Comments
@hotsnow Got OCSP stapling working yet?
No, ssl_trusted_certificate has no effect on the WoSign SSL, although it works well with Comodo SSL.
PS: using ssl_stapling_file is OK on the WoSign SSL.
Sorry for bumping this.
I've tried to read the terms of service of this, and I can't find any particular points about the free SSL offer. Do you know if I can use these certificates on commercial sites?
Yes sure
Sure, you can use that for a commercial site, but personally I prefer using PositiveSSL or RapidSSL for commercial sites.
For the insurance and so? Probably I don't need that hehe.
But, in the worst case, probably getting these freebies revoked won't be possible.
While waiting for EFF's Let's Encrypt, this free SSL is the best alternative. Try running SSL Labs a few times; sometimes it will show revocation status: not trusted.
No, not about insurance, but because not all browsers support these certs. And that's the other reason: no easy way to revoke after the cert is created.
They are cross-signed by StartCom, so browser support is excellent. Revocation is supported too IIRC, but I have not actually used it.
Has anyone else had the problem of having to do phone verification? I've "ordered" a second certificate recently and now I'm struggling with retrieving the issued certificate. When I log in to my account and click "Retrieve certificate" (Google Translator), I get a page which tells me to link my account to my mobile phone number for security reasons, as I didn't log in by certificate.
So I've ordered a free email certificate and expected that I'd be able to sign in with that certificate, but certificate login fails here. And the phone verification also doesn't work here. Any other ideas?
@NeoXiD I can't even download the cert collection they send via email.
But now I'm putting all my websites under CloudFlare because of receiving a DDoS attack since yesterday. And CloudFlare SSL (strict) doesn't accept their certs.
Via email? They just send a link via email, and you open that link in a browser to download the cert.
I've got all the verification emails and such, but I didn't get an email for my second certificate. The status is now "Issued, waiting for retrieval" but that doesn't work, as the phone verification just doesn't send that SMS and certificate login fails too.
I meant they sent the link to download cert collection via email. After entering the verification text, click Retrieve, it just reloads the page.
Remember, if you use a stapling file you need to update your stapling file repeatedly. 1hr-48hrs is often used as an expiration time.
If you don't specify a file, for example with nginx without a stapling file, nginx then makes the OCSP query for you (and manages it). Your initial startup, reload and the odd request will be very slow. If the OCSP server is ever down you will be unable to start up or reload nginx (be careful!)
I think you have a point here. I just wanted to update my stapling file; here's the result I got:
And when the second time I ran it,
It's valid for 2 days OK. But if I were to run it every 48 hours I might encounter some errors it seems.
@comXyz, @NeoXid I just got another cert a few minutes ago, and I was able to download the files.
Yeah, sometimes their server is unreachable/slow as hell. I usually visit their website using a proxy from SG.
I do not trust him
Here's a screenshot of my current situation:
Quite a few OCSP servers from outside of the standard "large" SSL certificate providers are a bit dicky at times. And even the "large" providers have the odd issue. My recommendations (derived from the development of the system of OCSP stapling we use at X4B):
Don't assume your expiration time will be the same as you request; there is a maximum often enforced and it differs per CA (and may change).
Check the validity of your OCSP response regularly (at least once an hour); if it's close to expiring, update it before it does to prevent issues when it does expire (i.e. if it fails at the last minute).
Never request an OCSP to be too long, otherwise if a revocation is needed it will take too long to take effect. One day is the longest I would feel comfortable with.
For security reasons be sure to nonce your responses. Many of the online examples skip this step. You should also re-spin, not re-request, the OCSP response. If re-spin fails, only then try a re-request.
Always check the response you receive.
Be prepared for failures and unexpected errors.
I hope this helps.
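The checklist in the post above, applied to a stapling file refreshed from cron, as an added example that is not from the thread or from any poster's setup: it re-verifies the staple on disk, fetches a new response only when less than a margin of validity is left, and replaces the file only after the new response verifies as "good". The function names, the four file arguments, the 6-hour margin and GNU `date` are assumptions.

```shell
#!/usr/bin/env bash
# Added example: keep an nginx ssl_stapling_file fresh without ever installing
# a bad response. Function names, paths and the 6 h margin are assumptions.

# Print "Next Update" from `openssl ocsp` output as epoch seconds (GNU date).
next_update_epoch() {
    local line
    line=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Next Update: //p' | head -n 1)
    [ -n "$line" ] && date -u -d "$line" +%s
}

# $1 = openssl output, $2 = now (epoch), $3 = required remaining seconds.
# Usable means: signature verified, status "good", enough validity left.
response_usable() {
    local next
    printf '%s\n' "$1" | grep -q '^Response verify OK' || return 1
    printf '%s\n' "$1" | grep -q ': good$' || return 1
    next=$(next_update_epoch "$1") || return 1
    [ "$next" -gt $(( $2 + $3 )) ]
}

# $1 = server cert, $2 = issuer cert, $3 = CA bundle incl. root, $4 = staple
refresh_staple() {
    local cert=$1 issuer=$2 chain=$3 staple=$4 margin=21600 url tmp out
    # Re-verify the staple on disk; -no_nonce because no new request is sent.
    out=$(openssl ocsp -issuer "$issuer" -cert "$cert" -CAfile "$chain" \
        -respin "$staple" -no_nonce 2>&1) || true
    if response_usable "$out" "$(date +%s)" "$margin"; then return 0; fi

    url=$(openssl x509 -noout -ocsp_uri -in "$cert") || return 1
    tmp=$(mktemp "$staple.XXXXXX") || return 1
    # New request with a nonce; the DER response goes to a temp file first.
    out=$(openssl ocsp -issuer "$issuer" -cert "$cert" -CAfile "$chain" \
        -url "$url" -nonce -respout "$tmp" 2>&1) || true
    if response_usable "$out" "$(date +%s)" 0; then
        mv "$tmp" "$staple" && nginx -s reload   # swap in place, then reload
    else
        rm -f "$tmp"                             # old staple stays in place
        echo "OCSP refresh failed for $cert: $out" >&2
        return 1
    fi
}

# Run hourly from cron: script.sh cert.pem issuer.pem chain.pem staple.der
if [ "$#" -eq 4 ]; then refresh_staple "$@"; fi
```

A responder that serves pre-signed responses will not echo the nonce; `openssl ocsp` then prints a warning and continues, so the status and Next Update checks still decide whether the file is replaced.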
Download didn't work for another cert for me some days ago... now worked fine. Tried to contact support but got no reply, good it worked now.
Instead of downloading, you can copy and paste the certificate from https://buy.wosign.com/MemberUser/
Thanks a lot! If anyone else faces a similar problem - you have to click on the "Order ID" which will then take you to the page which @tommy had shown above. There I was able to grab my certificate.
Just tried to get a free certificate, but it refused to accept 'pdf.yt' as a valid domain. So I tried to use live chat, and this happened:
... yeah, perhaps I should just stick with StartCom for now.
We're still able to get 3 years, but not free. Free only for the 1st year.
"For Free SSL Certificate, it only support one domain name; but you can add more domains that each domain will be charged US$1.99 per year. The difference between the Free SSL Certificate and charged DV SSL Certificate is the issuer, the Free SSL issuer is “WoSign CA Free SSL Certificate G2”, but the charged SSL issuer is “WoSign Class 1 DV Server CA G2”."
I'm just trying this out for myself and indeed any extra year or domain is charged.
Yea, they charge for that now - I did however create like 10 certs over the weekend and could not be more happy: Free & Done in under 5min per cert with automated delivery.
Exactly. I don't see an issue here. You can still get unlimited free one-domain SSL certs. And once the main domain is validated, subdomain certs are issued automatically after the CSR paste.
This is still 100x better than StartSSL directly.
How's the browser support? I'm just making an English one for a piwik subdomain.
Yep, they had some issues with email delivery for the DV before, the captcha was not really stable and the interface half Chinese - This seems all fixed now, the DV mails arrive even faster than Comodo/RapidSSL (1-2min vs. 5-15min).
For a free service really nothing to complain about, sure SSLs are only like 4$ but 4$ saved are 4$ saved (that's like a Big Mac depending on country) and security is entirely the same - Not like you give the Chinese your key and even if end-users revoke Chinese CAs the fallback to StartSSL (which is Israel but eh) works still fine.