OK, we continue with the discussion accidentally started yesterday with the comment about SSL certificates. Now, the more attentive among you will have noticed that I now have a Let's Encrypt certificate. This is because I don't trust the provider much and I want to cover my ass before it's too late.
So... what's my problem with Let's Encrypt?
Let's start with a simple note: I am a bit wary of "free" stuff, because sooner or later somebody has to pay, and basing something on something 'free' always carries some risk. Even something like Let's Encrypt, which produces SSL certificates, which are basically files and as such have a negligible production cost, still has associated costs: somebody has to pay for the infrastructure, and there is probably maintenance involved. I understand that, and that is why there are providers that sell certificates. I have no problem paying what I think is a "fair" price (I am also a supporter of Let's Encrypt), because I understand that there is work behind it.
The first "problem" is that the default "client" they suggest you use (certbot) is a Python script that DOES NOT WORK on my server. Now, I have no problem with any language; most of the time the problem is not the language, it's the developer. But in the case of Python, I really prefer languages where I can decide how I want to indent my code, so if I can, I leave Python in its nest.
Why doesn't the client work? I don't know. Maybe because whoever made it didn't test it properly, and frankly I have no intention of debugging it.
The second "problem" is that, until recently, they didn't support "wildcard" certificates, which are what I use, so that was a blocking problem for me. Now they do support them, but the "security check" requires a change in the DNS, and this is a problem because the DNS I am using doesn't allow quick changes, so in most cases the "check" fails and I have to restart everything from scratch.
The third "problem" is that the certificates have a short lifespan, only 3 months. Now, a certificate that never expires has more problems from a security point of view, but between nothing and eternity there are several shades of grey. Until a few years ago it was possible to get certificates with 3 or 5 years of validity; recently they shortened the lifetime to 1 year. Now, I'm not completely convinced that this is for 'security' and not simply to get more money (or more often), but what the hell. Still, 1 year is 4 times 3 months. So if we put this together with the previous problem, you understand why I am not a real fan of spending half a day babysitting the renewal process every 3 months. Again: I don't get any money from this.
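The two pain points above (a DNS "check" that fails because the TXT record has not propagated yet, and a 90-day cycle that needs babysitting) are exactly the parts that are worth automating. The script below is an added example, not code from this article and not part of getssl or certbot: it checks whether the certificate is within 30 days of expiry with openssl, and it polls the authoritative nameserver for the _acme-challenge TXT record so the CA is only asked to validate once the record is really visible. It assumes openssl and dig are installed; the hostnames, file path and token in the usage comment are placeholders.

```sh
#!/bin/sh
# Added example (not from the article, getssl or certbot): two checks that take
# the babysitting out of a 90-day renewal cycle for a DNS-01 validated
# wildcard certificate.
#   1. renewal_due   - is the certificate within N days of expiry?
#   2. wait_for_txt  - has the _acme-challenge TXT record actually reached the
#                      authoritative nameserver? Only then ask the CA to check.
# Assumes openssl and dig are installed. Hostnames and the token are placeholders.

# Exit 0 if the certificate in $1 expires within $2 days (default 30), else 1.
# openssl's -checkend returns 0 when the cert is still valid past the window,
# so the result is inverted here. A missing or unreadable certificate also
# counts as "due": failing towards renewal is the safe direction.
renewal_due() {
  cert="$1"; days="${2:-30}"
  if openssl x509 -checkend "$((days * 86400))" -noout -in "$cert" >/dev/null 2>&1; then
    return 1   # still good for more than $days days
  fi
  return 0     # expiring (or already expired, or unreadable): renew now
}

# Read TXT record values on stdin, one per line as "dig +short" prints them
# (quoted), and exit 0 if one of them equals the expected ACME token.
txt_has_token() {
  expected="$1"
  while IFS= read -r line; do
    line="${line#\"}"; line="${line%\"}"
    [ "$line" = "$expected" ] && return 0
  done
  return 1
}

# Poll one authoritative nameserver until the TXT record carries the token.
# $1 = record name, $2 = token, $3 = nameserver,
# $4 = max attempts (default 20), $5 = seconds between attempts (default 30)
wait_for_txt() {
  name="$1"; token="$2"; ns="$3"; attempts="${4:-20}"; delay="${5:-30}"
  i=1
  while [ "$i" -le "$attempts" ]; do
    if dig +short @"$ns" "$name" TXT | txt_has_token "$token"; then
      echo "$name visible on $ns after $i attempt(s)"
      return 0
    fi
    i=$((i + 1))
    sleep "$delay"
  done
  echo "$name not visible on $ns after $attempts attempts; do not trigger validation" >&2
  return 1
}

# Usage when run directly (placeholder values), e.g.:
#   sh acme-checks.sh /etc/ssl/example.com.pem _acme-challenge.example.com TOKEN ns1.example.net
if [ $# -ge 4 ]; then
  if renewal_due "$1" 30; then
    wait_for_txt "$2" "$3" "$4" && echo "safe to ask the CA to validate now"
  else
    echo "certificate still has more than 30 days left; nothing to do"
  fi
fi
```

Querying the authoritative nameserver directly (rather than a caching resolver) is the point: a slow DNS provider is only a problem if you ask the CA to validate before the record is published, and a cron job running this once a day turns the quarterly half-day into nothing.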
That's why I'd really like to get a certificate from an accredited company that does the checks via e-mail and doesn't require me to do weird things to get a fucking client that doesn't want to work to cooperate.
So... why do I have a certificate now, and how did I do it?
As I said at the beginning, I don't really trust my current provider, since they seem a bit too anxious to sell things that are a lot more expensive, so I decided that I want a "plan B" before I commit to "plan A". So I installed a VM on my laptop (thanks to Windows, which now provides a hypervisor included in the system) and spent half a day messing around with different "clients" until I managed to make one work. And just for the record, I ignored Python and went for Perl and Bash.
Now let's see what the provider does, because I'd rather pay one provider than repeat this mess every 3 months.
Davide Bianchi
01/09/2021 13:06
By Anonymous coward posted 01/09/2021 20:33
Why weren't acme.sh and Dehydrated considered... "interesting"?
-- Anonymous coward
@ Anonymous coward By Davide Bianchi posted 02/09/2021 08:14
Why weren't acme.sh and Dehydrated considered... "interesting"?
Because I have a limited amount of time to dedicate to these things, which is the reason I wasn't even considering it, given that the "official" client persisted in not working at all. So I took something I assumed I could get to work and didn't go on looking any further.
At some point I have to choose: do I keep trying indefinitely to make this thing work, when it might never work, or do I simply spend $25 on a certificate from a company that sorts out these messes itself?
-- Davide Bianchi
@ Davide Bianchi By frakka posted 03/09/2021 00:58
At some point I have to choose: do I keep trying indefinitely to make this thing work, when it might never work, or do I simply spend $25 on a certificate from a company that sorts out these messes itself?
Actually it seems to me the old dealer is "not sorting out" your problems...
Joking aside, very clear, and the whole reasoning is entirely agreeable. I feared there was also a reliability problem with LE's certificates that might have escaped me.
Bye
-- frakka
@ frakka By Davide Bianchi posted 06/09/2021 11:18
Actually it seems to me the old dealer is "not sorting out" your problems...
Which is the reason I decided to have a Plan B ready rather than wait until the last moment.
-- Davide Bianchi
By Ivo Gandolfo posted 02/09/2021 14:32
>So... I installed a virtual machine on my PC and started cursing at the various Let's Encrypt "clients" until I managed to get one of them working.
Just out of curiosity, what did you use in the end? Could one get a copy? I too have sworn at certbot and got nowhere, but since my certificates will soon be saying goodbye too, I'll have to go looking for the Holy Grail myself...
-- Ivo Gandolfo
@ Ivo Gandolfo By Davide Bianchi posted 06/09/2021 07:42
Just out of curiosity, what did you use in the end?
It's called "getssl" and it's a Bash script.
-- Davide Bianchi