Re: [Freeipa-users] let's encrypt integration and best practices for mod_nss/mod_ssl

2015-11-11 Thread Rob Crittenden
Fraser Tweedale wrote: On Tue, Nov 10, 2015 at 08:30:47PM -0800, Prasun Gera wrote: You are right in that the fullchain.pem doesn't have the root certificate. I ran "openssl x509 -in chain.pem -noout -text", and saw that it had Issuer: O=Digital Signature Trust Co., CN=DST Root CA X3, and

Re: [Freeipa-users] let's encrypt integration and best practices for mod_nss/mod_ssl

2015-11-11 Thread Fraser Tweedale
On Wed, Nov 11, 2015 at 02:50:20PM -0800, Prasun Gera wrote: > I'll try this on an aws instance and report. Some googling also suggests > that the additional step of "pk12util -i ipa.example.com.p12 -d > /etc/httpd/alias" is needed, which is similar to what you suggested. A few > more questions: >

Re: [Freeipa-users] let's encrypt integration and best practices for mod_nss/mod_ssl

2015-11-11 Thread Prasun Gera
I'll try this on an aws instance and report. Some googling also suggests that the additional step of "pk12util -i ipa.example.com.p12 -d /etc/httpd/alias" is needed, which is similar to what you suggested. A few more questions: 1) How would renewals work? The pem files can be renewed on

Re: [Freeipa-users] let's encrypt integration and best practices for mod_nss/mod_ssl

2015-11-10 Thread Fraser Tweedale
On Tue, Nov 10, 2015 at 03:12:04PM -0800, Prasun Gera wrote: > I tried using let's encrypt's certs manually, but I think I'm missing > something. Let's encrypt creates the following files : cert.pem chain.pem > fullchain.pem privkey.pem. I was trying to follow >

Re: [Freeipa-users] let's encrypt integration and best practices for mod_nss/mod_ssl

2015-11-10 Thread Prasun Gera
No it didn't quite work. I ran ipa-server-certinstall -w /etc/letsencrypt/live/example.com/privkey.pem /etc/letsencrypt/live/example.com/fullchain.pem which gives The full certificate chain is not present in /etc/letsencrypt/live/example.com/privkey.pem, /etc/letsencrypt/live/

Re: [Freeipa-users] let's encrypt integration and best practices for mod_nss/mod_ssl

2015-11-10 Thread Prasun Gera
I tried using let's encrypt's certs manually, but I think I'm missing something. Let's encrypt creates the following files: cert.pem chain.pem fullchain.pem privkey.pem. I was trying to follow http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP but I wasn't able to get it to

Re: [Freeipa-users] let's encrypt integration and best practices for mod_nss/mod_ssl

2015-11-10 Thread Fraser Tweedale
On Tue, Nov 10, 2015 at 03:44:19PM -0800, Prasun Gera wrote: > No it didn't quite work. > > I ran ipa-server-certinstall -w /etc/letsencrypt/live/ > example.com/privkey.pem /etc/letsencrypt/live/example.com/fullchain.pem > > which gives The full certificate chain is not present in >

Re: [Freeipa-users] let's encrypt integration and best practices for mod_nss/mod_ssl

2015-11-10 Thread Prasun Gera
On Tue, Nov 10, 2015 at 5:04 PM, Fraser Tweedale wrote: > On Tue, Nov 10, 2015 at 03:44:19PM -0800, Prasun Gera wrote: > > No it didn't quite work. > > > > I ran ipa-server-certinstall -w /etc/letsencrypt/live/ > > example.com/privkey.pem

Re: [Freeipa-users] let's encrypt integration and best practices for mod_nss/mod_ssl

2015-11-10 Thread Fraser Tweedale
On Tue, Nov 10, 2015 at 08:30:47PM -0800, Prasun Gera wrote: > You are right in that the fullchain.pem doesn't have the root certificate. > I ran "openssl x509 -in chain.pem -noout -text", and saw that it > had Issuer: O=Digital Signature Trust Co., CN=DST Root CA X3, and Subject: > C=US, O=Let's

Re: [Freeipa-users] let's encrypt integration and best practices for mod_nss/mod_ssl

2015-11-10 Thread Prasun Gera
You are right in that the fullchain.pem doesn't have the root certificate. I ran "openssl x509 -in chain.pem -noout -text", and saw that it had Issuer: O=Digital Signature Trust Co., CN=DST Root CA X3, and Subject: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X1. So I got the root certificate

Re: [Freeipa-users] let's encrypt integration and best practices for mod_nss/mod_ssl

2015-11-07 Thread Prasun Gera
Thanks for the discussion. If someone can update the documentation with mozilla style old, intermediate and modern cipher lists for mod_nss, that would be great. Better still would be to add that option to the installer scripts so that you can choose it during installation. Integrating that in the

Re: [Freeipa-users] let's encrypt integration and best practices for mod_nss/mod_ssl

2015-11-05 Thread Prasun Gera
Yes, that's what I was planning to do, i.e. convert cipher names from SSL to NSS. I wasn't sure about the other settings though. Is there an equivalent NSSHonorCipherOrder? Is that implicit? Similarly, are there equivalent configs for HSTS on the mozilla page? Does NSS allow using generated DH

Re: [Freeipa-users] let's encrypt integration and best practices for mod_nss/mod_ssl

2015-11-05 Thread Prasun Gera
Thanks. After the changes, most things seem to be in order. I see two orange flags though: Secure Client-Initiated Renegotiation *Supported* *DoS DANGER* (more info) Session resumption

Re: [Freeipa-users] let's encrypt integration and best practices for mod_nss/mod_ssl

2015-11-05 Thread Rob Crittenden
Prasun Gera wrote: > Thanks. After the changes, most things seem to be in order. I see two > orange flags though: > > Secure Client-Initiated Renegotiation *Supported* *DoS DANGER* (more > info >

Re: [Freeipa-users] let's encrypt integration and best practices for mod_nss/mod_ssl

2015-11-05 Thread Fraser Tweedale
On Thu, Nov 05, 2015 at 11:52:32PM -0500, Rob Crittenden wrote: > Prasun Gera wrote: > > Thanks. After the changes, most things seem to be in order. I see two > > orange flags though: > > > > Secure Client-Initiated Renegotiation *Supported* *DoS DANGER* (more > > info > >

Re: [Freeipa-users] let's encrypt integration and best practices for mod_nss/mod_ssl

2015-11-05 Thread Rob Crittenden
Prasun Gera wrote: > Yes, that's what I was planning to do. i.e. Convert cipher names from > SSL to NSS. I wasn't sure about the other settings though. Is there an > equivalent NSSHonorCipherOrder ? Is that implicit ? Similarly, are there > equivalent configs for HSTS on the mozilla page? Does NSS

Re: [Freeipa-users] let's encrypt integration and best practices for mod_nss/mod_ssl

2015-11-04 Thread Fraser Tweedale
On Wed, Nov 04, 2015 at 03:20:22PM -0800, Prasun Gera wrote: > I'm using idm (4.1.x) on a RHEL 7.1 with the webui accessible publicly. I'm > using a stock configuration which uses the certs signed by ipa's CA for the > webui. This is mostly for convenience since it manages renewals seamlessly. >

[Freeipa-users] let's encrypt integration and best practices for mod_nss/mod_ssl

2015-11-04 Thread Prasun Gera
I'm using idm (4.1.x) on a RHEL 7.1 with the webui accessible publicly. I'm using a stock configuration which uses the certs signed by ipa's CA for the webui. This is mostly for convenience since it manages renewals seamlessly. This, however, requires users to add the CA as trusted to their

Re: [Freeipa-users] let's encrypt integration and best practices for mod_nss/mod_ssl

2015-11-04 Thread Rob Crittenden
Prasun Gera wrote: > Thanks for the ticket information. I would still be interested in > configuring mod_nss properly (irrespective of whether the certs are ipa > generated or 3rd party). These are the worrying notes from ssllabs test: > > The server supports only older protocols, but not the