I've successfully transitioned existing StartSSL certificates + HPKP / HSTS to 
letsencrypt.sh (via the Debian package).

I know I am not the first to do such a thing, but maybe you'd like to have some 
quick pointers to get this resolved ASAP.

Raoul

PS. The most important thing is to initially tell letsencrypt.sh to reuse an 
existing private key for requesting new certs. 

On November 28, 2016 11:04:57 PM GMT+01:00, "L. Aaron Kaplan" <[email protected]> 
wrote:
>
>> On 28 Nov 2016, at 22:59, Laurens Vets <[email protected]> wrote:
>> 
>> On 2016-11-28 13:40, Tobias Pape wrote:
>>> Hi all,
>>> I use Chrome 56, and can no longer open https://bettercrypto.org/.
>>> The browser complains with ERR_CERT_AUTHORITY_INVALID for the StartCom
>>> issued certificate for
>>> bettercrypto.org. Since it uses HSTS, Chrome won't let me continue.
>>> Can someone (Aaron K?) replace the Cert, eg, with a Letsencrypt one?
>>> Can I do something there?
>>> Best regards
>>>     -Tobias
>>> PS: FireFox 50 is OK with the site.
>>> PPS: So is Safari 9.1
>>> PPPS:
>>> https://security.googleblog.com/2016/10/distrusting-wosign-and-startcom.html
>>> may be the reason here.
>>> PPPPS: ssllabs is happy tho (A+):
>>> https://www.ssllabs.com/ssltest/analyze.html?d=bettercrypto.org
>> 
>
>That sucks.
>Thanks for the heads up. I did not notice that when I re-issued the
>certificate.
>
>> This will also be the case with Firefox starting with version 51 and certs signed after October 21, 2016.
>> 
>> More information:
>> https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/
>> 
>
>So, this is indeed a bummer. We will have to do a let's encrypt
>certificate (means extra work).
>
>Thanks for the notice.


-- 
DI (FH) Raoul Bhatia M.Sc.
E-Mail. [email protected]
Tel. +43 699 10132530
_______________________________________________
Ach mailing list
[email protected]
http://lists.cert.at/cgi-bin/mailman/listinfo/ach
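
An added example, not part of the message above and not letsencrypt.sh's own code: a check that a newly issued certificate still carries the HPKP-pinned key, which is what reusing the existing private key is meant to preserve. The file names and the self-signed sample certificates are constructed for illustration; only the openssl command line is used.

```shell
# Added example: HPKP pins are base64(SHA-256(DER SubjectPublicKeyInfo)), so a
# certificate from a new CA keeps the pin only if it carries the same key.

# Read a PEM public key on stdin, print its pin-sha256 value.
spki_pin() {
    openssl pkey -pubin -outform DER | openssl dgst -sha256 -binary | openssl base64
}

# Pin of the public half of a private key file.
pin_from_key() {
    pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    printf '%s\n' "$pub" | spki_pin
}

# Pin of the public key inside a certificate file.
pin_from_cert() {
    pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    printf '%s\n' "$pub" | spki_pin
}

# Exit 0 if the certificate carries the key, 1 if not, 2 if a file is unreadable.
pin_matches() {
    key_pin=$(pin_from_key "$1") || return 2
    cert_pin=$(pin_from_cert "$2") || return 2
    [ "$key_pin" = "$cert_pin" ]
}

# Constructed sample data: throwaway EC keys and self-signed certificates
# stand in for the old key and the newly issued certificate.
make_samples() {
    dir=$1
    for n in old fresh; do
        openssl ecparam -name prime256v1 -genkey -noout -out "$dir/$n.key" &&
        openssl req -new -x509 -key "$dir/$n.key" -subj "/CN=example.test" \
            -days 1 -out "$dir/$n.crt" 2>/dev/null || return 1
    done
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_samples "$tmp" || { rm -rf "$tmp"; return 1; }
    echo "pin-sha256=\"$(pin_from_key "$tmp/old.key")\""
    pin_matches "$tmp/old.key" "$tmp/old.crt" && echo "reused key: pin still valid"
    pin_matches "$tmp/old.key" "$tmp/fresh.crt" || echo "new key: pin would break"
    rm -rf "$tmp"
}
demo
```

Running `pin_matches` against the served certificate before the old one is replaced shows whether the pin already sent in the Public-Key-Pins header will still validate.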