HTTPS Howto?

xtaz
Bear Rating Master
Posts: 174
Joined: 24 Dec 2009, 16:48

Re: HTTPS Howto?

Postby xtaz » 04 May 2013, 22:21

True. Wouldn't apply if you used self-signed. However you can get real certs which work in all browsers for free, so no need to use self-signed really unless you only ever use it from your own browser and don't care too much. Suppose one advantage of self-signed is you don't have to renew it every 12 months, but personally I'd rather have that little inconvenience to have a real cert.

gbcox
Bear Rating Master
Posts: 149
Joined: 25 Apr 2013, 04:52

Re: HTTPS Howto?

Postby gbcox » 04 May 2013, 23:02

Never have done it myself. Always seemed to be more trouble than it was worth... which have you used? Who would you recommend? You might consider putting together a short tutorial.

xtaz
Bear Rating Master
Posts: 174
Joined: 24 Dec 2009, 16:48

Re: HTTPS Howto?

Postby xtaz » 05 May 2013, 01:13

There is only one company as far as I'm aware who do free certificates for 12 months, which is https://www.startssl.com/ ; there are several others but they only tend to do 30 days, which is useless. It's not all that much more hassle than generating self-signed. You generate a key like normal, but instead of the certificate you generate a CSR, post the contents of the CSR to that site and you get back the cert, which you use with the key you already generated locally. Or if you can't even be bothered to do that and don't care too much about where the key came from, you can just let them generate their own key and you just download both from the site.

I assume if you've created a self-signed cert that you are probably familiar with openssl. The command I use is below. They ignore the O and OU parts, but the CN is the exact host/domain name for the website. They ask you to choose a hostname; I select www. And then the cert is generated with both example.com and www.example.com as valid names.

openssl req -new -newkey rsa:2048 -days 365 -sha1 -nodes -keyout webserver.key -out webserver.csr -subj '/O=example/OU=example/CN=example.com'

Depends really what you use SSL for. If it's just your own copy of tt-rss and you always use the same browser then self-signed is perfectly fine. But mine is also used for an actual public-facing website, along with several things like tt-rss, my webmail etc., which I access from several different computers and mobile phones. For me it's just easier to have the CA be a trusted one so I'm not bothered by having to accept it manually.

dang
Bear Rating Trainee
Posts: 14
Joined: 19 Mar 2013, 22:06

Re: HTTPS Howto?

Postby dang » 05 May 2013, 02:56

cacert.org does. They're what I use. Not sure if they're any better or worse, just older.

gbcox
Bear Rating Master
Posts: 149
Joined: 25 Apr 2013, 04:52

Re: HTTPS Howto?

Postby gbcox » 05 May 2013, 06:41

My understanding is that cacert isn't recognized in most web browsers and it acts more or less the same as a self-signed cert... so not sure what the purpose of that would be... looks like startssl is... so I'm going to take a look at that... I'm assuming that picking "example.com" and then using it with "example.com/ttrss" would work fine...?

Thanks for the info... I'll give it a whirl...

orphean
Bear Rating Trainee
Posts: 7
Joined: 02 May 2013, 03:32

Re: HTTPS Howto?

Postby orphean » 05 May 2013, 06:47

Yeah, they are going to look at the domain name; you don't need to worry about the path under the domain root at all. I prefer rss.example.com, but I like third-level domains so I don't have a bunch of magic URLs hanging off my main domain. To each their own on that one.

xtaz
Bear Rating Master
Posts: 174
Joined: 24 Dec 2009, 16:48

Re: HTTPS Howto?

Postby xtaz » 05 May 2013, 13:40

I used to do that and have different hostnames for each different website/service. But when I started using SSL for everything so that my passwords were encrypted on the wire, I stopped doing that. The big problem is if you use different hostnames then you need a separate SSL certificate for each one. Hanging everything off the one main domain means you only need a single certificate. You can get wildcard certs which would solve this problem, but startssl don't do wildcards for free. You need to pay them.

I use aliasing in my webserver so that things like tt-rss, phpMyAdmin, webmail etc. are not in my main document root and they are all kept separate. So I basically just do things like alias /tt-rss to /path/to/tt-rss. Works a treat for me.

Also, I agree with what was said about cacert. I really don't see the point of them, as they are basically exactly the same as using self-signed because they have no CA certs in the main browsers.
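The two questions above (does a cert for example.com cover example.com/ttrss, and why rss.example.com needs its own cert unless you buy a wildcard) come down to how a browser matches the certificate's DNS names against the URL's host. The following is an added illustration, not code from the thread or from tt-rss; the certificate name lists are constructed to mirror the thread (bare domain plus the chosen www host, and a hypothetical paid wildcard cert).

```python
from urllib.parse import urlsplit

# Constructed sample: names a StartSSL-style free cert from the thread would
# carry (bare domain plus the "www" host picked at issuance).
CERT_NAMES = ["example.com", "www.example.com"]
# Constructed sample: what a paid wildcard cert would carry instead.
WILDCARD_NAMES = ["example.com", "*.example.com"]


def name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive DNS-name match in the style browsers apply (RFC 6125):
    '*' is honoured only as the entire leftmost label, covers exactly one
    label, and needs at least two fixed labels after it (no '*.com')."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if len(p_labels) != len(h_labels):
        return False  # wildcard does not span sub-subdomains
    return p_labels[1:] == h_labels[1:]


def cert_covers_url(cert_names: list[str], url: str) -> bool:
    """Only the host component of the URL is checked; path, port and query
    play no part in hostname verification, so example.com/ttrss is fine."""
    host = urlsplit(url).hostname
    if host is None:
        return False
    return any(name_matches(name, host) for name in cert_names)


if __name__ == "__main__":
    for url in ("https://example.com/ttrss/",
                "https://www.example.com:8443/tt-rss/",
                "https://rss.example.com/"):
        print(url, "free cert:", cert_covers_url(CERT_NAMES, url),
              "wildcard:", cert_covers_url(WILDCARD_NAMES, url))
```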

fox
^ me reading your posts ^
Posts: 6318
Joined: 27 Aug 2005, 22:53
Location: Saint-Petersburg, Russia

Re: HTTPS Howto?

Postby fox » 05 May 2013, 14:42

fuck cacert, startssl is the shit
