rutaj6 Posted August 4, 2017

Hi, I was just looking through many certification authorities and just came across one named Let's Encrypt. It's the first and supposedly the only free CA. Just a suggestion for root admins, you can have a look, because their SSL certificates are obviously more widely accepted than self-signed ones. So, if you feel it's OK, then installing their certbot client would provide all users of HelioHost free SSL certificates which almost all browsers would accept without showing a security error.

LetsEncrypt CA: https://letsencrypt.org/
Certbot: https://certbot.eff.org/

I have started availing their certificates via a website https://sslforfree.com, but the only problem is that all certificates are valid for only 90 days and they don't have an auto-renew feature.

wolstech Posted August 4, 2017

We've known about this. It's been around for a while. In fact, we have a Wiki article on it: http://wiki.helionet.org/Installing_a_Let%27s_Encrypt_SSL_Certificate

Also, if you use Tommy, that server has AutoSSL. It hands out free DV (domain verification) SSL certificates from Comodo to every domain on the server, and renews them automatically as they expire.

rutaj6 Posted August 4, 2017

> We've known about this. It's been around for a while. In fact, we have a Wiki article on it: http://wiki.helionet.org/Installing_a_Let%27s_Encrypt_SSL_Certificate
>
> Also, if you use Tommy, that server has AutoSSL. It hands out free DV (domain verification) SSL certificates from Comodo to every domain on the server, and renews them automatically as they expire.

I know that, but for some reason those certificates are not accepted by browsers (even those that support SNI). All my domains which had certificates from Comodo gave a security error when trying to access them with the https protocol!

The free certificates provided by Comodo are valid for 90 days and you cannot renew those again for free! After 90 days, they have to be bought.

The error: NET::ERR_CERT_AUTHORITY_INVALID

wolstech Posted August 4, 2017 (edited)

Let's see what he says, but I'm going to assume it's developershub.tk seeing that's the only domain on his account. For what it's worth, that domain works properly for me.

> The free certificates provided by Comodo are valid for 90 days and you cannot renew those again for free! After 90 days, they have to be bought.

Only the ones through Comodo's website do this. The cPanel-issued ones don't have that limitation and should renew on their own when they reach 15 days from expiration.

EDIT: I may need to stand corrected here... mine expired yesterday without me knowing, though it says it will renew via AutoSSL?

Edited August 5, 2017 by wolstech

Krydos Posted August 4, 2017

> Let's see what he says, but I'm going to assume it's developershub.tk seeing that's the only domain on his account.

That domain isn't even hosted by us: https://bybyron.net/php/tools/dns_records.php?domain=developershub.tk&rec=A

rutaj6 Posted August 4, 2017

> Let's see what he says, but I'm going to assume it's developershub.tk seeing that's the only domain on his account. For what it's worth, that domain works properly for me.

I was referring to royalsdestiny.tk. Developershub.tk is hosted elsewhere and its SSL is also provided by them. I have changed the main domain to that because a subdomain, backend.developershub.tk, is hosted on HelioHost.

And also, I have changed the default SSL certificates and installed new ones from LetsEncrypt, but those will expire in 90 days (obviously).

You can try checking with a different website which uses the Comodo certificate with Google Chrome; that's the combination I was using when I got the security error (repeatedly).

I have uninstalled the letsencrypt certificate from royalsdestiny and have re-installed the self-signed ones from Comodo. You can see the error at https://www.royalsdestiny.tk

wolstech Posted August 4, 2017

> I have uninstalled the letsencrypt certificate from royalsdestiny and have re-installed the self-signed ones from Comodo. You can see the error at https://www.royalsdestiny.tk

If it's self-signed (which it is, I just checked), it's not an AutoSSL certificate. Your problem is that AutoSSL hasn't run yet or skipped it (likely, seeing it will ignore domains with LE certs installed). A valid AutoSSL certificate will be issued by "cPanel Inc. Certification Authority". Krydos can force it to run on your domain so you get a proper certificate. Be aware that .htaccess sometimes prevents it from working (the system creates a special file that needs to be reachable by Comodo's servers).

Escalating.
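
The distinction drawn in the post above (self-signed versus issued by "cPanel Inc. Certification Authority"), together with the 15-day renewal window mentioned earlier in the thread, can be read from the certificate file itself. This is an added example, not part of any post: the function names, the `www.example.test` hostname and the locally generated stand-in CA are constructed for illustration, and "self-signed" here means the issuer name equals the subject name.

```shell
#!/usr/bin/env bash
AUTOSSL_ISSUER="cPanel Inc. Certification Authority"  # issuer name as quoted in the thread
RENEW_DAYS=15                                          # renewal window quoted in the thread

# Print the subject or issuer as an RFC 2253 string, without the field label.
cert_name() {
    openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed "s/^$2= *//"
}

# Prints self-signed (issuer name equals subject name), autossl (issuer CN is
# the AutoSSL CA name) or other-ca.
classify_cert() {
    local subject issuer
    subject=$(cert_name "$1" subject)
    issuer=$(cert_name "$1" issuer)
    if [ "$subject" = "$issuer" ]; then echo "self-signed"; return; fi
    case "$issuer" in
        *"CN=$AUTOSSL_ISSUER"*) echo "autossl" ;;
        *) echo "other-ca" ;;
    esac
}

# Succeeds when the certificate expires within RENEW_DAYS days.
in_renewal_window() {
    ! openssl x509 -in "$1" -noout -checkend $((RENEW_DAYS * 86400)) >/dev/null
}

# Constructed sample input: a stand-in CA carrying the AutoSSL issuer name,
# a leaf it signs for 10 days, and a 90-day self-signed certificate.
make_samples() {
    local d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/ca.pem" \
        -subj "/CN=$AUTOSSL_ISSUER" -days 365 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout "$d/leaf.key" -out "$d/leaf.csr" \
        -subj "/CN=www.example.test" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/leaf.pem" -days 10 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/self.key" -out "$d/self.pem" \
        -subj "/CN=www.example.test" -days 90 2>/dev/null
}

tmp=$(mktemp -d)
make_samples "$tmp"
for f in self leaf; do
    in_renewal_window "$tmp/$f.pem" && due="inside renewal window" || due="not due"
    echo "$f.pem: $(classify_cert "$tmp/$f.pem"), $due"
done
```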

Krydos Posted August 4, 2017

I've been experimenting with autossl providers for the last couple days so it's currently set to Let's Encrypt not Comodo, but I forced it to run on your domain:

https://royalsdestiny.tk
https://www.sslshopper.com/ssl-checker.html#hostname=royalsdestiny.tk

wolstech Posted August 5, 2017 (edited)

Noticed this tonight... a bunch of my AutoSSL certs expired 8/4 ("yesterday" UTC) and only some renewed. Is this because of the testing you've been doing (I know LE's limits are stupidly low)?

Edited August 5, 2017 by wolstech

Krydos Posted August 5, 2017

I think since we enabled autossl when there were already a lot of accounts on Tommy they all had their certificates updated right around 90 days ago. https://www.helionet.org/index/topic/28033-autossl/

I noticed that the comodo queue was kind of backed up and it was hit or miss on which autossl certificates were getting updated. I switched to LE to try to clear out some more of the queue. I know we'll hit the rate limits on LE, but it appears Comodo must have some rate limits too. I've contacted cpanel to ask them about it, but so far none of them want to admit to there being any rate limits. When LE gets maxed out I'll switch back to Comodo and see if that will take care of some more. Worst case scenario we disable autossl for everyone, and make it a requested feature.

I manually ran LE autossl on rax2 and it picked up a lot of missing/expired certificates.

rutaj6 Posted August 5, 2017

By the way, just updating, I'm changing back all my SSL certificates to the ones from LE which I got myself! Thanks a lot for the help. Best of luck sorting out the autoSSL problems!