Kitz Forum

Internet => Web Hosting & Web Design => Topic started by: chenks on June 08, 2018, 05:40:29 PM

Title: Let's Encrypt
Post by: chenks on June 08, 2018, 05:40:29 PM
anyone used Let's Encrypt for free SSL certificates?
i'm looking at it thinking there must be a catch somewhere, but so far i've not spotted one.
Title: Re: Let's Encrypt
Post by: kitz on June 09, 2018, 12:24:12 AM
I use Let's Encrypt.
Title: Re: Let's Encrypt
Post by: vic0239 on June 09, 2018, 07:30:56 AM
I use it too on my NAS and two Raspberry Pi devices. Set to auto-renew, you can just forget about it.
Title: Re: Let's Encrypt
Post by: d2d4j on June 09, 2018, 09:17:59 AM
Hi

I could be wrong so apologies in advance, but I thought chenks used Windows server and not Linux, so if I am correct, LE is not available for Windows servers

Many thanks

John
Title: Re: Let's Encrypt
Post by: chenks on June 09, 2018, 09:21:04 AM
Works perfectly fine with Windows and iis
Title: Re: Let's Encrypt
Post by: d2d4j on June 09, 2018, 09:26:01 AM
Ahh sorry

When we first looked/integrated LE it was only for Linux so it’s clearly moved on

Many thanks

John
Title: Re: Let's Encrypt
Post by: chenks on June 14, 2018, 03:15:09 PM
there are a few tools now that will do the work for you with IIS.
two that i've tried are "Certify The Web" and "LetsEncrypt-Win-Simple"

this blog post explains the various methods - https://weblog.west-wind.com/posts/2016/Feb/22/Using-Lets-Encrypt-with-IIS-on-Windows
Title: Re: Let's Encrypt
Post by: Chrysalis on June 14, 2018, 03:36:29 PM
There is no catch other than I guess they are short lived certificates.  So arguably it's harder to administer.  But short lived certificates are the future, it's a better way to deal with rogue certificates, no need to blacklist a certificate if it just expires instead, the long term aim is for expiries much shorter than 3 months, some websites rotate certificates several times a week.

The certificate business has long been a bit of a nasty one, companies charging for automated processes just "because they can", a certificate self signed is not less secure than a trusted CA signed one, it's just that its CA is not whitelisted in the main browsers so will come up as an untrusted site.  SSL serves two purposes, to protect traffic from interception and to identify the owner as trusted of the website you are visiting, but the bottom end certificates that have been sold for decades, don't really verify anything other than domain ownership.

e.g. my PFSense unit has a self signed 20 year certificate that's trusted in my browser, I simply added my own CA to the certificate store on my PC.  I use that CA also for my ESXi servers as well so their web interfaces are also trusted in my browser.

The other issue being as well, the www needs to migrate to full https really, google are pushing for it as well as other established entities, but people having to pay for certificates was holding things back.  http/2 can make https faster than http for browsing, and TLS 1.3 will shorten load times even more. As usual webmasters don't tend to care until they have to change for £££, so e.g. when google started derating non https on search results, suddenly takeup spiralled.  It will be the same when they derate ipv4 only sites later in the year to push ipv6 adoption. Notice how TBB migrated their homepage to https, but not their forum, that was about SEO, if it was about enhancing privacy of data they would have done the forum as well.

LetsEncrypt has been set up to basically "correct" the market.  Stop the charging for automated domain ownership checked certificates.  Also to drag down TTL times as well, and to try and force through other modern standards.

The line stats link in my sig is encrypted using a letsencrypt cert and is on http/2.
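
Added example, not part of the original thread and not any poster's own setup: the post above says a certificate from your own CA only fails because the CA is missing from the trust store, and that short lifetimes make renewal the thing to watch. The script below shows both with the `openssl` CLI (1.1.0 or later assumed); the CA name, the host name `firewall.example.internal` and all files are constructed for the demo.

```shell
#!/usr/bin/env bash
# Constructed demo: a private CA and a 90-day leaf, all inside a temp directory.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal config so the root carries CA:TRUE whatever the system openssl.cnf says.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Example Private CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

make_ca_and_leaf() {
  # Long-lived self-signed root (20 years), as a home-lab CA might be.
  openssl req -x509 -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" -days 7300 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  # Leaf for a hypothetical internal host, signed by that root for 90 days.
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
    -subj "/CN=firewall.example.internal" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 90 -out "$WORK/leaf.crt" 2>/dev/null
}

# Succeeds if the leaf chains to a trusted root; $1 = CA file to trust (optional).
trusted() {
  if [ -n "${1:-}" ]; then
    openssl verify -no-CApath -CAfile "$1" "$WORK/leaf.crt" >/dev/null 2>&1
  else
    openssl verify -no-CAfile -no-CApath "$WORK/leaf.crt" >/dev/null 2>&1
  fi
}

# Succeeds if the leaf is still valid $1 days from now (renewal-window check).
valid_for_days() {
  openssl x509 -in "$WORK/leaf.crt" -noout -checkend $(( $1 * 86400 )) >/dev/null
}

make_ca_and_leaf
trusted && echo "CA not in store: trusted" || echo "CA not in store: NOT trusted"
trusted "$WORK/ca.crt" && echo "own CA added: trusted" || echo "own CA added: NOT trusted"
valid_for_days 30 && echo "30-day window: ok" || echo "30-day window: renew now"
valid_for_days 120 && echo "120-day window: ok" || echo "120-day window: renew now"
```

The same `-checkend` test pointed at a live certificate file is a simple way to alert when auto-renewal has silently stopped working.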
Title: Re: Let's Encrypt
Post by: chenks on June 14, 2018, 03:45:14 PM
The line stats link in my sig is encrypted using a letsencrypt cert and is on http/2.

on a side note, how do you get your dslstats bitloading graph to look correct? mine doesn't.
http://chenks.ddns.net/dslstats/
Title: Re: Let's Encrypt
Post by: Chrysalis on June 14, 2018, 03:49:43 PM
Don't know, I used the kitz v1 files, which I got from Ned.  The graphs are unmodified generated by dslstats.
Title: Re: Let's Encrypt
Post by: chenks on June 14, 2018, 03:52:00 PM
Don't know, I used the kitz v1 files, which I got from Ned.  The graphs are unmodified generated by dslstats.

as do i, but for some reason mine is huge and doesn't show the right side of the graph fully.
Title: Re: Let's Encrypt
Post by: Chrysalis on June 14, 2018, 03:55:55 PM
pm me your email address I will share you the files I use so you can check the code.
Title: Re: Let's Encrypt
Post by: chenks on June 14, 2018, 03:59:56 PM
you sure you're using an unmodified kitz v1 webgui? your top menu layout is different to mine, and i just downloaded the kitz webgui files a few days ago.
Title: Re: Let's Encrypt
Post by: Chrysalis on June 14, 2018, 04:07:04 PM
The main body is unmodified, I added tbb graphs to top and edited the name to Chrysalis.

My webgui is much older than a few days ago, note I said v1.
Title: Re: Let's Encrypt
Post by: chenks on June 14, 2018, 04:08:08 PM
anyway, i believe the issue is dslstats config rather than webgui, as the actual PNG file produced for that graph looks the same as it does when on the webgui, so it's dslstats config.
Title: Re: Let's Encrypt
Post by: kitz on June 14, 2018, 09:26:13 PM
on a side note, how do you get your dslstats bitloading graph to look correct? mine doesn't.
http://chenks.ddns.net/dslstats/

That's nothing to do with the interface but rather how DSLstats captures the graphs.  I think it remembers the last size.  To adjust the snapshots to the new size, leave the bitloading graph open and on top in DSLstats for a while until it's performed a capture at the new size.

Once it's done one, all the rest should be the same.  You may have to repeat the process with other graphs too.

----

PS you may be able to force it by doing a snapshot of all active graphs (top right button) or green button, although I've not tested it.
Title: Re: Let's Encrypt
Post by: chenks on June 14, 2018, 09:27:45 PM
yeah i did try that, but even then it seems to output a strange PNG.
also, it doesn't remember the setting when closing and re-opening dslstats and reverts back to what it was originally.
Title: Re: Let's Encrypt
Post by: kitz on June 14, 2018, 09:36:03 PM
I'm not quite sure how the graph sizes work, perhaps Eric will know.
Mine also produce different size graphs from time to time and I have to take new screenshots of all the active windows to get them correct size.
Title: Re: Let's Encrypt
Post by: kitz on June 14, 2018, 09:39:54 PM
I've just tested it as my QLN had gone wonky.
Clicking the snapshot button didn't work and I had to leave the window open until it did an automated capture.
Title: Re: Let's Encrypt
Post by: chenks on June 14, 2018, 09:48:58 PM
yeah that's what i did too.
but the graph still looks truncated on the right side, and is much larger than the other graphs.
Title: Re: Let's Encrypt
Post by: roseway on June 14, 2018, 10:47:46 PM
All the snapshots should be the size that they appear in DSLstats (unless you choose the scaling option). But I think what may be happening here is a consequence of delayed redrawing, which will vary between operating systems. I don't see the effect you describe on my Linux systems - all the snapshots are the correct size. I'll give some more thought to this, but I don't see a simple solution at the moment.