Code Project - The Lounge

I hate linux. I hate SSL more.

Tags: linux, security, help, question, learning
43 Posts, 26 Posters
• honey the codewitch wrote:

  trying to renew my cert should have taken 3 lines

  sudo systemctl stop nginx
  sudo certbot renew
  sudo systemctl start nginx

  Instead, the thing refused to stop and took over an hour to troubleshoot. And this is basically par for the course with these systems. Particularly linux distros. I'm so over it. I want to like open source, but sometimes it seems rickety. Also, why the heck do we need to encrypt all web traffic these days? Certs are a hassle I'd rather not have to deal with every 90 days. Sorry guys. Just venting over here. Maybe some of you know why waving a dead chicken over linux never works, but I don't.

  To err is human. Fortune favors the monsters.

n podbielski, post #25:

I had a similar setup with certbot, nginx and several services spanning 3 machines. There are some hiccups from time to time but mostly it works. Surprisingly, because it is not like I am a Linux admin.

No more Mister Nice Guy... >: |
• Daniel Pfeffer wrote:

  honey the codewitch wrote:

  Maybe some of you know why waving a dead chicken over linux never works, but I don't.

  Windows is a proprietary O/S, so waving proprietary dead chickens over it works. Linux is an open-source O/S; you need to open-source your dead chickens. ;) :)

  Freedom is the freedom to say that two plus two make four. If that is granted, all else follows. -- 6079 Smith W.

Bryan Schuler, post #26:

...also, which dead chicken you use is dependent on your distro. When in doubt, you may have to try all 500+ of them... but try them quickly. The longer you wait, the more seem to hatch! :-D
• honey the codewitch wrote:

  I can probably automate it now that it's fixed but I am concerned about the issues that I had to troubleshoot or similar cropping up again and maybe blowing up my site when I'm not around, so my other plan was to maybe have it send me mail just before I need to renew but I don't have qmail installed or anything like that. I have other issues currently that are making demands on my time so I haven't fiddled with it. I figure I have about 80 days to come up with something. :)

  To err is human. Fortune favors the monsters.

Tiger12506, post #27:

I find your experience very weird. Especially since you think everything needs to be unbound from http port before you can use certbot. The whole *point* of certbot is that it checks to see if the machine it is running on is the machine that it can reach a http site at... Therefore, they know who it is that requested the certificate. FWIW, I have a bit of trouble with certbot because my default firewall configuration blocks http to internet, so I have to whitelist the port, run certbot, and unwhitelist every three months. Takes literally 5 seconds. I don't know what you're doing, but "it works on my machine"! BTW, please don't blame Linux for what is clearly a certbot problem. :) Remember, Linux is fragmented, so there are many many good softwares and designs that you use on Linux constantly without realizing, and only a few that are bad. It's not all one giant corporation putting out completely bad stuff.... or updating constantly to provide new icon sets.
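The three-line renewal honey the codewitch wants to automate (stop nginx, certbot renew, start nginx), plus the mail-before-it-breaks wish from the quoted post and Tiger12506's point that certbot does not need the port freed on every run, as one added example that is not code from anyone in the thread: a cron-friendly wrapper that lets certbot's own pre/post hooks bounce nginx only when a cert is actually due, then reads the expiry off the certificate on disk and mails only when renewal failed or the cert is still close to expiry. It assumes certbot, openssl, GNU date and a local mail(1) are installed; DOMAIN, NOTIFY and the cert path are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Daily renewal wrapper for a Let's Encrypt
# cert behind nginx. Assumes certbot, openssl, GNU date and a local mail(1)
# are installed; DOMAIN, NOTIFY and the cert path below are placeholders.

DOMAIN="${DOMAIN:-example.com}"             # placeholder
NOTIFY="${NOTIFY:-admin@example.com}"       # placeholder
LIVE_CERT="/etc/letsencrypt/live/$DOMAIN/fullchain.pem"
WARN_DAYS=30   # certbot renews at 30 days left; below that something went wrong

# days_left EXPIRY_EPOCH NOW_EPOCH -> whole days remaining (truncated toward zero)
days_left() {
    echo $(( ($1 - $2) / 86400 ))
}

# expires_within DAYS EXPIRY_EPOCH NOW_EPOCH -> true when fewer than DAYS remain
expires_within() {
    [ $(( $2 - $3 )) -lt $(( $1 * 86400 )) ]
}

# cert_expiry_epoch CERTFILE -> notAfter of the cert actually on disk, as Unix time
# (openssl prints "notAfter=Mar  1 12:00:00 2030 GMT"; GNU date parses the rest)
cert_expiry_epoch() {
    enddate=$(openssl x509 -noout -enddate -in "$1") || return 1
    date -d "${enddate#notAfter=}" +%s
}

# certbot only runs the hooks when a cert is actually due, so nginx is bounced
# about once every 60 days instead of on every daily run. With the webroot or
# nginx authenticator the port never has to be freed and the hooks can go.
renew() {
    certbot renew --non-interactive --quiet \
        --pre-hook  "systemctl stop nginx" \
        --post-hook "systemctl start nginx"
}

main() {
    renew
    status=$?
    now=$(date +%s)
    exp=$(cert_expiry_epoch "$LIVE_CERT") || {
        echo "cannot read $LIVE_CERT" | mail -s "[cert] $DOMAIN: cert unreadable" "$NOTIFY"
        exit 1
    }
    # Mail only when something is wrong: renewal failed, or the cert on disk
    # is still close to expiry after certbot ran.
    if [ "$status" -ne 0 ] || expires_within "$WARN_DAYS" "$exp" "$now"; then
        printf 'certbot exit status %s; %s days left on %s\n' \
            "$status" "$(days_left "$exp" "$now")" "$LIVE_CERT" \
            | mail -s "[cert] $DOMAIN needs attention" "$NOTIFY"
        exit 1
    fi
}

# Only act when invoked explicitly, e.g. from cron:
#   0 3 * * * /usr/local/sbin/cert-renew.sh run
if [ "${1:-}" = "run" ]; then
    main
fi
```

Silence from this script means certbot exited cleanly and the certificate on disk has more than 30 days left; a daily cron entry gives roughly 30 chances to notice a failure before the cert actually lapses.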

honey the codewitch, post #28:

i will blame linux for having to %$#*)@ around with systemd far more than i ever should have to fix the problem.

To err is human. Fortune favors the monsters.
• Kirk 10389821 wrote:

  to answer that question of WHY SSL. Because we need some privacy in what we are doing. Before SSL, every man in the middle knew every search, your passwords to FTP and your email passwords (no ENCODING is not encryption, LOL). So, now only GOOGLE (or your browser) can sell your URL hits if they are not tracked elsewhere (usually by google, fb, etc). This is a step in the right direction. I use apache, and the process (as mentioned elsewhere) is pretty clean. My chief tech automated it years ago, never noticed it. It just works. Thankfully. (Of course my published site is very touchy, you don't get a 404 error. You get firewall BLOCKED for 72hrs, got tired of robo attacks, lol. Oh, outside of the us, it could be a 30 day ban! (99% of my web traffic was simply attack bots checking for phpmysql, etc)). Spend the time to make sure you have the configuration right, and easier to update, it's clearly worth it. But we need SSL. EVERYTHING over the internet should use strong encryption. The fact that we SUCK at it... Is kinda on us... We spend very little time playing with it, and just want it to work.

jochance, post #29:

Yeah, all of this. Although once traffic is "on the inside" I think people do tend to keep it SSL and this is probably a little bit bad/irrelevant/overkill. Encryption/decryption doesn't come for free. Let the API gateways/load balancers handle it. My mouth stood agape at a line in Microsoft docs recently for a specific kind of containerization on Azure where they say applications don't have to and should not implement SSL. I have to think their thinking is much like the sentiment above. However, it IS maybe a notably different animal to be able to sniff your own traffic.

Kirk 10389821, post #30:

Agreed, but remember that for DECADES our poor practices at protecting things (Storing passwords clear text in DBs associated with the users, shoving them in COOKIES (OMG) as opposed to some GUID), and thinking we can ADD security later. You know, like we can ADD performance Later... (Every project I've seen with that attitude suffered massive performance issues. You DESIGN for performance, you implement with care. If speed is important, then it's part of the CONTRACT and TRACING). If Security is remotely important, it's got to be part of the contract. And in today's world, let's ASSUME that a LACK of security is a NON-STARTER. The tools are getting easier/better. But people still not understanding which is the PRIVATE KEY and which is the PUBLIC KEY is getting old. (of course calling them both key files, and sometimes .key or no extension doesn't help, but the .pub should be pretty obvious). --> We've come a VERY LONG way since the 1940s (Pre-Fortran). C, C++ (Objects), (Frameworks), and more! I have hope!

RussellT, post #31:

It is a principle in cryptography that only encrypting 'what is important' just tells adversaries what to focus on. It gives them valuable information that they would not otherwise have, and the last thing you want to give adversaries is any information. Cheers, Russ

Member_5893260, post #32:

Agreed. Linux is a POS based on something which was cool in 1968. However, I don't have a beard down to my balls, and I don't wear sandals, so...

happnatious1, post #33:

Waving dead chickens over windows works but with Linux you must use a dead penguin. :laugh:
• obermd wrote:

  The 90 day renewal is what LetsEncrypt uses for free certificates. You can purchase a certificate that lasts up to two years. There are multiple reasons certificates expire, from ensuring it doesn't get used by someone else after your site is gone to ensuring the certificate itself is resistant to brute force decryption attacks.

Mateusz Jakub, post #34:

One small correction - browsers don't accept certificates that are valid longer than 1 year.
• kmoorevs wrote:

  honey the codewitch wrote:

  Certs are a hassle I'd rather not have to deal with every 90 days.

  I've got one 'bought' SSL cert (2 yrs) and two letsencrypt ssl certs. The letsencrypt certs on my windows servers are good for 90 days and are managed automatically by an app/service called certifytheweb. It was a bit tricky getting it working the first time, but since then I haven't had to worry about them for over 2 years now. I'm running a mail server on one of those and recently (2 weeks ago) finally figured out how to export the public/private keys that are required for hMailServer. Now I've just got to learn enough powershell to automate the process! :)

  "Go forth into the source" - Neal Morse "Hope is contagious"

Mateusz Jakub, post #35:

I tried other stuff to have IIS/Windows autorenew (wildcard) - but not CertifyTheWeb - I will try it out and if it works I am going to owe you a beer. If not I will just keep on drinking myself :)

kmoorevs, post #36:

IIRC, the trick in IIS was app pool permissions on the .well-known/acme-challenge folder. Good luck! :)

"Go forth into the source" - Neal Morse "Hope is contagious"
• maze3 wrote:

  why do we need privacy? because years ago someone complained about someone walking around naked, they were chill with it, if you don't want to look that's on you. but nah, all the offended people got together and said, NO, privates should be covered by default, we making some laws about it, then everyone like ok and followed along. Its more the 1 person that was taking pictures of other naked people in public, which if they didn't go and share it out with everyone else, probably would have been an issue, but they did, and complaints were made. the real annoying part is when it's your own local home and it's still like no, you gotta go extra steps if you want to be unclothed here. but I own this, I know this place, it's okay. No your password for localhost appears on a leak list, imma be dumb and not filter out admin admin for localhost

Kirk 10389821, post #37:

Maze, You are clearly missing the point. Did you know the IRS has a rule that they can use ILLEGALLY Obtained information against you? I used to be you! (Since I don't break the law, what do I care!) Here is the simplest example. Given JUST the data the government admits it collects from Cellphone data... I can geofence rich neighborhoods, and houses, and EXPENSIVE hotels nearby. I can now calculate who is having affairs. Where they live, who they are having the affair with. Where both people work and live. In Bulk, in MINUTES. Now, I knock on your door, and I confront you, and suggest your wife need not know, if you DONATE a reasonable sum to my political campaign, or whatever. (Having an affair is NOT ILLEGAL). Being extorted is. But you are powerless. BTW, they know enough to destroy your career. (FWIW, I've seen this very tactic, and years long legal fees sponsored by our own government used). How about framing you for a crime you did not commit. But they used your cellphone data (In advance of trumping up the charges to put you in the area, where they knew you had no alibi). This data can be used to solve crimes, or to implicate people. Our constitution is SUPPOSED to protect us. It does not! Because they don't have to WIN the lawsuit. The person I know, did NOT lose the case. But they lost MILLIONS and had to step down from their position. And how about CA... They "accidentally" published FULL ID information on all concealed carry people (I think in one county). Addresses, DOBs, License #s, and type of weapon. Think LONG AND HARD... Would you be comfortable knowing that ALL of the information about you, that is stored on your computer, in your emails, including Bank Account #s, ids, ssn, etc. Were available for sale? Along with your Cell Phone data?

jochance, post #38:

You likely have a few more grey hairs than I. But I did write some Fortran... in high school. It should be relatively easy to make something configured only for SSL work without it. It's removing complexity vs adding it. Mostly that complexity is abstracted from the developer into configuration details with libraries and frameworks handling the nitty gritty of hand shakes and certificates. In most cases, I'd guess the developer need only do configurational things and provide appropriate files. "Only"... heh. It is the case that some recent work was approached in just that way which is why I'm aware of the contextual "no don't do SSL" from Microsoft. Performance is a tricky thing. I don't disagree about designing with it in mind, but I might be wary of getting terribly caught up in "pre-optimization". It's maybe sometimes easier to see what needs the most grease once the machine is running. My gut says it tends less to be that things weren't designed with performance in mind. The modern development practice of trying to reuse every wheel possible while creating as few purpose built ones as one can get away with? We had a frame, wheels, chain, gear, and pedals so we rather efficiently glue them all together in Henry Ford fashion. But then we find we are riding a 1-speed bike up a hill. Moore's law and related meant we got way more resources than we needed and we leveraged them. Perfection took a far back seat to productivity. Regardless of where that falls on one's bad<->understandable<->good line, it does mean that a sizeable majority have never had to think very much about it at all.

Chad3F, post #39:

Just wondering how/if this is a linux specific problem, and not just a certbot problem (or something else)? Would the same [equivalent] steps have worked any better on Windows? Pictures of error messages, please "or it didn't happen ™". :-D It's been a while, but I think I had a horrible experience with the certbot script and just set it up manually (using instructions similar to, if not the same as: https://ivopetkov.com/b/let-s-encrypt-on-ec2/), and never looked back. However, the referenced github repo doesn't seem to exist as-such anymore (and redirects to the certbot repo). But that does still include the letsencrypt-auto script (for now).

honey the codewitch, post #40:

It was the other day, and I've long since closed that session. I'm really not up to digging through my logs right now, especially since the problem has been resolved, at least for now.

To err is human. Fortune favors the monsters.

thewazz, post #41:

Not entirely sure this is the same kind of cert you're talking about, but have you looked into free SSL through Cloudflare? Automatic and zero work. Although, IINM, the free version is only SSL at the edge servers where everything is (eventually) cached, not SSL all the way to the host, unless you set it up that way. Edge node is fine for a lot of things.

honey the codewitch, post #42:

Thanks, I'll look into that.

To err is human. Fortune favors the monsters.

thewazz, post #43:

https://developers.cloudflare.com/ssl/