
posted by cmn32480 on Wednesday March 14 2018, @02:16PM   Printer-friendly
from the simple-cypers dept.

Arstechnica reports

In July of 2017, the nonprofit certificate authority Let's Encrypt promised to deliver something that would put secure websites and Web applications within reach of any Internet user: free "wildcard" certificates to enable secure HTTP connections for entire domains. Today, Let's Encrypt took that promised service live, in addition to a new version of the Automated Certificate Management Environment (ACME) protocol, an interface that can be used by a variety of client software packages to automate verification of certificate requests.

[....]Many hosting providers already support the registration of Let's Encrypt certificates to varying degrees. But Let's Encrypt's free certificate offering hasn't been snapped up by some larger hosting providers—such as GoDaddy—who also sell SSL certificates to their customers.



 
  • (Score: 5, Insightful) by insanumingenium on Wednesday March 14 2018, @04:31PM (6 children)

    by insanumingenium (4824) on Wednesday March 14 2018, @04:31PM (#652473) Journal
    Why exactly do I need public HTTPS certs for network infrastructure? Even if you are going to use HTTPS for management, you should already have a CA, issue your own damn certs you lazy bum. Or generate some self signed certs without an internal CA and trust those certs manually. You don't want public hosts to be able to validate the cert, why would you use a public cert?

    This is horses for courses, Let's Encrypt is for simple web servers to be validated by (most) browsers. If you are such a great admin, surely you can automate the DNS authentication method for your IRC server, which is the only case you mentioned where you might actually want to use the service. But the family run coffee shop on the corner needs the bare minimum of security without hiring an overpriced and whiny hack like you.

    You are bitching about HTTPS certs for IOS routers and you think the other guy has clearly never managed network devices before, what a joke!
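The approach the comment above argues for (a private CA for management interfaces, with the root trusted only by the admins' machines), as an added example that is not from the thread or from any poster. It needs only the openssl CLI; the CA name, the hostnames and the file layout are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal private CA for management
# interfaces, issuing a leaf certificate with a SAN and verifying it the way a
# client with the root installed would. Needs only the openssl CLI. The CA
# name, hostnames and file layout are assumptions for the demonstration.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Root CA: CA:TRUE with pathlen 0 (it signs leaves, never other CAs) and a key
# usage that does not let it act as a server itself. In real use ca.key stays
# offline or in an HSM; only ca.crt goes into the admins' trust stores.
make_ca() {
    cat >"$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Infra Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:3072 -nodes -sha256 \
        -days 3650 -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# Issue a server certificate for one management hostname. Extensions come from
# the CA's extfile, never from the CSR, so a requester cannot smuggle in
# CA:TRUE or an extra SAN. Clients ignore the CN; the SAN is what they check.
issue_cert() {  # issue_cert <fqdn>
    host="$1"
    openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$host" -keyout "$WORK/$host.key" -out "$WORK/$host.csr" >/dev/null 2>&1
    cat >"$WORK/$host.ext" <<EOF
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
    openssl x509 -req -in "$WORK/$host.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 398 -sha256 -extfile "$WORK/$host.ext" \
        -out "$WORK/$host.crt" >/dev/null 2>&1
}

# What a client with ca.crt installed checks: chain to our root, server
# purpose, and that the SAN covers the name it connected to. Exit 0 only then.
verify_cert() {  # verify_cert <fqdn-of-cert> <name-the-client-expects>
    openssl verify -CAfile "$WORK/ca.crt" -purpose sslserver -verify_hostname "$2" \
        "$WORK/$1.crt" >/dev/null 2>&1
}

# A leaf must never be able to sign further certificates.
is_ca_cert() {  # is_ca_cert <fqdn>
    openssl x509 -in "$WORK/$1.crt" -noout -text | grep -q 'CA:TRUE'
}
```

Run `make_ca` once, `issue_cert <fqdn>` per device, then push ca.crt to the admin workstations' trust stores and the leaf plus key onto the device (how that import works is vendor specific). The name in the SAN has to be the one admins actually type into the browser or client, otherwise the hostname check above fails exactly as it should.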
  • (Score: 2) by Booga1 on Wednesday March 14 2018, @07:17PM (5 children)

    by Booga1 (6333) on Wednesday March 14 2018, @07:17PM (#652553)

    The certificates on the load balancers on our networks are used to present a single "host.company.com" front for our customers.
    Nobody wants to see "NAMWEB619LB01.company.com" and "EURDBS821SW01.company.com" except the admins.

    • (Score: 2) by insanumingenium on Wednesday March 14 2018, @08:22PM (4 children)

      by insanumingenium (4824) on Wednesday March 14 2018, @08:22PM (#652577) Journal
      What does that have to do with the price of tea in China?

      Just in case you have never used it and/or don't know, Let's Encrypt isn't restricted to requesting certs for your local hostname, and the certs don't have to be requested from the machine where they will be used. These things make automation easier, and automation is an explicit goal of Let's Encrypt, but they are not prerequisites, you could run Let's Encrypt on any machine you like and put the cert on both LBs. Your LBs presumably provide TLS connections to the public, which isn't the case with an IOS router, LBs make sense to have public certs on. And if you want to buy certs commercially for whatever reason, that is OK too. The part I criticized was using Let's Encrypt for nonsense scenarios.
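The automation the comment above describes (validate by DNS from any host you like, then put the same certificate on both LBs), as an added example that is not from the thread, from Let's Encrypt or from any ACME client. It needs only the openssl CLI and touches no network: the DNS provider and the LB targets are stood in for by local files, the token and thumbprint in the test are constructed values, and all names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from Let's Encrypt: the moving parts of
# a DNS-01 issuance driven from an automation host rather than from the device
# that will serve the cert. Needs only the openssl CLI; no network is touched.
# The zone-file stand-in, LB target directories and all names are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# RFC 8555 s8.1 and s8.4: control of a name is proven by publishing
#   base64url(SHA-256(token "." base64url-JWK-thumbprint(account key)))
# as a TXT record at _acme-challenge.<name>. ACME clients do this arithmetic
# themselves; it is spelled out so the value handed to the DNS hook is not magic.
dns01_record_name() {  # dns01_record_name <name>
    printf '_acme-challenge.%s' "$1"
}

dns01_txt_value() {  # dns01_txt_value <token> <account-key-thumbprint>
    printf '%s.%s' "$1" "$2" \
        | openssl dgst -sha256 -binary \
        | openssl base64 -A \
        | tr '+/' '-_' | tr -d '='
}

# Stand-in for the DNS provider API (the --manual-auth-hook / --manual-cleanup-hook
# role in certbot, which gets CERTBOT_DOMAIN and CERTBOT_VALIDATION in its
# environment): the record goes into a local zone fragment instead of real DNS.
ZONE="$WORK/zone.txt"
publish_challenge() {  # publish_challenge <name> <txt-value>
    printf '%s. 60 IN TXT "%s"\n' "$(dns01_record_name "$1")" "$2" >>"$ZONE"
}
remove_challenge() {   # remove_challenge <name>
    name="$(dns01_record_name "$1")"
    { grep -v "^$name\. " "$ZONE" || true; } >"$ZONE.tmp"
    mv "$ZONE.tmp" "$ZONE"
}

# The check a deploy hook should do before touching any LB: the private key on
# the automation host must be the one the issued certificate was made for.
cert_matches_key() {  # cert_matches_key <cert.pem> <key.pem>
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Deploy hook: push the same chain and key to every LB (stand-in: local dirs;
# in practice scp or the LB's API, then a listener reload). Refuses a
# mismatched pair rather than breaking every LB at once.
deploy_to_lbs() {  # deploy_to_lbs <fullchain.pem> <privkey.pem> <target>...
    chain="$1"; key="$2"; shift 2
    cert_matches_key "$chain" "$key" || return 1
    for target in "$@"; do
        mkdir -p "$target"
        cp "$chain" "$target/fullchain.pem"
        cp "$key" "$target/privkey.pem"
        chmod 600 "$target/privkey.pem"
    done
}

# Offline stand-in for what the ACME client would hand back: a self-signed
# cert and key, only so the deploy path can be exercised without a CA.
make_sample_pair() {  # make_sample_pair <name> <basename>
    printf '[req]\ndistinguished_name = dn\n[dn]\n' >"$WORK/req.cnf"
    openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1" -keyout "$WORK/$2.key" -out "$WORK/$2.crt" >/dev/null 2>&1
}
```

With certbot the same shape is `certbot certonly --manual --preferred-challenges dns --manual-auth-hook <publish script> --manual-cleanup-hook <remove script> --deploy-hook <deploy script> -d host.company.com`, run on the automation host; nothing on the LBs or the IRC server needs to speak ACME, it only needs to accept the resulting files.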
      • (Score: 2) by Booga1 on Wednesday March 14 2018, @10:19PM (3 children)

        by Booga1 (6333) on Wednesday March 14 2018, @10:19PM (#652636)
        Well, you start off saying:

        Why exactly do I need public HTTPS certs for network infrastructure?

        I responded with an example of network infrastructure where we use certificates. And of COURSE you don't have to request from the machines that eventually use the certs because the machines that use them may have no way of doing it, much less in an automated fashion. That was the main complaint after all. Not that it changes much for any other issuing certificate authority (even the one run by the company I work at). As for Cisco IOS, I've no direct experience with it (the stuff here is by F5). With a quick search it seems IOS does indeed support some use of certificates: Public Key Infrastructure Configuration Guide, Cisco IOS XE Release 3S [cisco.com]
        A router that also performs load balancing seems to be a standard feature for them. Not sure if it's similar to the F5 stuff we use, but here's this:

        • (Score: 2) by insanumingenium on Wednesday March 14 2018, @11:17PM (2 children)

          by insanumingenium (4824) on Wednesday March 14 2018, @11:17PM (#652668) Journal
          IOS absolutely has very deeply embedded certificate and PKI support. Public traffic may pass over those devices, but you don't let the public access the management of those devices. And that was my point, you don't manage network infrastructure based on public certificates.

          As for your Cisco link, the rest of that paragraph shows that it isn't talking about load balancing in the same sense as you are thinking.

          Load balancing is a standard functionality of the Cisco IOS® router software, and is available across all router platforms. It is inherent to the forwarding process in the router and is automatically activated if the routing table has multiple paths to a destination. It is based on standard routing protocols, such as Routing Information Protocol (RIP), RIPv2, Enhanced Interior Gateway Routing Protocol (EIGRP), Open Shortest Path First (OSPF), and Interior Gateway Routing Protocol (IGRP), or derived from statically configured routes and packet forwarding mechanisms. It allows a router to use multiple paths to a destination when forwarding packets.

          • (Score: 3, Interesting) by Booga1 on Wednesday March 14 2018, @11:51PM (1 child)

            by Booga1 (6333) on Wednesday March 14 2018, @11:51PM (#652692)

            I think I might see part of the disconnect. I'm not referring to managing the equipment by securing access to them via those certificates. I mean managing the certificates those devices have on them, as they are used to masquerade/identify the machines behind them as the hosts specified in the certificates. Of course I can't imagine letting the public access the management of the devices. I'm not sure in what scenario someone would want a publicly configurable privately owned network.

            Also, the inter-network load balancing scenarios are indeed not what I was thinking of. Using certificates from LE for strictly internal management of network equipment would indeed be silly. I was thinking of server traffic load balancing, but I'm not sure if they offer a combo unit that does both routing and load balancing in that particular sense.

            Anyway, I guess lack of specificity in the original complaint and how I interpreted the response is what got me started on this thread. Now that I see what you're referring to I'm pretty sure I'm in agreement with you.