Let's Encrypt: The Fully Transparent & Free Non-Profit Certificate Authority
- added 28. 02. 2020
Let's Encrypt Has Issued a Billion Certificates
letsencrypt.org/2020/02/27/on...
How Let's Encrypt Runs CT Logs
letsencrypt.org/2019/11/20/ho...
Shedding light upon this service is almost as awesome as the service itself. Thank you Tom, the internet thanks you!
Great video, thanks. I had heard of Let's Encrypt before but didn't look into it until I saw your video. I self host a couple of webapps from my home server and have now replaced my GoDaddy cert with a Let's Encrypt cert. Was super easy to setup and free. No brainer.
This clears up a lot. Thanks Tom!
Love LetsEncrypt, all of my servers run their certs
Thank you for giving me a better understanding on this
letsencrypt is the best. My website uses Traefik reverse proxy with automagic LetsEncrypt integration using DNS challenge. Once it's set up, I don't have to think about anything. It just works.
Cool, I'll see if I can find a guide for that.
Super coverage on this. I will be looking into Let's Encrypt since I just purchased a domain for my LAN.
Well, your signing server needs to be reachable from the public, also its domain name.
For LANs it's better to run your own cert authority. On a Windows network you can automatically establish trust to your own organisation via Active Directory and roll out all certs via policies. Public certs are only needed for 3rd party trust.
Great topic and content, thanks Tom!
Big thanks to Lawrence and hello from Moscow '-)
Very informative video, thanks so much...
What do you use for an internal PKI environment? Offline root CA, HSM? Any recommendations for a homelab/small business?
Check out smallstep.
6:05 Unless it's GoDaddy, they charge an arm and a leg and everything in your pocket to give you SSL. I get mine from Cloudflare.
One difference worth mentioning is the info that is in the TLS cert. When you go through a conventional CA, they verify your identity (e.g. company name), and that info is shown in the cert when a user asks for details from the browser. Since Let’s Encrypt does not validate this information (or even ask for it), it can show nothing in the cert apart from your domain name. So all one of their certs is actually certifying is that the site you are connecting to is the actual owner of the domain name, nothing more or less.
Yes, they only do domain validation or DV certs, not EV or extended validation certs.
When you get a DV cert through a "conventional CA", it contains exactly the same information as a DV cert from Let's Encrypt. Only if you pay the extra expense for an OV or EV cert (which Let's Encrypt doesn't issue) does the cert have any additional information.
He did mention this.
I'm wondering... Is it acceptable to ask you for a detailed tutorial on how to install and secure a webserver (Apache) on Linux, and also in another video how to set up Let's Encrypt with reliable and automatic cert renewal?
I would not call a DV CA which has not used multiple perspectives for a long time "absolutely secure", it's more minimum acceptable security. If you control the clients it's good to add some extra protection like certificate pinning and monitor the CT logs closely, as the CAA record seems not to be honored in terms of Let's Encrypt accounts. (Issuer Account Tag)
If you don't like your Let's Encrypt certificate, I'll personally triple your money back.
Alright, I'll send you an invoice with my work time about dealing with constant changes of certbot and wonky integration into enterprise systems.
And let's not forget those million or so revoked certs and the implicated damage caused by Let's Encrypt's fault... just saying, for that budget that client is wonkers.
@woswasdenni1914 All clients are produced by the community and the primary developers of certbot are funded by the EFF. If you take issue with certbot you are more than welcome to use any of the other clients or implement your own better one that is not, as you say, "wonkers". There is a nuance to the revocation issue that I believe you are missing: bugzilla.mozilla.org/show_bug.cgi?id=1619179.
Tom, it is my understanding that EV was originally brought in also to allow the browser address bar to change to a green background when it was on a site that had a valid EV certificate - a visual indicator to the website customer that it was good and not a dodgy site. The financial institution I work for spends quite a bit of time & effort assisting our customers in matters of internet security, and the fact that the browser manufacturers are now moving away from highlighting an EV certificate is annoying.
EV certs are dead. The minimal advantages that EV certs have are outweighed by their disadvantages.
Google did a study suggesting that positive indications of security (such as the green EV bar) were largely ignored by users. storage.googleapis.com/pub-tools-public-publication-data/pdf/400599205ab5a1c9efa03e2a7c127eb8200bf288.pdf
There are also a bunch of other issues with EV which Troy Hunt outlined here - www.troyhunt.com/extended-validation-certificates-are-dead/
Seems like a good idea in theory that didn't quite work out in day-to-day practice.
@Ken RQ Heard a bit of discussion about this of late and it seems that research is indicating that they are broadly ineffective. I can see how it would make a helpdesk person's life a little easier though.
What exactly was supposed to be “dodgy” about regular SSL/TLS certs?
@lawrencedoliveiro9104 There was a time past, before EV was a thing, where people would create websites and get certificates from CAs that were not doing proper due diligence regarding ownership. The extra rigour around the EV process was supposed to mostly eliminate them.
@kenrq63 But it's still those same CAs issuing the certs. What "extra" diligence were they doing that they weren't doing before?
Lawrence,
Today, before I watched your video, I uninstalled the ACME and the HAProxy packages from my pfSense. For days, I have tried to make them work.
HAProxy worked very well forwarding HTTP traffic, but I could not make it forward the HTTPS traffic (even without SSL termination and re-encryption) to the backend server. It was very, very buggy.
The ACME package worked flawlessly using a STAGING key, but did not work at all with the production key. "Authorization must be pending" appeared in the logs, among other things.
- Could you please make a complete video? I mean creating a staging key and then a final production key?
- Could you show the creation of the staging certificate and then the creation of the final production one?
- Could you show SSL offloading and new encryption to the backend server?
- Could you show a complete Frontend (I tried with two) with the Lua script for Webroot local folder validation and forwarding all HTTP traffic to HTTPS? This way, only port 443 would be open on the backend server.
- Could you show verification (CRL) of the backend server certificate really working?
After days, my conclusion is that both packages (HAProxy and ACME) are not in production stage. At least not in this version of pfSense.
PS: I watched the official Netgate videos about both of them, and watched an entire online course on HAProxy.
I am not sure what you did wrong as they are used by a lot of companies in production; it's a great setup.
@LAWRENCESYSTEMS I am aware, for example, that HAProxy is a well-known tool used by many. What I meant is that those packages in pfSense are not working properly.
But, please, by all means show in your videos how it is done the right way.
If you could show in your videos the answers to my questions, I would be thankful.
I watch so many of your videos if they're not completely over my head. It just amazes me how fast your mind and your mouth work in concert. I have to wonder just how your employees can keep up with you once you get going. LOL. Sometimes, when I really want to get something, I'll set the speed to 75% so I can get it all. That's pretty funny too, because it makes you sound like you've had a 3 martini lunch.
I do talk faster in person and much faster in my head.
Hi Tom. Looking forward to the upcoming videos. Would love to have certs for my home network setup. Many thanks.
Smallstep (smallstep.com/) provides an open-source ACME protocol server amongst all its other features. It allows you to stand up the same infrastructure as shown here within your local network.
Alternatively there is plenty of information available documenting how to use pfSense to get legitimate Let's Encrypt certificates for your internal devices in an automated way.
@Q-BertASU98 Thanks, will look into it. Later on I might want to get access from the public network.
@denzilhoff6026 Thanks.
Many ISPs block port 80 for residential connections. So if that's the case, you won't be able to use Let's Encrypt.
Use it on UniFi controller and UniFi Video. Going to set it up on 3CX soon (it's used by default for non-custom domains). No reason to not use HTTPS nowadays. It should be the default. Honestly, should just phase out non-HTTPS.
Thank you Tom, how to get a certificate for FreeNAS? Can you release the next videos on this subject?
The best way I know to get a cert for FreeNAS is the guide I posted here: forum.freenas-community.org/t/lets-encrypt-with-freenas-11-1-and-later/28 It's been working well for me for a couple of years. FreeNAS 11.3 has added support for DNS validation to obtain and renew the certs automatically, but only with Route53 DNS--hopefully they'll be adding compatibility with more providers in the near future.
Only issue I have had is when my certs expire through my hosting provider they do not seem to auto-renew, at least not that I can see. Not sure why.
Who is your hosting provider? Come on over to our community forum at community.letsencrypt.org and we'll help you get sorted out.
Thanks for the great video Tom! I understand Google tends to keep their 'secret sauce'... well, secret... but do you have a sense of if/how having an EV or OV certificate might help with your Google Search results on a small e-commerce* site? *the site doesn't process transactions itself
Nope, I don't know of any weight having those certs adds to your SEO position.
Could you please do a video showing how you would enable LetsEncrypt on a Unifi Cloud key with a dyndns FQDN. Thank you
To my knowledge it's not supported.
8:12 Certs are not normally tied to IP addresses. Not sure if Let’s Encrypt even allows that.
Yes, SSL is tied to the domain name, not the public IP address. My point was that if you make changes to your system, it is easy to re-issue certs.
I'm trying to find out how to extend beyond 10 SSL certificates. The first 10 are free but beyond that I'm at a loss. I don't mind paying for that luxury. Any ideas??
Please explain what you mean by the first 10 certificates are free. All of our certificates have been and will continue to always be free. Are you perhaps conflating this with the rate limits? letsencrypt.org/docs/rate-limits/
Good stuff.
Could you use this to replace Cisco ASA or Routers expired certs, Or would you ?
Why do they have certs?
I would try to limit the exposure to the Cisco ASA/router login page to a set of known IP addresses. That being said I see nothing wrong with regenerating a self signed cert on those devices for the login page.
4:56 One problem that I’m not sure has been solved is that any CA can issue a cert for any domain. Thus, one dodgy CA can undermine the whole system by issuing bogus certs for sites that everybody uses.
A domain administrator can lock which CAs are allowed to issue for a domain via a CAA record. All CAs are required to check and abide by CAA records.
@philporada5655 How do you validate CAA records?
@lawrencedoliveiro9104 This particular Boulder CA code handles CAA checking: github.com/letsencrypt/boulder/blob/master/va/caa.go
For a typical user you can run `dig CAA example.com`
RFC 8659 has more technical information to check out. tools.ietf.org/html/rfc8659
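A worked version of the CAA check the reply above describes, added here as an example (not code from the page, from Let's Encrypt or from Boulder): it parses CAA records in the RFC 8659 text format that `dig CAA example.com` prints, climbs the name tree to find the relevant record set, and decides whether a given CA may issue, including the `issuewild` rule and the RFC 8657 `accounturi` parameter that binds issuance to one ACME account (the account-level CAA restriction an earlier comment alludes to). The `ZONE` dictionary stands in for DNS answers and is constructed data; the account URI in it is a placeholder.

```python
import re

# RFC 8659 presentation format: <flags> <tag> "<value>", e.g. 0 issue "letsencrypt.org"
CAA_RE = re.compile(r'^\s*(\d+)\s+([A-Za-z0-9]+)\s+"([^"]*)"\s*$')
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def parse_caa(rdata):
    """Parse one CAA record into (flags, tag, value)."""
    flags, tag, value = CAA_RE.match(rdata).groups()
    return int(flags), tag.lower(), value

def parse_issue_value(value):
    """Split 'ca.example; key=val; ...' into (issuer_domain, {param: value})."""
    issuer, *rest = [p.strip() for p in value.split(";")]
    params = dict(p.partition("=")[::2] for p in rest if p)
    return issuer.lower(), {k.strip().lower(): v.strip() for k, v in params.items()}

def relevant_caa_set(zone, name):
    """RFC 8659 section 3: climb from name towards the root; the first non-empty CAA RRset wins."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return [parse_caa(r) for r in rrset]
    return []

def ca_may_issue(zone, name, ca_domain, wildcard=False, account_uri=None):
    """True if ca_domain is permitted to issue for name (or *.name when wildcard)."""
    rrset = relevant_caa_set(zone, name)
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False  # critical flag set on a tag the CA does not understand: refuse
    # Wildcard requests use issuewild when present, else issue; others ignore issuewild.
    tag = "issuewild" if wildcard and any(t == "issuewild" for _, t, _ in rrset) else "issue"
    candidates = [v for _, t, v in rrset if t == tag]
    if not candidates:
        return True  # no applicable issue/issuewild property: any CA may issue
    for value in candidates:
        issuer, params = parse_issue_value(value)
        if issuer != ca_domain.lower():
            continue  # an empty issuer (issue ";") matches no CA at all
        # RFC 8657 accounturi parameter binds issuance to a single ACME account URI
        if "accounturi" in params and params["accounturi"] != account_uri:
            continue
        return True
    return False

# Constructed zone data for the demonstration; the account URI is a placeholder, not a real account.
ZONE = {
    "example.com": ['0 issue "letsencrypt.org"', '0 issuewild ";"', '0 iodef "mailto:security@example.com"'],
    "pinned.example.com": ['0 issue "letsencrypt.org; accounturi=https://acme.example/acct/PLACEHOLDER"'],
}
```

With this zone, `ca_may_issue(ZONE, "www.example.com", "letsencrypt.org")` is allowed by the parent record while a wildcard request is refused by `issuewild ";"`, and a name with no CAA records anywhere up the tree is open to any CA.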
Would the LetsEncrypt be something I could use home when learning about AD CA on server 2016?
or is this just for Linux?
Nope. They don't provide CAs.
I personally run a CA on my router (OPNSense)...
(well, the CA is on multiple encrypted storage media, offline somewhere I'm not going to discuss.... the intermediate CA is on the router ;) )
I have 3 groups of certificate using services:
- User facing but local -> Letsencrypt directly
- User facing but with internet access -> Router maintains the Letsencrypt certificate and reverse proxy, Between Router and Service Local Certificates get used
- Non-user facing -> Uses local certificates only.
Even worse than "lots of sniffing" were Internet and mobile providers who injected tracking cookies and scripts or advertising. You really do your users a service if you offer only HTTPS, even on public and non-sensitive sites. (Not to mention you get Google SEO karma.)
Woohoo.. my 2 Pi-hole servers, UniFi controller and WordPress sites are all domain validated by Let's Encrypt.. works like clockwork..
Only works where the software offers you a direct integration into Let's Encrypt, like Plesk does.
If you wanna or need to run on a regular webserver or a software that only indirectly supports it, like Zimbra, you're in a world of pain.
Lawrence, FreeNAS is good with acting like a CA?
sea doggo 🐿️🤣
This made me think... is there an open source/free 2FA solution?
Yes, TOTP is an open standard czcams.com/video/jxxtVzVLm3c/video.html
A piece of crap. It destroyed my website..
I'm curious if I could get an SSL cert for my DDNS name, like something.ddns.net.
Why not?
@daniel_2 Because your DDNS could be found in an online registry.
hate to burst your bubble but the government sees your traffic from the core before the ISP
No worries, your vague statement didn't change my understanding of how technology works. ;)
But they hacked THE CORE, man. BGP is just a protocol that tells your packets how to get to THE CORE. The internet is like an Apple because apples have THE CORE too...... ALIENS!