Very happy, thank you!


#1

I knew about Let’s Encrypt when it was still in development but did not start using it until today. I did not like the 3 month certificates, to me it was worth the $9 from namecheap for a cert that lasts a year. But times have gotten really tough financially (I almost ended up homeless at end of last year).

I’m a huge privacy advocated, currently working on an alternative to Gravatar which is a massive tracking problem - both with the way hashes are generated and with cookies. But this project isn’t going to bring me any income, I’m doing it because privacy is really important to me.

I decided to use LE just to reduce cost, and found the certbot client easy enough to script into my preferred way of doing things - the three month renew I still am not fond of, but it’s at least cake to do and do it my preferred way (generate cert before use, upsate DANE TLSA records, then put into service when new TLSA records have propagated - yes I know few browsers support TLSA but using it is best way to show browsers I really want them to)

Anyway the experience is very positive and I suspect I’ll be doing more domains with LE.

It’s basically just as easy to do as generating the CSR I send off to comodo only I don’t have to send the CSR off to comodo, I can get the cert instantly.

This is my way - https://gist.github.com/AliceWonderMiscreations/de1a37b41df545eba3b6d6e77f6f29fb

Gets everything I need, and lets me update the apache config when I’m ready.


#2

It looks like the SAN part didn’t work, I’ll have to look at why, it’s in the CSR. Not critical for the site its being used with at the moment but gah, I should have checked that earlier…

subjectAltName = @san

[san]
DNS.1 = trippyid.com
DNS.2 = www.trippyid.com

The www isn’t in the signed cert.


#3

You may have to define the extension section within the req section:

[req]

req_extensions = ext

[ext]
subjectAltName = @san

[san]


#4

Doh!

I’ll try it again in a few days, don’t want to bother right now but yes that is something I missed.


#5

I tried it on a different server and yes, that’s all that I was missing. Thanks for noting it.


#6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.