I hate linux. I hate SSL more.
-
trying to renew my cert should have taken 3 lines
sudo systemctl stop nginx
sudo certbot renew
sudo systemctl start nginxInstead, the thing refused to stop and took over an hour to troubleshoot. And this is basically par for the course with these systems. Particularly linux distros. I'm so over it. I want to like open source, but sometimes it seems rickety. Also, why the heck do we need to encrypt all web traffic these days? Certs are a hassle I'd rather not have to deal with ever 90 days. Sorry guys. Just venting over here. Maybe some of you know why waving a dead chicken over linux never works, but I don't.
To err is human. Fortune favors the monsters.
honey the codewitch wrote:
Certs are a hassle I'd rather not have to deal with ever 90 days.
I've got one 'bought' SSL cert (2 yrs) and two letsencrypt ssl certs. The letsencrypt certs on my windows servers are good for 90 days and are managed automatically by an app/service called certifytheweb. It was a bit tricky getting it working the first time, but since then I haven't had to worry about them for over 2 years now. I'm running a mail server on one of those and recently (2 weeks ago) finally figured out how to export the public/private keys that are required for hMailServer. Now I've just got to learn enough powershell to automate the process! :)
"Go forth into the source" - Neal Morse "Hope is contagious"
-
honey the codewitch wrote:
Certs are a hassle I'd rather not have to deal with ever 90 days.
I've got one 'bought' SSL cert (2 yrs) and two letsencrypt ssl certs. The letsencrypt certs on my windows servers are good for 90 days and are managed automatically by an app/service called certifytheweb. It was a bit tricky getting it working the first time, but since then I haven't had to worry about them for over 2 years now. I'm running a mail server on one of those and recently (2 weeks ago) finally figured out how to export the public/private keys that are required for hMailServer. Now I've just got to learn enough powershell to automate the process! :)
"Go forth into the source" - Neal Morse "Hope is contagious"
I did the let's encrypt thing for a season and found it fiddly. I prefer to have to renew once a year so I went and got a real wildcard as they are pretty cheap today.
-
trying to renew my cert should have taken 3 lines
sudo systemctl stop nginx
sudo certbot renew
sudo systemctl start nginxInstead, the thing refused to stop and took over an hour to troubleshoot. And this is basically par for the course with these systems. Particularly linux distros. I'm so over it. I want to like open source, but sometimes it seems rickety. Also, why the heck do we need to encrypt all web traffic these days? Certs are a hassle I'd rather not have to deal with ever 90 days. Sorry guys. Just venting over here. Maybe some of you know why waving a dead chicken over linux never works, but I don't.
To err is human. Fortune favors the monsters.
-
Why are certs required? Who's the sheriff?
"A little time, a little trouble, your better day" Badfinger
your browser will default to https these days. sites pretty much have to support SSL.
To err is human. Fortune favors the monsters.
-
your browser will default to https these days. sites pretty much have to support SSL.
To err is human. Fortune favors the monsters.
-
trying to renew my cert should have taken 3 lines
sudo systemctl stop nginx
sudo certbot renew
sudo systemctl start nginxInstead, the thing refused to stop and took over an hour to troubleshoot. And this is basically par for the course with these systems. Particularly linux distros. I'm so over it. I want to like open source, but sometimes it seems rickety. Also, why the heck do we need to encrypt all web traffic these days? Certs are a hassle I'd rather not have to deal with ever 90 days. Sorry guys. Just venting over here. Maybe some of you know why waving a dead chicken over linux never works, but I don't.
To err is human. Fortune favors the monsters.
-
trying to renew my cert should have taken 3 lines
sudo systemctl stop nginx
sudo certbot renew
sudo systemctl start nginxInstead, the thing refused to stop and took over an hour to troubleshoot. And this is basically par for the course with these systems. Particularly linux distros. I'm so over it. I want to like open source, but sometimes it seems rickety. Also, why the heck do we need to encrypt all web traffic these days? Certs are a hassle I'd rather not have to deal with ever 90 days. Sorry guys. Just venting over here. Maybe some of you know why waving a dead chicken over linux never works, but I don't.
To err is human. Fortune favors the monsters.
You need to go into Options and uncheck the "Screw up randomly" box. Or use
sudo scrwuprnd off;)Best, Sander Azure DevOps Succinctly (free eBook) Azure Serverless Succinctly (free eBook) Migrating Apps to the Cloud with Azure arrgh.js - Bringing LINQ to JavaScript
-
trying to renew my cert should have taken 3 lines
sudo systemctl stop nginx
sudo certbot renew
sudo systemctl start nginxInstead, the thing refused to stop and took over an hour to troubleshoot. And this is basically par for the course with these systems. Particularly linux distros. I'm so over it. I want to like open source, but sometimes it seems rickety. Also, why the heck do we need to encrypt all web traffic these days? Certs are a hassle I'd rather not have to deal with ever 90 days. Sorry guys. Just venting over here. Maybe some of you know why waving a dead chicken over linux never works, but I don't.
To err is human. Fortune favors the monsters.
honey the codewitch wrote:
Maybe some of you know why waving a dead chicken over linux never works, but I don't.
Windows is a proprietary O/S, so waving proprietary dead chickens over it works. Linux is an open-source O/S; you need to open-source your dead chickens. ;) :)
Freedom is the freedom to say that two plus two make four. If that is granted, all else follows. -- 6079 Smith W.
-
trying to renew my cert should have taken 3 lines
sudo systemctl stop nginx
sudo certbot renew
sudo systemctl start nginxInstead, the thing refused to stop and took over an hour to troubleshoot. And this is basically par for the course with these systems. Particularly linux distros. I'm so over it. I want to like open source, but sometimes it seems rickety. Also, why the heck do we need to encrypt all web traffic these days? Certs are a hassle I'd rather not have to deal with ever 90 days. Sorry guys. Just venting over here. Maybe some of you know why waving a dead chicken over linux never works, but I don't.
To err is human. Fortune favors the monsters.
I have 3000+ domains on IISs behind multiple HAProxyeis and NGinxs. One Windows VM is responsible for the creations and renewal of all certs on all Proxies using custom C#. (Keeps the date of last renew, renews, saves on proxy via SFTP, reloads proxy via SSH) A certificate is renewed every 60 days, if it fails i get warned and have 30 days to solve the problem. It never fails on LetsEncrypt, it is always because the Domain DNSs are wrong or something like that. Commercial/Adminstrative people add or remove clients (domains) at will and i never have to handle any of that. I absolutely love LetsEncrypt. No way i would renew 3000 domains manually. Tip: Don't stop NGinx, just reload it. (i assume certbot will not complain) If something fails on the renew, the site is still up with the old cert.
-
I have 3000+ domains on IISs behind multiple HAProxyeis and NGinxs. One Windows VM is responsible for the creations and renewal of all certs on all Proxies using custom C#. (Keeps the date of last renew, renews, saves on proxy via SFTP, reloads proxy via SSH) A certificate is renewed every 60 days, if it fails i get warned and have 30 days to solve the problem. It never fails on LetsEncrypt, it is always because the Domain DNSs are wrong or something like that. Commercial/Adminstrative people add or remove clients (domains) at will and i never have to handle any of that. I absolutely love LetsEncrypt. No way i would renew 3000 domains manually. Tip: Don't stop NGinx, just reload it. (i assume certbot will not complain) If something fails on the renew, the site is still up with the old cert.
certbot won't run if something is bound to the http ports
To err is human. Fortune favors the monsters.
-
certbot won't run if something is bound to the http ports
To err is human. Fortune favors the monsters.
Ahh. OK. I have only one certbot in a Raspberry PI at home but is running as a service/daemon. I do not remember what i done, but it keeps renewing the cert by it self. Nothing gets added or removed from that PI, so it not a good comparison. But i find strange (a lot) that webserver has to stop to renew the cert. Renewing many sites takes a lot of time and no way the downtime is acceptable. Don't know what it is, but something is up.
-
Ahh. OK. I have only one certbot in a Raspberry PI at home but is running as a service/daemon. I do not remember what i done, but it keeps renewing the cert by it self. Nothing gets added or removed from that PI, so it not a good comparison. But i find strange (a lot) that webserver has to stop to renew the cert. Renewing many sites takes a lot of time and no way the downtime is acceptable. Don't know what it is, but something is up.
Yeah probably ugly, although most larger sites are load balanced so in theory it should be possible to update a node at a time without downtime for a site like that. But I share your confusion as to why the site needs to be stopped.
To err is human. Fortune favors the monsters.
-
So certs are the badge of a secure website and the right to claim "https". That relationship is not obvious. Thanx.
"A little time, a little trouble, your better day" Badfinger
A bit more than that. The https protocol is not just a "label", it's an actual protocol, and the handshaking involves the sharing of the certificate with the requester. So the cert is an integral part of the SSL protocol. No cert, HTTPS doesn't even begin to work.
Telegraph marker posts ... nothing to do with IT Phasmid email discussion group ... also nothing to do with IT Beekeeping and honey site ... still nothing to do with IT
-
your browser will default to https these days. sites pretty much have to support SSL.
To err is human. Fortune favors the monsters.
-
Not sure which browser you're using but Edge, Chrome (unless it was in the update this week), and Firefox don't default to SSL. They do check for a certificate first and then warn you if you're going to an https URL and there's no certificate.
the heck it doesn't. It wants to do it unless i explicitly type http:// in the address bar. I always have to fiddle with that when i'm calling web stuff off an esp32 which doesn't do ssl
To err is human. Fortune favors the monsters.
-
trying to renew my cert should have taken 3 lines
sudo systemctl stop nginx
sudo certbot renew
sudo systemctl start nginxInstead, the thing refused to stop and took over an hour to troubleshoot. And this is basically par for the course with these systems. Particularly linux distros. I'm so over it. I want to like open source, but sometimes it seems rickety. Also, why the heck do we need to encrypt all web traffic these days? Certs are a hassle I'd rather not have to deal with ever 90 days. Sorry guys. Just venting over here. Maybe some of you know why waving a dead chicken over linux never works, but I don't.
To err is human. Fortune favors the monsters.
I've ad better luck with rubber chickens. :laugh:
-
trying to renew my cert should have taken 3 lines
sudo systemctl stop nginx
sudo certbot renew
sudo systemctl start nginxInstead, the thing refused to stop and took over an hour to troubleshoot. And this is basically par for the course with these systems. Particularly linux distros. I'm so over it. I want to like open source, but sometimes it seems rickety. Also, why the heck do we need to encrypt all web traffic these days? Certs are a hassle I'd rather not have to deal with ever 90 days. Sorry guys. Just venting over here. Maybe some of you know why waving a dead chicken over linux never works, but I don't.
To err is human. Fortune favors the monsters.
-
trying to renew my cert should have taken 3 lines
sudo systemctl stop nginx
sudo certbot renew
sudo systemctl start nginxInstead, the thing refused to stop and took over an hour to troubleshoot. And this is basically par for the course with these systems. Particularly linux distros. I'm so over it. I want to like open source, but sometimes it seems rickety. Also, why the heck do we need to encrypt all web traffic these days? Certs are a hassle I'd rather not have to deal with ever 90 days. Sorry guys. Just venting over here. Maybe some of you know why waving a dead chicken over linux never works, but I don't.
To err is human. Fortune favors the monsters.
to answer that question of WHY SSL. Because we need some privacy in what we are doing. Before SSL, every man in the middle knew every search, your passwords to FTP and your email passwords (no ENCODING is not encryption, LOL). So, now only GOOGLE (or your browser) can sell your URL hits if they are not tracked elsewhere (usually by google, fb, etc). This is a step in the right direction. I use apache, and the process (as mentioned elsewhere) is pretty clean. My chief tech automated it years ago, never noticed it. It just works. Thankfully. (Of course my published site is very touchy, you don't get a 404 error. You get firewall BLOCKED for 72hrs, got tired of robo attacks, lol. Oh, outside of the us, it could be a 30 day ban! (99% of my web traffic was simply attack bots checking for phpmysql, etc)). Spend the time to make sure you have the configuration right, and easier to update, it's clearly worth it. But we need SSL. EVERYTHING over the internet should use strong encryption. The fact that we SUCK at it... Is kinda on us... We spend very little time playing with it, and just want it to work.
-
trying to renew my cert should have taken 3 lines
sudo systemctl stop nginx
sudo certbot renew
sudo systemctl start nginxInstead, the thing refused to stop and took over an hour to troubleshoot. And this is basically par for the course with these systems. Particularly linux distros. I'm so over it. I want to like open source, but sometimes it seems rickety. Also, why the heck do we need to encrypt all web traffic these days? Certs are a hassle I'd rather not have to deal with ever 90 days. Sorry guys. Just venting over here. Maybe some of you know why waving a dead chicken over linux never works, but I don't.
To err is human. Fortune favors the monsters.
why do we need privecy? because years ago someone complained about someone walking around naked, they were chill with it, if you dont want to look thats on you. but nah, all the offended people got together and said, NO, privates should be covered by default we making some laws about it, then everyone like ok and followed along. Its more the 1 person that was taking pictures of other naked people in public, which if they didnt go and share it out with everone else, probably would have been an issue, but they did, and complaints were made. the real annoying part is when its your own local home and its still like no, you gotta go extra steps if want to be un clothed here. but I own this, I know this place, its okay. No your password for localhost appears on a leak list, imma be dumb and not filter out admin admin for localhost
-
trying to renew my cert should have taken 3 lines
sudo systemctl stop nginx
sudo certbot renew
sudo systemctl start nginxInstead, the thing refused to stop and took over an hour to troubleshoot. And this is basically par for the course with these systems. Particularly linux distros. I'm so over it. I want to like open source, but sometimes it seems rickety. Also, why the heck do we need to encrypt all web traffic these days? Certs are a hassle I'd rather not have to deal with ever 90 days. Sorry guys. Just venting over here. Maybe some of you know why waving a dead chicken over linux never works, but I don't.
To err is human. Fortune favors the monsters.
I'm annoyed by Linux for similar reasons. It's a lot of hacks on hacks, a lot of accepting the status quo as how things must be instead of taking a huge step back & re-evaluating whether the present behavior really is the best platform to build the future upon. However, do you really have to deal with it every 90 days yourself? Meaning, can't you schedule that stuff (assuming there's no more troubleshooting involved)?
