Web Hosting Forum | Lunarpages

Author Topic: Let's Encrypt  (Read 29981 times)

Offline scanman20

  • Senior Moderator
  • Über Jedi
  • *****
  • Posts: 1549
    • http://www.notonebit.com
Let's Encrypt
« on: February 19, 2016, 06:49:06 AM »
Is LP planning to offer this free service? Other hosts have already implemented it, so I'd expect LP to follow suit.

For those unfamiliar with Let's Encrypt (https://letsencrypt.org/):

Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. Let’s Encrypt is a service provided by the Internet Security Research Group (ISRG).

The key principles behind Let’s Encrypt are:
  • Free: Anyone who owns a domain name can use Let’s Encrypt to obtain a trusted certificate at zero cost.
  • Automatic: Software running on a web server can interact with Let’s Encrypt to painlessly obtain a certificate, securely configure it for use, and automatically take care of renewal.
  • Secure: Let’s Encrypt will serve as a platform for advancing TLS security best practices, both on the CA side and by helping site operators properly secure their servers.
  • Transparent: All certificates issued or revoked will be publicly recorded and available for anyone to inspect.
  • Open: The automatic issuance and renewal protocol will be published as an open standard that others can adopt.
  • Cooperative: Much like the underlying Internet protocols themselves, Let’s Encrypt is a joint effort to benefit the community, beyond the control of any one organization.
Even a broken clock is right twice a day.
NotOneBit.com
MCSE - MCSA - MCP (<- unused since 2006!)

Offline MrPhil

  • Senior Moderator
  • Berserker Poster
  • *****
  • Posts: 6225
Re: Let's Encrypt
« Reply #1 on: February 20, 2016, 02:32:38 PM »
Does this require or allow SNI (Server Name Indication)? That is a shared IP address for private certs; http://forums.oscommerce.com/topic/409069-server-name-indication/ . Anyone know what LP's position is on this for Basic plans (Linux shared server)? It would be nice not to have to pay for a dedicated IP address, and to use a low cost or free SSL certificate for a low-volume ecommerce site.
-= From the ashes shall rise a sooty tern =-

Offline scanman20

  • Senior Moderator
  • Über Jedi
  • *****
  • Posts: 1549
    • http://www.notonebit.com
Even a broken clock is right twice a day.
NotOneBit.com
MCSE - MCSA - MCP (<- unused since 2006!)

Offline MrPhil

  • Senior Moderator
  • Berserker Poster
  • *****
  • Posts: 6225
Re: Let's Encrypt
« Reply #3 on: February 22, 2016, 12:55:59 PM »
My browser tells me there is no groups.lunarpages.com. Could you check that first URL?
-= From the ashes shall rise a sooty tern =-

Offline scanman20

  • Senior Moderator
  • Über Jedi
  • *****
  • Posts: 1549
    • http://www.notonebit.com
Re: Let's Encrypt
« Reply #4 on: February 23, 2016, 07:25:46 AM »
lol that's not the link I posted. The forum changed it! Substitute google for lunarpages in that link. What kind of stupid filter is this?

Even a broken clock is right twice a day.
NotOneBit.com
MCSE - MCSA - MCP (<- unused since 2006!)

Offline MrPhil

  • Senior Moderator
  • Berserker Poster
  • *****
  • Posts: 6225
Re: Let's Encrypt
« Reply #5 on: November 20, 2016, 09:14:44 AM »
So, what choices does a Lunarpages customer have if they want to enable SSL on their site? I am considering opening a store on my site, which will require SSL (HTTPS) on at least some of its pages (ones carrying sensitive information). Also, Google is starting to downrank HTTP sites in favor of HTTPS sites (not just pages), so in the long run it's good to have a site completely HTTPS.

For a long time, LP has offered static IP addresses and commercial private SSL certificates, which may be a bit on the expensive side for small shops. They also offer shared SSL certificates for free, but the domain used will not match the rest of your site, which can put off a lot of customers. Do shared certificates still not work with PHP? I don't expect LP to offer private SSL certificates for free, since there is a cost associated with them, but what can they offer us that's fairly low cost? Dedicated IPv4 addresses are also going to get quite expensive, so some method that allows sharing or virtual IP addresses would be very good.

Don't forget that SSL comes in different encryption strengths (e.g., 128, 256, 1024 bit), and some financial (payment) services may require fairly strong encryption (now or in the future).

http://wiki.lunarpages.com/Adding_Features/SSL
http://wiki.lunarpages.com/Additional_Dedicated_Hosting_Features/Dedicated_Linux_SSL_Certificate
http://wiki.lunarpages.com/SSL_Renewal_is_not_automatic
-= From the ashes shall rise a sooty tern =-

Offline MichaelT

  • Support
  • Jabba the Hutt
  • *****
  • Posts: 579
Re: Let's Encrypt
« Reply #6 on: November 20, 2016, 11:52:19 PM »
At this time, Let’s Encrypt certificates are not supported on the shared servers, although this may change at some time in the future. Until then, Let’s Encrypt certificates would require either a VPS or Dedicated server.

Offline MrPhil

  • Senior Moderator
  • Berserker Poster
  • *****
  • Posts: 6225
Re: Let's Encrypt
« Reply #7 on: November 22, 2016, 07:50:50 AM »
An interesting article: http://www.theregister.co.uk/2016/01/07/net_scum_getting_lets_encrypt_certs_for_malware/

Now, The Register has become something of an online tabloid, and its articles should be taken with a few grains of salt. If I read the article correctly, Let's Encrypt SSL certificates themselves have not been compromised, but the problem is that bad actors are using them to encrypt malware deliveries from malicious (or compromised?) sites, so that en-route scanners don't pick up malware. The basic problem seems to be that those running Let's Encrypt feel it is not their job to enforce anti-malware site lists. Other certificate vendors apparently do revoke certificates if those sites are being used to distribute malware.

The bottom line is that while Let's Encrypt SSL certificates are apparently as good as anyone else's, they may be getting a bad odor about them for their policies on malware sites. Does anyone know if this has changed since this article was posted nearly a year ago?
-= From the ashes shall rise a sooty tern =-

Offline MrPhil

  • Senior Moderator
  • Berserker Poster
  • *****
  • Posts: 6225
Re: Let's Encrypt
« Reply #8 on: August 17, 2017, 08:35:39 AM »
Is Lunarpages giving us SSL certificates? I see that a couple days ago, several .well-known/ and .well-known/pki-validation/ directories suddenly showed up on my site, along with some "ssl" names and such. Googling for information, I see on some other hosts they were rolling out Let's Encrypt certificates for their users, and creating such directories.

I hope to see a formal announcement on this soon. I would be delighted to get free SSL support, if that's what it is. I'm not happy, though, to see updates to my files and directories with no word what's going on. I had some cgi-bin/ files mysteriously update all by themselves a few weeks ago, and support claimed to have no idea what happened. After some back and forth, they admitted doing some server updates. I caught this because I do a weekly listing of my files and directories to see what's changed (looking for unauthorized changes) that might be hacks.

Update: after adding https to my .htaccess Hotlink Protection, I took my site for a spin on https and so far it appears to be OK. I still need to fix a couple of hard-coded http entries, and turn on http->https redirect once I get the word that SSL is fully enabled. Going through my .htaccess, I found RewriteCond's added at every rewrite to stop .cpaneldcv and .well-known/ URIs from being rewritten. I suspect that most of these are unnecessary (just cycle wasters, as they'll never be tripped), but I'd like to know exactly what the intent is before I remove most of them.
« Last Edit: August 18, 2017, 04:56:10 AM by MrPhil »
-= From the ashes shall rise a sooty tern =-

Offline scanman20

  • Senior Moderator
  • Über Jedi
  • *****
  • Posts: 1549
    • http://www.notonebit.com
Re: Let's Encrypt
« Reply #9 on: August 18, 2017, 05:44:00 AM »
Let's hope this happens and happens soon. Apparently yesterday Google emailed webmasters a notice that as of October when Chrome 62 is released that we'll all need SSL on our forms, otherwise Chrome will display warnings:


Quote
Chrome will show security warnings on http://www...

To owner of http://www...,

Starting October 2017, Chrome (version 62) will show a “NOT SECURE” warning when users enter text in a form on an HTTP page, and for all HTTP pages in Incognito mode.

The following URLs on your site include text input fields (such as <input type="text"> or <input type="email">) that will trigger the new Chrome warning. Review these examples to see where these warnings will appear, so that you can take action to help protect users’ data. This list is not exhaustive.

[...]

The new warning is part of a long term plan to mark all pages served over HTTP as “not secure”.

Here’s how to fix this problem:

Migrate to HTTPS
To prevent the “Not Secure” notification from appearing when Chrome users visit your site, only collect user input data on pages served using HTTPS.
Read about HTTPS
Need more help?

•   Learn more about this change in the blog post Next Steps Towards More Connection Security.
•   Learn how to Secure your site with HTTPS.
•   Ask questions in our forum for more help - mention message type [WNC-10038795].
« Last Edit: August 18, 2017, 06:22:12 AM by scanman20 »
Even a broken clock is right twice a day.
NotOneBit.com
MCSE - MCSA - MCP (<- unused since 2006!)

Offline rickei

  • Intergalactic Cowboy
  • *****
  • Posts: 53
Re: Let's Encrypt
« Reply #10 on: August 18, 2017, 09:44:23 AM »
I've noticed the folders on my servers as well.
.well-known/pki-validation/
I tried my HTML sites and they seem to be working fine using HTTPS:// but my PHP sites are giving errors saying that the cert belongs to other domain names that happen to be hosted by LP. (one is a dildo company topcattoys)

I wish LP was a little more forthcoming on what they are planning here, and what I will need to do per the email that scanman20 posted. I host about 20 sites through LP and there is no way I can afford to get a dedicated account for each of them.
« Last Edit: August 18, 2017, 09:57:23 AM by rickei »

Offline MrPhil

  • Senior Moderator
  • Berserker Poster
  • *****
  • Posts: 6225
Re: Let's Encrypt
« Reply #11 on: August 19, 2017, 01:29:43 PM »
If you're getting SSL mixups on certain kinds of site code (such as PHP on an add-on), I would open a support ticket. You may have run across some sort of edge case that they're not properly setting up for, or they made a mistake somewhere.

My site is also PHP-powered, but no add-on or subdomains. I only tried a couple pages, not any forms or anything, so it's possible I too will run into some problem. As I recall, the old shared certificates didn't run with PHP, and maybe that has something to do with the setup on the new ones. PHP itself is used on the majority of sites, so that would certainly need to be fixed.
-= From the ashes shall rise a sooty tern =-

Offline MrPhil

  • Senior Moderator
  • Berserker Poster
  • *****
  • Posts: 6225
Re: Let's Encrypt
« Reply #12 on: August 21, 2017, 05:24:42 AM »
It's not Let's Encrypt (it's another free SSL system), and it's still in testing. I'm told that there will be a formal announcement when they consider it ready to go.

I'm going to hold off turning my site to SSL until the new system is formally rolled out.
-= From the ashes shall rise a sooty tern =-
