The DNS-01 challenge is more difficult to automate than HTTP-01, requiring that your DNS provider supply an API for managing your DNS records.
There are several circumstances where you might choose DNS-01 over HTTP-01:
- If your domain has more than one web server, you will not have to manage challenge files on multiple servers.
- DNS-01 can be used even if port 80 is blocked on your web server.
Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit and it’s been a huge change to the whole industry. Now, when everyone has adopted the idea of free SSL certificates, the logical evolution step is at hand — managed certificates. What are the options across major cloud providers?
Simplest Guide for Squid SSL Bumping
“📢 Reader Alert❗If you are using an uncapped Internet package, probably this might not be your cup of tea ☕️…”
If you are still interested, hold my beer 🍺 I am going to tell you how to save your data (and of course money! 💰). Your savings are proportional to your repeatable web behavior.
One thing that ultimately allowed the impact of this event to be greatly reduced is that Android devices do not check the expiration date of the Root CA Certificate when establishing trust in the certificate chain... This means that it is still possible to anchor on the expired IdenTrust Root CA, and those Android devices would work,
The 'New Default Chain' still ultimately anchors on the IdenTrust Root CA, meaning compatibility with Android devices that won't check the expiration date, but it passes through the new Let's Encrypt ISRG Root X1 CA which more modern clients will have in their trust store. This means those modern clients will stop the chain there and accept it as trusted too. Win-win.
One interesting side effect of this though is that you can then modify the Root Certificates in the trust store and because no signature validation is taking place, meaning no integrity check is taking place, the modified Root Certificate will be treated as perfectly valid. This is the part that I'd never thought about.
When first thinking about this issue, I felt a little bit like I did when I first found out, all those years ago, about signatures not being validated on roots and how that seemed ridiculous. Once you think about this more though, you realise that it does make sense and that it just doesn't seem logical upon first thought. In order to make this change and have it actually take effect on the client, you need to have access to that client with administrative privileges to change the root store. If your concern is that an attacker might do something like this, well, I'd suggest you have far bigger issues to concern yourself with given that the attacker has admin/root and is on your device!
Well, the Internet Apocalypse came and went! Due to the recent expiration of the Let's Encrypt intermediate and root certificates, I saw more widespread issues than I was expecting, but on different devices and for different reasons than I thought. Let's take a look at what happened and why.
Many people look at that and think how can it be so fragile or so simple to totally break stuff?
One thing that's certain is that this event is coming again. Over the next few years we're going to see a wide selection of Root Certificates expiring for all of the major CAs and we're likely to keep experiencing the exact same issues unless something changes in the wider ecosystem.
On 30th September 2021, the root certificate that Let's Encrypt are currently using, the IdenTrust DST Root CA X3 certificate, will expire. You may or may not need to do anything about this Root CA expiring, but I'm betting a few things will probably break on that day so here's what you need to know!
There are hundreds of publicly trusted Certificate Authorities and a subset of those implement a specification for certificate request/renewal called ACME (Automatic Certificate Management Environment) https://datatracker.ietf.org/doc/html/rfc8555 (ACME v2). Anyone can create (and use) a new certificate authority but only recognised CAs which can prove they follow strict issuance guidelines become generally trusted. You can, for instance, create your own ACME certificate authority and trust it within your organisation, but it won't be trusted by computers outside your organisation.
As more public certificate authorities hop on the ACME bandwagon, it is important to understand the details and limitations of their implementations. This page will attempt to keep track of that data.
Don’t have an SSL Certificate? Google is going to flag your website this year!
We turn to the internet for everything. From selling to buying,
With this dominating trend, online security has become a necessity.
Undoubtedly, Google loves its users and therefore, is coming up with every possible way to make us feel secure here on the internet.
With its recent announcement, earlier this year, Google will flag all the unencrypted internet by the end of 2017.
What?
This website is for when you try to open Facebook, Google, Amazon, etc on a wifi network, and nothing happens. Type "http://neverssl.com" into your browser's url bar, and you'll be able to log on.
Why?
Normally, that's a bad idea. You should always use SSL and secure encryption when possible. In fact, it's such a bad idea that most websites are now using https by default.
And that's great, but it also means that if you're relying on poorly-behaved wifi networks, it can be hard to get online. Secure browsers and websites using https make it impossible for those wifi networks to send you to a login or payment page. Basically, those networks can't tap into your connection just like attackers can't. Modern browsers are so good that they can remember when a website supports encryption and even if you type in the website name, they'll use https.
And if the network never redirects you to this page, well as you can see, you're not missing much.
HTTPS is now free, easy and increasingly ubiquitous. It's also now required if you don't want Google Chrome flagging the site as "Not secure". Yet still, many of the world's largest websites continue to serve content over unencrypted connections, putting users at risk even when no sensitive data is involved.
For the past several years, we’ve moved toward a more secure web by strongly advocating that sites adopt HTTPS encryption. And within the last year, we’ve also helped users understand that HTTP sites are not secure by gradually marking a larger subset of HTTP pages as “not secure”. Beginning in July 2018 with the release of Chrome 68, Chrome will mark all HTTP sites as “not secure”.
As it turns out, the problem is that Dovecot—which handles IMAP duties on the server—doesn’t notice when the certificate has been updated on disk; it will cheerfully keep using an in-memory cached copy of whatever certificate was present when the service started until time immemorial.
I created a new root cron job to restart Dovecot once every Sunday at midnight:
# m h dom mon dow command
0 0 * * Sun /etc/init.d/dovecot restart
Since Certbot renews any certificate with 30 days or less until expiration, and the Sunday restart will pick up new certificates within 7 days of their deployment, we should be fine with this simple brute-force approach.