Re: Update of SSL certificate on haproxy.org

2016-12-28 Thread Baptiste
On Wed, Dec 28, 2016 at 11:50 AM, Willy Tarreau  wrote:

> Hi Baptiste,
>
> On Wed, Dec 28, 2016 at 09:32:07AM +0100, Baptiste wrote:
> > I personally use a shell script (acme.sh https://github.com/Neilpang/acme.sh)
> > to set up my certificates with Let's Encrypt.
>
> I noticed this one but not tried it yet.
>
> > I run it in my init script, before HAProxy starts up to replace my certs
> > in-place. It's good enough for me, since the certs will be updated
> > automatically if required after each conf change.
> >
> > I planned to release this script on gitlab at some point, and this could be
> > the right moment :)
>
> Yes, I'll wait for your scripts and howtos then. I'm really sick of
> spending my time dealing with SSL on mondays, spam filtering on tuesdays,
> mailing list archives rotation on wednesdays and so on. It takes me a lot
> of time to learn how to adapt to such tools, far more than for normal
> people, and it quickly gets me nervous and makes it harder for me to
> concentrate on useful stuff :-/
>
> Cheers,
> Willy
>

Hi all,

Here you go:
  https://www.bedis9.net/posts/2016_12_28_letsencryptforhaproxy.html

And the scripts on github: https://github.com/bedis/letsencryptforhaproxy

Please note that the script generates both RSA and ECDSA certificates.
I also added a second script to manage OCSP at run time (through the stats
socket).

Baptiste
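As an added example (not Baptiste's published scripts), one way to do the run-time OCSP part described in the message above: fetch a fresh response with openssl and hand it to the running HAProxy over the stats socket with `set ssl ocsp-response`, so no reload is needed. The socket path, the certificate and issuer paths, and the use of socat are assumptions.

```shell
#!/bin/sh
# Refresh the stapled OCSP response HAProxy serves, without a reload,
# by pushing it through the stats socket. Paths below are assumptions.
set -eu

HAPROXY_SOCK="${HAPROXY_SOCK:-/var/run/haproxy.sock}"

# Fetch a fresh OCSP response for $1 (leaf cert PEM) signed by $2 (issuer
# PEM) into $3 (DER). Returns non-zero unless the responder says "good",
# so a revoked or unavailable status is never stapled.
fetch_ocsp_response() {
    cert="$1"; issuer="$2"; out="$3"
    uri="$(openssl x509 -in "$cert" -noout -ocsp_uri)"
    [ -n "$uri" ] || { echo "no OCSP URI in $cert" >&2; return 1; }
    openssl ocsp -issuer "$issuer" -cert "$cert" -url "$uri" \
        -no_nonce -respout "$out" 2>/dev/null | grep -q "^$cert: good"
}

# Build the stats-socket command from a DER response file ($1).
# HAProxy expects the DER payload base64-encoded on a single line.
ocsp_socket_command() {
    der="$1"
    [ -s "$der" ] || return 1          # refuse an empty or missing response
    printf 'set ssl ocsp-response %s\n' "$(base64 < "$der" | tr -d '\n')"
}

# Push the command to the running HAProxy (assumes socat is installed).
push_ocsp() {
    ocsp_socket_command "$1" | socat stdio "UNIX-CONNECT:$HAPROXY_SOCK"
}

# Usage: refresh_ocsp /etc/haproxy/certs/example.com.pem /etc/haproxy/certs/issuer.pem
# (assumed paths). On any failure the previously stapled response is kept.
refresh_ocsp() {
    tmp="$(mktemp)"
    if fetch_ocsp_response "$1" "$2" "$tmp"; then
        push_ocsp "$tmp"
    else
        echo "OCSP refresh skipped for $1: keeping the last good response" >&2
    fi
    rm -f "$tmp"
}
```

Run it from cron well inside the response's validity window; the same command is also what HAProxy reads from a `<cert>.ocsp` file at startup, so the cron job and the init-time path stay consistent.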


Re: Update of SSL certificate on haproxy.org

2016-12-28 Thread Willy Tarreau
Hi Baptiste,

On Wed, Dec 28, 2016 at 09:32:07AM +0100, Baptiste wrote:
> I personally use a shell script (acme.sh https://github.com/Neilpang/acme.sh)
> to set up my certificates with Let's Encrypt.

I noticed this one but not tried it yet.

> I run it in my init script, before HAProxy starts up to replace my certs
> in-place. It's good enough for me, since the certs will be updated
> automatically if required after each conf change.
> 
> I planned to release this script on gitlab at some point, and this could be
> the right moment :)

Yes, I'll wait for your scripts and howtos then. I'm really sick of
spending my time dealing with SSL on mondays, spam filtering on tuesdays,
mailing list archives rotation on wednesdays and so on. It takes me a lot
of time to learn how to adapt to such tools, far more than for normal
people, and it quickly gets me nervous and makes it harder for me to
concentrate on useful stuff :-/

Cheers,
Willy



Re: Update of SSL certificate on haproxy.org

2016-12-28 Thread ge...@riseup.net
On 16-12-28 09:32:07, Baptiste wrote:
> I planned to release this script on gitlab at some point, and this
> could be the right moment :)

Yes!




Re: Update of SSL certificate on haproxy.org

2016-12-28 Thread Baptiste
On Wed, Dec 28, 2016 at 2:40 AM, Willy Tarreau  wrote:

> Hi Holger,
>
> On Tue, Dec 27, 2016 at 11:12:50PM +0100, Holger Just wrote:
> > Hi Willy,
> >
> > Recently, you updated the SSL certificate of haproxy.org,
> > git.haproxy.org, ... to a new certificate from StartSSL.
>
> Yep and I was glad to be done with this painful stuff for 3 years...
>
> > Unfortunately, recently, there was an incident of several misissued
> > certificates by this CA as well as shady business decisions involving
> > WoSign which resulted in Chrome [1] and Firefox [2] no longer trusting
> > the CA's root certificates with their next respective releases. Apple
> > has revoked trust to certificates issued after December 1 [3] which just
> > barely doesn't affect the current cert. I have found no statement by
> > Microsoft.
> >
> > With the next release of Firefox and Chrome, users using the https
> > versions of the websites will thus receive a strongly worded error
> > similar to other TLS errors involving invalid certificates.
>
> Hmmm cool. The usual loop repeats itself... Google has the power to
> force every site to implement SSL, CAs mess up, browsers have the power
> to judge who must be disqualified, and in the end it's users who are
> annoyed. I'm impatient to see this long-obsolete single-chain trust
> model collapse.
>
> > I'd thus recommend updating the certificate again and using a more
> > trusted CA. With Let's Encrypt being widely supported, well automatable
> > and also free, I'd recommend this one.
>
> Thanks. Last time I checked it was not possible, with only a python client,
> but I'm seeing that there are more portable implementations now, so I'll
> probably have to give it a try again when I have time to waste for this
> (to be clear, between working on HTTP/2 and playing again with SSL toys,
> my choice is clearly in favor of the one making the project go forward).
>
> Thanks for notifying me!
> Willy
>
>

Hi Willy,

I personally use a shell script (acme.sh https://github.com/Neilpang/acme.sh)
to set up my certificates with Let's Encrypt.
I run it in my init script, before HAProxy starts up to replace my certs
in-place. It's good enough for me, since the certs will be updated
automatically if required after each conf change.

I planned to release this script on gitlab at some point, and this could be
the right moment :)

Baptiste


Re: Update of SSL certificate on haproxy.org

2016-12-27 Thread Willy Tarreau
Hi Holger,

On Tue, Dec 27, 2016 at 11:12:50PM +0100, Holger Just wrote:
> Hi Willy,
> 
> Recently, you updated the SSL certificate of haproxy.org,
> git.haproxy.org, ... to a new certificate from StartSSL.

Yep and I was glad to be done with this painful stuff for 3 years...

> Unfortunately, recently, there was an incident of several misissued
> certificates by this CA as well as shady business decisions involving
> WoSign which resulted in Chrome [1] and Firefox [2] no longer trusting
> the CA's root certificates with their next respective releases. Apple
> has revoked trust to certificates issued after December 1 [3] which just
> barely doesn't affect the current cert. I have found no statement by
> Microsoft.
> 
> With the next release of Firefox and Chrome, users using the https
> versions of the websites will thus receive a strongly worded error
> similar to other TLS errors involving invalid certificates.

Hmmm cool. The usual loop repeats itself... Google has the power to
force every site to implement SSL, CAs mess up, browsers have the power
to judge who must be disqualified, and in the end it's users who are
annoyed. I'm impatient to see this long-obsolete single-chain trust
model collapse.

> I'd thus recommend updating the certificate again and using a more
> trusted CA. With Let's Encrypt being widely supported, well automatable
> and also free, I'd recommend this one.

Thanks. Last time I checked it was not possible, with only a python client,
but I'm seeing that there are more portable implementations now, so I'll
probably have to give it a try again when I have time to waste for this
(to be clear, between working on HTTP/2 and playing again with SSL toys,
my choice is clearly in favor of the one making the project go forward).

Thanks for notifying me!
Willy



Update of SSL certificate on haproxy.org

2016-12-27 Thread Holger Just
Hi Willy,

Recently, you updated the SSL certificate of haproxy.org,
git.haproxy.org, ... to a new certificate from StartSSL.

Unfortunately, recently, there was an incident of several misissued
certificates by this CA as well as shady business decisions involving
WoSign which resulted in Chrome [1] and Firefox [2] no longer trusting
the CA's root certificates with their next respective releases. Apple
has revoked trust to certificates issued after December 1 [3] which just
barely doesn't affect the current cert. I have found no statement by
Microsoft.

With the next release of Firefox and Chrome, users using the https
versions of the websites will thus receive a strongly worded error
similar to other TLS errors involving invalid certificates.

I'd thus recommend updating the certificate again and using a more
trusted CA. With Let's Encrypt being widely supported, well automatable
and also free, I'd recommend this one.

Best,
Holger

[1]
https://security.googleblog.com/2016/10/distrusting-wosign-and-startcom.html
[2]
https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/
[3] https://support.apple.com/en-us/HT202858