Thoughts on Let's Encrypt for SSL

  • mmwlada wrote:

    I use it on QNAP NAS, client site (Linux) and personal usage (Windows). And it works without any issues. Auto renewal is awesome. However, you cannot get an OV or EV certificate from Let's Encrypt.

    There can be only one.

    Richard Deeming wrote (#11):

    EV certs aren't much use these days anyway. :)

    Troy Hunt: Extended Validation Certificates are Dead
    Troy Hunt: PayPal's Beautiful Demonstration of Extended Validation FUD


    "These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer

    • n podbielski wrote:

      I am using Certify The Web and max renewal time span is 60 days. What software are you using?

      No more Mister Nice Guy... >: |

      Marc Clifton wrote (#12):

      n.podbielski wrote:

      What software are you using?

      I wrote my own service that checks whether the cert needs to be renewed and then launches a wrapper that provides the command line parameters to GitHub - oocx/acme.net: A .net implementation of ACME (Automatic Certificate Management Environment). In some cases, I embed the check in the web server itself so I don't need a separate service.

      [edit] Richard's post on PKISharp is definitely on my list to investigate! [/edit]

      Marc

      Latest Article - A 4-Stack rPI Cluster with WiFi-Ethernet Bridging
      Learning to code with python is like learning to swim with those little arm floaties. It gives you undeserved confidence and will eventually drown you. - DangerBunny
      Artificial intelligence is the only remedy for natural stupidity. - CDP1802

      • kmoorevs wrote:

        I'm getting a new Azure VM ready to host several web apps and am to the point of getting an SSL cert for it. It appears that Let's Encrypt requires renewals more frequently than a 'store bought' ssl but that the renewal can be automated. I might be able to live with that. Anyhow, to the point...anyone here using let's encrypt? Anyone had issues with it? Usually there is a reason things are free...limitations and such. Thanks for any suggestions/thoughts. :)

        Edit: 4 hours later after receiving some encouraging reviews and I can't get it working! Using a GUI tool called certify, I got a cert installed easily, but no joy on connecting via https...now giving a dns error. (INET_E_RESOURCE_NOT_FOUND) The certs (I now have 3 from trying different configurations to get it to work) appear to be valid on the server. The bindings appear to be correct as well. IIS 10 on Server 2016 if it matters. I'd hate to find out that my ISP's cable modem is blocking 443...probably not, but I'm running out of reasons why this won't work. What would dns have to do with it...the sites show up fine with http, but not https.

        "Go forth into the source" - Neal Morse

        Peter R Fletcher wrote (#13):

        I use it for 2 sites hosted on a commercial ISP. Unfortunately, the ISP does not support autorenewal (they want you to buy certificates from their provider), but the process of updating the certificates (using certbot-auto on a Debian VM) every 2.5 months takes about half an hour of my time from start to finish, and the cost/benefit versus paying for commercial ones seems worthwhile. I have not encountered any issues.

        • Marc Clifton wrote:

          Let's encrypt is awesome. It requires renewal every 3 months, which I have automated. Not using Azure though, so no experience with LE and Azure. You may or may not find my article useful: Self-Hosting Multiple HTTPS Websites in IIS with SNI and LetsEncrypt Certificates


          kmoorevs wrote (#14):

          Thanks for the link for Self-Hosting. :thumbsup: I used another GUI (certify) and everything seemed to go well...the cert shows active with 89 days, the .well-known folder was created, the tests all passed, the certs show up in IIS, bindings seem to be good....still not getting websites to work with https. :confused:

          What I've done:

          0: verified that my ISP is not blocking incoming on 443.
          1: Added a port forwarding rule in my home/office router for 443 to the server's internal IP.
          2: Tried various binding configurations in IIS.
          3: Stopped and restarted the webserver via IIS after changes.
          4: Checked my DNS/routing records at the domain registrar...doesn't seem to be anything I need to change here.
          5: Googled for most of yesterday and this morning looking for some obvious stupid thing that I have overlooked.
          6: Tried using tracert, but it won't work with a protocol in the hostname

          All I'm getting when I try to access anything using https is 'can't reach this page...temporary dns error...error code (INET_E_RESOURCE_NOT_FOUND)'.

          On a lighter note, I agree wholeheartedly with the idea of self-hosting and have been doing it for my small company for over 15 years. :)

          • Andreas Mertens wrote:

            I use both in Azure and in hosted on-site websites with no problems. The biggest issue in Azure is getting the renewal automated, which requires that your website has a service level of "always on" to run the renewal web job when necessary. I found the following link quite useful: ["Let's Encrypt" Azure Web Apps the Free and Easy Way | GoorooThink Tech News | Articles | Skills Analytics | Gooroo](https://gooroo.io/GoorooTHINK/Article/16420/Lets-Encrypt-Azure-Web-Apps-the-Free-and-Easy-Way/20047#.XPk4h3dFxhF)

            fatman45 wrote (#15):

            How did you automate the renewal process? I also have been using LetsEncrypt successfully in both on-prem servers and Azure VMs (dev and test servers). But every 3 months I have to go through the hassle of manually renewing.

            Da Bomb


              Mike Marynowski wrote (#16):

              This works well: GitHub - PKISharp/win-acme: win-acme - A Simple ACME Client for Windows (for use with Let's Encrypt)

              Blog: [Code Index] By Mike Marynowski | Business: Singulink


                fatman45 wrote (#17):

                Thanks!


                  DerekT P wrote (#18):

                  I use Let's Encrypt on my hosted sites, which run on shared Windows hosts under Plesk. No problems with the certificate per se, but Plesk's renewal process is a pain. It seems to involve installing files on a specific sub-folder and verifying those files by making a non-encrypted http request. This is a pain as the sites are configured to auto-redirect any insecure requests to the https: protocol, so these verification requests fail (as they don't accept a redirect as a valid response). To complicate matters further, many of my sites require authentication on all pages (apart from the login form) so again the verification request fails. I can get around this by explicitly removing authentication for the relevant subfolder, but the automatic redirect to https is more of a pain and I'm finding I have to manually disable this temporarily, manually issue a renew request, then reinstate the redirect. I suspect this is more of a Plesk issue than LetsEncrypt, but it all adds to the hassle. That said, I have some sites that now run on https that I probably wouldn't have bothered with had I had to buy SSL certs (they're hobby sites essentially).

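The situation described in the post above, a challenge file fetched over plain HTTP from a site that redirects every request to https or puts every page behind a login, can be checked before a renewal is requested. This is an added example, not code from the thread, Plesk or Let's Encrypt; it assumes the standard ACME HTTP-01 path `/.well-known/acme-challenge/`, and `probe_challenge`, `DemoSite`, the policy names and the token are constructed for illustration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"  # HTTP-01 path (RFC 8555)

def probe_challenge(host, token, port=80, timeout=5):
    """GET the challenge URL over plain HTTP without following redirects and
    report what an unauthenticated validation request meets first."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", CHALLENGE_PREFIX + token)
        resp = conn.getresponse()
        status, location = resp.status, resp.getheader("Location", "")
        body = resp.read(512).decode("ascii", "replace").strip()
    finally:
        conn.close()
    if status == 200:
        return ("served", body)
    if status in (301, 302, 303, 307, 308):
        return ("redirected", location)
    if status in (401, 403):
        return ("auth-required", str(status))
    return ("unexpected", str(status))

class DemoSite(BaseHTTPRequestHandler):
    """Constructed stand-in for a site; server.policy selects its behaviour."""
    def do_GET(self):
        policy = self.server.policy
        if policy == "exempt-challenge" and self.path.startswith(CHALLENGE_PREFIX):
            body = b"constructed-token.constructed-thumbprint"
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        elif policy == "auth-all":
            self.send_response(401)
            self.end_headers()
        else:  # "redirect-all", and every other path under "exempt-challenge"
            self.send_response(301)
            self.send_header("Location", "https://example.test" + self.path)
            self.end_headers()

    def log_message(self, *args):  # silence per-request logging
        pass

def run_demo():
    # One local site, probed under three constructed policies in turn.
    server = HTTPServer(("127.0.0.1", 0), DemoSite)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    results = {}
    for policy in ("redirect-all", "auth-all", "exempt-challenge"):
        server.policy = policy
        results[policy] = probe_challenge("127.0.0.1", "constructed-token",
                                          port=server.server_port)
    server.shutdown()
    server.server_close()
    return results

if __name__ == "__main__":
    print(run_demo())
```

Against a real host, place a test file in the challenge folder and call `probe_challenge("your.host", "test-file-name")`; the result shows whether the folder is served directly, redirected, or behind authentication.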

                    Andreas Mertens wrote (#19):

                    I had the same problem at first. You have to select an Azure subscription level that won't shut down the WebJob that does the renewal. If I remember right, when you go to the web job you will probably get a warning about this, and it will give you the option to update your subscription. Once you do that you should have no more issues with this.


                      n podbielski wrote (#20):

                      Marc Clifton wrote:

                      GitHub - oocx/acme.net:

                      I see this is just some hobby project.

                      Marc Clifton wrote:

                      PKISharp

                      I probably would have to create my own certificate installer for OS and IIS, right? For now Let's Encrypt is doing this for me :)

                      Marc Clifton wrote:

                      Richard's post on PKISharp is definitely on my list to investigate!

                      Do you have a link?


                        Marc Clifton wrote (#21):

                        That link to acme.net has a command line option to update IIS. Works quite well. Perusing the source, it's definitely not a hobby project, imo. :)


                          n podbielski wrote (#22):

                          Marc Clifton wrote:

                          Perusing the source, it's definitely not a hobby project, imo.

                          From github:

                          Quote:

                          This project is work in progress. It works, but probably still has many bugs and needs more testing. If you are just looking for a Let's Encrypt client or a more mature project, then you should take a look at these projects:

                          For me it looks like a hobby project. I am not saying that it does not work. The description from the author sends a signal: 'do not use it at home' :)


                            kmoorevs wrote (#23):

                            Thanks for the response! I've spent several hours trying to get https to work on an in-house web server that hosts our secondary website and multiple customer web applications. It still doesn't work. :sigh: I was trying it (let's encrypt) out locally before I put it on a new Azure VM that will most likely take over most of the customer web apps. Anyhow, I decided to try a different ACME tool on the new server and in < 10 minutes, had it working! My goal was to have the new server ready by Monday so it's mission accomplished! :) I suppose I'll find out about renewal issues in a few months. :laugh: I've been running my company's secondary website and customer web apps without a cert for around 15 years. Nobody ever complained until Chrome started showing the 'Not secure' tag...I think they have plans to make that tag more prominent in future versions. At any rate, I am grateful to the open source community and especially let's encrypt for providing this solution for free ssl. :thumbsup:
