Got signed with Let's Encrypt Authority X1 using letsencrypt-nosudo


#1

Sorry if this is off-topic.

I used:

to get a signed certificate. You’ll see that it looks like it’s using the production URL. (The staging URL is commented out.) However the certificate I got was signed with the old “Let’s Encrypt Authority X1” one:

https://www.ssllabs.com/ssltest/analyze.html?d=peteg.org

Any tips on what I may have done wrong?

BTW the process was totally painless using that script.

thanks,
peter


#2

You just need to configure your server to serve the cross-signed intermediate, and you should be all set!


#3

@peteg, as @jcjones says, that authority is not obsolete, it’s the real intermediate. There should be a cert chain available which your web server can serve to clients (you might already have it as chain.pem), which will tell the clients that Let’s Encrypt is a CA that they can trust, currently due to the IdenTrust cross-signature.


#4

Thanks Shoen. I tried to say thanks but your software suggested that I instead heart it. Which I did.

Things are working just fine now, up to some links that point back to HTTP. I guess a redirect would fix those too.

Thanks again for this valuable initiative.

cheers,
peter


#5

@peteg, one thing to bear in mind is that your certificate will expire in 90 days and won’t be automatically renewed. We’re working on automated renewal software, which will certainly be ready to use for most people eventually, but it wasn’t included or active by default in the beta releases, so please keep that in mind and don’t get caught by surprise when the certificate expires!

I’m glad the technology is working out properly for you and I hope you enjoy your certificate!


#6

Thanks man. I’ve been wondering what to do when it expires. One issue with that script is that it requires taking down the webserver on the domain while it authenticates with your server. It’d be nice to have a renewal mechanism that doesn’t require this. One possibility is for you to allow (re-)authentication at some port other than 80, but I haven’t thought through the security implications of this. Another is to deposit files somewhere that apache (etc) can serve up.

Anyway, I’m sure you’ve thought about this for your official client. Perhaps by renewal time I’ll simply be able to install it from Debian or somesuch.

Thanks again, and best of luck!

peter

#7

A redirect is the right thing to do, but you should also add an HSTS header then. This skips the redirect and thus prevents MitM attacks changing these redirects to anything an attacker might want.
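
An offline way to verify the two pieces of advice above (the HTTP-to-HTTPS redirect and the HSTS header), as an added example that is not part of this thread. It parses Strict-Transport-Security per RFC 6797 and checks a redirect target; the response headers it runs on are constructed, and the host name and the 180-day minimum max-age are assumptions.

```python
"""Check that a plain-HTTP response redirects to HTTPS on the same host and
that the HTTPS response carries a usable Strict-Transport-Security header.
Added example; the sample responses below are constructed, not captured."""
from urllib.parse import urlsplit


def _header(headers, name):
    """Case-insensitive header lookup on a plain dict."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_hsts(value):
    """Parse an HSTS header value into a dict of lower-cased directives.
    Directive names are case-insensitive and max-age may be quoted; a
    duplicate directive or a missing/invalid max-age makes it invalid (None)."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            return None
        directives[name] = val.strip().strip('"')
    if not directives.get("max-age", "").isdigit():
        return None
    directives["max-age"] = int(directives["max-age"])
    return directives


def check_redirect(status, headers, origin_host):
    """True when the HTTP response is a redirect to https:// on the same host."""
    target = urlsplit(_header(headers, "Location") or "")
    return (status in (301, 302, 307, 308) and target.scheme == "https"
            and target.hostname == origin_host.lower())


def check_hsts(headers, min_age=15552000):
    """True when HSTS is present with max-age >= min_age (assumed: 180 days)."""
    value = _header(headers, "Strict-Transport-Security")
    parsed = parse_hsts(value) if value is not None else None
    return parsed is not None and parsed["max-age"] >= min_age


# Constructed sample responses for a hypothetical host.
HTTP_REDIRECT = (301, {"Location": "https://www.example.org/"})
HTTPS_HEADERS = {"strict-transport-security": "max-age=31536000; includeSubDomains"}
```

Both checks together reflect the thread's point: the redirect alone can be tampered with on the first plain-HTTP request, while a valid HSTS policy makes the browser skip that request on later visits.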


#8

Indeed, there’s a webroot plugin; another option would be integrated server support.


#9

Sounds great. I’ll give it a shot closer to expiry time. Thanks for the pointer.

cheers,
peter