gov.uk/company/09372306/officers https://beta.companieshouse.gov.uk/company/08808104/officers https://beta.companieshouse.gov.uk/company/09567214/officers https://beta.companieshouse.gov.uk/company/09567460/officers https://beta.companieshouse.gov.uk/company/08540653/officers https://beta.companieshouse.gov.uk/company/08079314/officers https://beta.companieshouse.gov.uk/company/08477864/officers
Yup, but what @William and @deadbeef were saying is that free ssl would rank less than a paid one which shouldn't happen as the goal is to encrypt all the data from user -> server or vice versa.
Basic answer: LetsEncrypt is better than nothing, it's free anyway. And grab a commercial cert for production / commercial purposes.
FYI: LetsEncrypt doesn't support sub-subdomains and they are limiting the creation and renewal requests. (For me) it doesn't suit (my) critical business process.
In essence yes but with regard to expiration time and renewal of your certificate it would be easier with a paid certificate if you are going full https because they usually last for a year and you can extend them longer. I choose a paid certificate as it is cheap and many times you can have a verification logo that links to a protected site and may increase conversion.
If you use Let's Encrypt and your certification does not renew on the HSTS standard then your website will be down. I don't think that it is worth it.
I use Let's Encrypt but on my e-commerce website I use a paid certificate. God bless you!
Yeah that one line cron job was tough. Now I never have to think about renewal, not even a year from now. Actually mine is easier than yours
What prize do I win?
lol
I was speaking more to not being able to certify based on a flaw in the program or code. The cron job is easy; however, if Let's Encrypt changes the coding or your cron job fails then your site will be down. Please keep in mind I am speaking to someone also having full https.
This is relevant as Let's Encrypt removed support for Python 2.6. You may check out this issue https://github.com/certbot/certbot/issues/1046 . If you had the cert and if it did not renew then your site would be completely down.
I am not bashing Let's Encrypt as I stated that I use it but not on a working/production eCommerce site. God bless you!
since the @OP is naughty I shall semi hijack the thread. Has there been any news of lets encrypt supporting wildcard style? Or do you still need to create one per subdomain?
Also link your favourite guide / script for lets encrypt!
@Nihim given that the minimal configuration for ACME seems to already be taken for creating and vending certificates, I highly doubt that there will ever be a semi/mostly anonymous means for LET wildcards.. at least intentionally.
thanks though I hope there is a --lighttpd flag
My HTTPS sites always do horrible with ranking compared to my regular HTTP ones :-(.
As far as I know, search engines will start to discredit HTTP, not HTTPS (SSL). And I have heard nothing about them discrediting Let's Encrypt.
So much FUD in this thread.
The only ranking I know about related to SSL is that Google said they would start ranking SSL sites slightly higher vs non SSL. I think part of that was in response to the emerging free LetsEncrypt service that they are very supportive of.
So there is NO WAY they are ranking LetsEncrypt lower than other SSL.
Also, Google Chrome will mark HTTP as Non Secure.
I take it you've never used Let's Encrypt...
The LE cron job doesn't wait until seconds before the cert is due to expire to reissue. If it fails you have time to investigate and repair.
And if a cron job fails and someone doesn't notice, then they're a shitty sysadmin. Even taking the crudest route available, the crontab's MAILTO will tell you if a job fails.
Well yeah, Let's Encrypt sucks... I was taking that as a given :-)
This is a bad thing. Even the biggest companies constantly forget to monitor the duration and let the certificates expire. With automatic renewal, that's just not an issue. Additionally, shorter periods increase security because certificate leaks do happen, and aren't always noticed.
That's not going to happen, LE will be fully backwards compatible. But even if it fails due to a network error or whatever, you are hopefully also monitoring the cronjob, so you can fix it before certs expire.
Did you even read that bug? Because 2.6 is supported and was before their go-live.
You're talking about a bug that existed in an alpha pre-release back in 2015...
Not only that -- but they even provide expiration notice emails, so if the cron falls over with max ~24 days to expiry, they'll send an email at 19 and 9 days to expiry. Not sure if there's any more after that.
There's no excuse for missing it
Wow, I guess people do not understand that I have no problem with Let's Encrypt. The issue comes when you go to full https site on preload. When your site is preloaded it may take weeks to get off the list. You cannot have http at all.
The Let's Encrypt is stable but if you run an "Ecommerce" site it is downtime that you cannot afford. Using a paid certificate you at least have a year. It is more time instead of price. You do not have to preload your website but it may be a major "boost" to SEO.
A selected subset of the members of the preloaded HSTS list:
I think they may have taken away the support and re-added when there were problems.
https://github.com/certbot/certbot/pull/957
This whole expiration discussion is kind of moot... as @raindog308 mentioned, the cron job tries repeatedly to renew. If it fails, it fails; you'll figure it out quick enough. It's still easier and less work than other CAs where one has to keep track of every certificate on their own and renew it on their own and put the updated certificate on the server on their own and finally restart the appropriate services ... all on their own.
I use the bash script dehydrated to manage my LE certs and the entire process is effortless after setup. I switched to LE last year and haven't even thought once about it since then. It all just works.
Symantec sent out a fudmail to its resellers a few weeks ago claiming that Google was planning to force short expirations on the whole certificate industry, so that Symantec's own 9 month restriction was just an opening shot. It's conceivable that they actually know something, but I'd suggest taking it with your own self-prescribed dosage of salt.
A year to do something that takes a few minutes. If you're keeping track of a certificate so you know when you have one year left to renew, you might as well just use LE and keep track of it so you know when you have one month left to renew. Then just check it a few weeks before it expires to make sure it auto renews.
I'm not discounting the apparent usefulness of purchased certificates as it affects customer perception. But I don't think it's in any way easier than using an automated system.
19 days, 9 days and at the expiry time
Google was in fact pushing to limit certificates to 1 year, but that failed. The maximum validity period will soon be 2 years though: https://www.venafi.com/blog/life-expectancy-shortened-for-ssl-certificates-validity-periods-reduced-to-2-years-by-cab
A cron job running twice a day is suggested by certbot/letsencrypt and many people online to ensure that certificates autorenew. If you're not even following their own recommendations, you deserve to have the issue of your SSL cert expiring.
Even then, run the renew command and everything's fixed. How terrible!
Will not happen.
I was in this situation myself. My cron job was silently failing. Then I received an email from Let's Encrypt warning me about my imminent certificate expiry and I fixed it right away!
https://pastebin.com/vSRdBN5V, my renew cron (daily). This will renew only when the cert has N (30) days before expiration. So there is no way for a certificate to have less than 29 days left, and this will work with any version of letsencrypt without doing anything useless, just an offline check and renew.
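
The offline check-then-renew approach from the last comment, combined with the thread's point about renewals that fail silently, as an added example; it is not the script behind the pastebin link and not code from any poster here. The certificate path and `RENEW_CMD` are assumptions to be replaced with your own ACME client and file locations.

```shell
#!/bin/sh
# Added example, not the poster's pastebin script. The cert path and RENEW_CMD
# are assumptions; point them at your own ACME client and live certificate.
RENEW_DAYS=${RENEW_DAYS:-30}   # renew when fewer than N days remain (30 as in the post)

# cert_state FILE DAYS: print missing | unreadable | expired | renew | ok.
# Purely local: openssl reads the file, nothing is sent to the CA.
cert_state() {
    cs_file=$1; cs_secs=$(( $2 * 86400 ))
    [ -e "$cs_file" ] || { echo missing; return 0; }
    openssl x509 -noout -in "$cs_file" >/dev/null 2>&1 || { echo unreadable; return 0; }
    # -checkend N exits 0 only if the cert is still valid N seconds from now.
    if openssl x509 -noout -checkend "$cs_secs" -in "$cs_file" >/dev/null 2>&1; then
        echo ok
    elif openssl x509 -noout -checkend 0 -in "$cs_file" >/dev/null 2>&1; then
        echo renew
    else
        echo expired
    fi
}

# renew_if_due FILE: renew only when due, then re-check the file on disk.
# Messages go to stderr, which cron mails to MAILTO; the non-zero exit status
# is there for any other job monitor.
renew_if_due() {
    rd_state=$(cert_state "$1" "$RENEW_DAYS")
    case $rd_state in
        ok) return 0 ;;
        unreadable) echo "cannot parse $1" >&2; return 2 ;;
    esac
    echo "$1 is '$rd_state', renewing" >&2
    # Unquoted on purpose so the command string splits into words.
    ${RENEW_CMD:-certbot renew --quiet} || { echo "renew command failed" >&2; return 1; }
    # A renew command that exits 0 without replacing the cert is still a failure.
    [ "$(cert_state "$1" "$RENEW_DAYS")" = ok ] || { echo "$1 still not renewed" >&2; return 1; }
}

# Run from cron as: this-script /path/to/fullchain.pem   (path is an assumption)
if [ "$#" -gt 0 ]; then renew_if_due "$1"; fi
```

The second `cert_state` call is what catches the silent-failure case: the job reports an error even when the renew command itself exits cleanly but leaves the old certificate in place.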