Re: [Freeipa-users] let's encrypt integration and best practices for mod_nss/mod_ssl

2015-11-11 Thread Rob Crittenden
Fraser Tweedale wrote: On Tue, Nov 10, 2015 at 08:30:47PM -0800, Prasun Gera wrote: You are right in that the fullchain.pem doesn't have the root certificate. I ran "openssl x509 -in chain.pem -noout -text", and saw that it had Issuer: O=Digital Signature Trust Co., CN=DST Root CA X3, and

Re: [Freeipa-users] let's encrypt integration and best practices for mod_nss/mod_ssl

2015-11-11 Thread Fraser Tweedale
On Wed, Nov 11, 2015 at 02:50:20PM -0800, Prasun Gera wrote: > I'll try this on an aws instance and report. Some googling also suggests > that the additional step of "pk12util -i ipa.example.com.p12 -d > /etc/httpd/alias" is needed, which is similar to what you suggested. A few > more questions: >

Re: [Freeipa-users] let's encrypt integration and best practices for mod_nss/mod_ssl

2015-11-11 Thread Prasun Gera
I'll try this on an aws instance and report. Some googling also suggests that the additional step of "pk12util -i ipa.example.com.p12 -d /etc/httpd/alias" is needed, which is similar to what you suggested. A few more questions: 1) How would renewals work? The pem files can be renewed on

Re: [Freeipa-users] let's encrypt integration and best practices for mod_nss/mod_ssl

2015-11-10 Thread Fraser Tweedale
On Tue, Nov 10, 2015 at 03:12:04PM -0800, Prasun Gera wrote: > I tried using let's encrypt's certs manually, but I think I'm missing > something. Let's encrypt creates the following files : cert.pem chain.pem > fullchain.pem privkey.pem. I was trying to follow >

Re: [Freeipa-users] let's encrypt integration and best practices for mod_nss/mod_ssl

2015-11-10 Thread Prasun Gera
No it didn't quite work. I ran ipa-server-certinstall -w /etc/letsencrypt/live/example.com/privkey.pem /etc/letsencrypt/live/example.com/fullchain.pem which gives The full certificate chain is not present in /etc/letsencrypt/live/example.com/privkey.pem, /etc/letsencrypt/live/

Re: [Freeipa-users] let's encrypt integration and best practices for mod_nss/mod_ssl

2015-11-10 Thread Prasun Gera
I tried using let's encrypt's certs manually, but I think I'm missing something. Let's encrypt creates the following files: cert.pem chain.pem fullchain.pem privkey.pem. I was trying to follow http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP but I wasn't able to get it to

Re: [Freeipa-users] let's encrypt integration and best practices for mod_nss/mod_ssl

2015-11-10 Thread Fraser Tweedale
On Tue, Nov 10, 2015 at 03:44:19PM -0800, Prasun Gera wrote: > No it didn't quite work. > > I ran ipa-server-certinstall -w /etc/letsencrypt/live/example.com/privkey.pem /etc/letsencrypt/live/example.com/fullchain.pem > > which gives The full certificate chain is not present in >

Re: [Freeipa-users] let's encrypt integration and best practices for mod_nss/mod_ssl

2015-11-10 Thread Prasun Gera
On Tue, Nov 10, 2015 at 5:04 PM, Fraser Tweedale wrote: > On Tue, Nov 10, 2015 at 03:44:19PM -0800, Prasun Gera wrote: > > No it didn't quite work. > > > > I ran ipa-server-certinstall -w /etc/letsencrypt/live/example.com/privkey.pem

Re: [Freeipa-users] let's encrypt integration and best practices for mod_nss/mod_ssl

2015-11-10 Thread Fraser Tweedale
On Tue, Nov 10, 2015 at 08:30:47PM -0800, Prasun Gera wrote: > You are right in that the fullchain.pem doesn't have the root certificate. > I ran "openssl x509 -in chain.pem -noout -text", and saw that it > had Issuer: O=Digital Signature Trust Co., CN=DST Root CA X3, and Subject: > C=US, O=Let's

Re: [Freeipa-users] let's encrypt integration and best practices for mod_nss/mod_ssl

2015-11-10 Thread Prasun Gera
You are right in that the fullchain.pem doesn't have the root certificate. I ran "openssl x509 -in chain.pem -noout -text", and saw that it had Issuer: O=Digital Signature Trust Co., CN=DST Root CA X3, and Subject: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X1. So I got the root certificate
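The two points above, that certbot's fullchain.pem stops at the intermediate (leaf plus "Let's Encrypt Authority X1", no "DST Root CA X3"), and the earlier message's pk12util import of an ipa.example.com.p12 into /etc/httpd/alias, can be scripted. The following is an added example written for this page, not code from the thread or from FreeIPA. It needs only the openssl CLI; it builds a throwaway root -> intermediate -> leaf chain standing in for the Let's Encrypt one, shows that the certbot-style bundle fails the "ends in a self-signed root" check, appends the root, cross-checks with openssl verify, and packs key plus full chain into a PKCS#12 file. Every file name, DN and the empty export password are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not code from the freeipa-users thread. Needs only the
# openssl CLI. Every file and DN here is constructed: a throwaway
# root -> intermediate -> leaf chain standing in for
# "DST Root CA X3 -> Let's Encrypt Authority X1 -> example.com".
set -eu

# Print "subject|issuer" (RFC 2253 form) for each certificate in a PEM bundle,
# in file order; this is what the thread does by hand with
# "openssl x509 -in chain.pem -noout -text".
pem_chain_names() {
    dir=$(mktemp -d)
    awk -v dir="$dir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert%02d.pem", dir, n); inside = 1 }
        inside { print > f }
        /-----END CERTIFICATE-----/ { inside = 0; close(f) }' "$1"
    for f in "$dir"/cert*.pem; do
        [ -e "$f" ] || continue
        s=$(openssl x509 -in "$f" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
        i=$(openssl x509 -in "$f" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
        printf '%s|%s\n' "$s" "$i"
    done
    rm -rf "$dir"
}

# Succeed only if the last certificate is self-signed (subject == issuer).
# certbot's fullchain.pem ends at the intermediate, so it fails here, which is
# what ipa-server-certinstall's "full certificate chain is not present" means.
chain_has_root() {
    last=$(pem_chain_names "$1" | tail -n 1)
    [ -n "$last" ] && [ "${last%%|*}" = "${last#*|}" ]
}

# Write $3 = $1 (fullchain) followed by $2 (root), unless $1 already has a root.
build_full_chain() {
    if chain_has_root "$1"; then cp "$1" "$3"; else cat "$1" "$2" > "$3"; fi
    chain_has_root "$3"
}

# Independent check with OpenSSL's own path builder: trust only the root,
# offer the intermediate untrusted, verify the leaf.
verify_leaf() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" > /dev/null
}

# Bundle key + full chain into PKCS#12 (the ipa.example.com.p12 the thread
# imports with "pk12util -i ... -d /etc/httpd/alias") and print how many
# certificates ended up inside. The empty export password keeps this
# non-interactive; use a real one outside a demo.
make_pkcs12() {
    openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -name Server-Cert -passout pass: 2>/dev/null
    openssl pkcs12 -in "$3" -nokeys -passin pass: 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Build the constructed chain in a temp dir (left in $DEMO_DIR) and run the checks.
demo() {
    DEMO_DIR=$(mktemp -d); d=$DEMO_DIR
    cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -config "$d/ca.cnf" -extensions v3_ca -newkey rsa:2048 -nodes -days 2 \
        -subj '/O=Example Trust/CN=Example Root' -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
        -subj '/O=Example/CN=Example Intermediate' -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial -days 2 \
        -extfile "$d/ca.cnf" -extensions v3_ca -out "$d/int.pem" 2>/dev/null
    openssl req -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
        -subj '/CN=ipa.example.test' -keyout "$d/privkey.pem" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial -days 2 \
        -out "$d/cert.pem" 2>/dev/null
    cat "$d/cert.pem" "$d/int.pem" > "$d/fullchain.pem"   # what certbot ships: leaf + intermediate, no root

    echo "fullchain.pem:"; pem_chain_names "$d/fullchain.pem"
    chain_has_root "$d/fullchain.pem" && echo "root present" || echo "root missing (what ipa-server-certinstall complains about)"
    build_full_chain "$d/fullchain.pem" "$d/root.pem" "$d/full-with-root.pem" && echo "full-with-root.pem ends in a self-signed root"
    verify_leaf "$d/root.pem" "$d/int.pem" "$d/cert.pem" && echo "openssl verify: leaf OK"
    echo "certificates in p12: $(make_pkcs12 "$d/privkey.pem" "$d/full-with-root.pem" "$d/ipa.example.test.p12")"
}
demo
```

With a real certbot directory you would point build_full_chain at fullchain.pem and a copy of the root you fetched, then hand privkey.pem and the resulting bundle to ipa-server-certinstall, or the PKCS#12 to pk12util as the thread describes. One caveat when reproducing the 2015 setup today: OpenSSL 3 writes PKCS#12 files with AES/PBKDF2 by default, which old NSS builds cannot import; its pkcs12 command has a -legacy flag for that case.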

Re: [Freeipa-users] let's encrypt integration and best practices for mod_nss/mod_ssl

2015-11-07 Thread Prasun Gera
Thanks for the discussion. If someone can update the documentation with mozilla style old, intermediate and modern cipher lists for mod_nss, that would be great. Better still would be to add that option to the installer scripts so that you can choose it during installation. Integrating that in the

Re: [Freeipa-users] let's encrypt integration and best practices for mod_nss/mod_ssl

2015-11-05 Thread Prasun Gera
Yes, that's what I was planning to do, i.e. convert cipher names from SSL to NSS. I wasn't sure about the other settings though. Is there an equivalent NSSHonorCipherOrder? Is that implicit? Similarly, are there equivalent configs for HSTS on the mozilla page? Does NSS allow using generated DH

Re: [Freeipa-users] let's encrypt integration and best practices for mod_nss/mod_ssl

2015-11-05 Thread Prasun Gera
Thanks. After the changes, most things seem to be in order. I see two orange flags though: Secure Client-Initiated Renegotiation *Supported* *DoS DANGER* (more info) Session resumption

Re: [Freeipa-users] let's encrypt integration and best practices for mod_nss/mod_ssl

2015-11-05 Thread Rob Crittenden
Prasun Gera wrote: > Thanks. After the changes, most things seem to be in order. I see two > orange flags though: > > Secure Client-Initiated Renegotiation *Supported* *DoS DANGER* (more > info >

Re: [Freeipa-users] let's encrypt integration and best practices for mod_nss/mod_ssl

2015-11-05 Thread Fraser Tweedale
On Thu, Nov 05, 2015 at 11:52:32PM -0500, Rob Crittenden wrote: > Prasun Gera wrote: > > Thanks. After the changes, most things seem to be in order. I see two > > orange flags though: > > > > Secure Client-Initiated Renegotiation *Supported* *DoS DANGER* (more > > info > >

Re: [Freeipa-users] let's encrypt integration and best practices for mod_nss/mod_ssl

2015-11-05 Thread Rob Crittenden
Prasun Gera wrote: > Yes, that's what I was planning to do. i.e. Convert cipher names from > SSL to NSS. I wasn't sure about the other settings though. Is there an > equivalent NSSHonorCipherOrder ? Is that implicit ? Similarly, are there > equivalent configs for HSTS on the mozilla page? Does NSS

Re: [Freeipa-users] let's encrypt integration and best practices for mod_nss/mod_ssl

2015-11-04 Thread Fraser Tweedale
On Wed, Nov 04, 2015 at 03:20:22PM -0800, Prasun Gera wrote: > I'm using idm (4.1.x) on a RHEL 7.1 with the webui accessible publicly. I'm > using a stock configuration which uses the certs signed by ipa's CA for the > webui. This is mostly for convenience since it manages renewals seamlessly. >

Re: [Freeipa-users] let's encrypt integration and best practices for mod_nss/mod_ssl

2015-11-04 Thread Rob Crittenden
Prasun Gera wrote: > Thanks for the ticket information. I would still be interested in > configuring mod_nss properly (irrespective of whether the certs are ipa > generated or 3rd party). These are the worrying notes from ssllabs test: > > The server supports only older protocols, but not the