Friday, 11 May 2018

Let's Encrypt

Every "secure server" has to have a certificate; this is a text file that certifies that the server is encrypting.

I've been getting my certificates from Comodo, because I decided that Verisign were too expensive. They seem to be part of Symantec now, and Symantec want $399 per year for a cert, $1999 for a wildcard cert (which covers all subdomains of a domain name). 

Eyewatering.

Also, Chrome will soon be untrusting Symantec certs. It's a sad story.

Comodo were charging me $60/year. Now it's £90, more than twice what it used to be. Feh. GoDaddy are a bit cheaper, about $60/year, but they warn you that it will be $75 when you renew.

I'm already using Letsencrypt.org for a few dozen domain names. Their big advantage is that it's free. Certs last for 90 days, but they make it easy to automate refreshing them.

So I thought, how about using this for my Secure Server? There's only one drawback to the certs from Letsencrypt, and that is that they don't certify the name of the organisation. But when was the last time you checked the cert on a secured web site to verify that it really was the organisation you thought it was? As long as the lock thing is showing locked, and no alarming popups pop up, it should be fine.

So I downloaded certbot-auto, and made myself a free wildcard cert (the thing that Symantec wants $1999 for). I checked the server with Qualys SSL Labs and got an A+ rating; that's as high as it goes.

I just checked Barclays, my bank, and they only got a B! Naughty Barclays are still using SSL 3, which is known to be insecure.

So, while I was overhauling things, I also brought the server up to the latest Fedora, version 28, and the latest Apache web server, 2.4.33. And I also made a backup server, so I can slide that in immediately if the hardware goes pear-shaped.

While I was building it, I had a bit of a clear-out of faulty motherboards. It seems to me that motherboards wear out; I'm guessing it's the capacitors. Anyway, that left me with a bunch of CPUs for which I had no motherboard. So I went to eBay.

I found a guy selling suitable motherboards for £7 each, which sounded good until I noticed that each one came with a CPU and memory. Better than good! So I bought all six that he had.




