Move site away from StartSSL certificate #13

Closed
TPS opened this issue Sep 29, 2016 · 8 comments

@TPS

TPS commented Sep 29, 2016

@galadhremmin In preparation for Mozilla's reported proposed removal of WoSign & StartSSL, I disabled those roots in my browser. When I re-opened Parf Edhellen, it turns out that you use StartSSL!

Maybe you want to migrate to Let's Encrypt or something more reputable?

@galadhremmin
Owner

Hi @TPS! Thank you for informing me about this issue. I just learned about this myself today through the podcast Security Now. I will be looking into changing the certificate next week.

@galadhremmin
Owner

ElfDict's host doesn't seem to support Let's Encrypt. I've sent a message to my host, asking if it's possible to implement this in the future. I can't manually generate certificates for ElfDict as their lifetime is only 90 days.

@TPS
Author

TPS commented Oct 12, 2016

It turns out that you may not have to, because of updates in the last ~48 hours.… I'm sure SG will be covering it soon, but the latest is that StartSSL is reorganizing under different ownership in hopes of saving the brand. Iff the implemented changes are acceptable to the security community (a _HUGE_ iff), they'll invalidate all old certs & reissue new 1s under the new secure architecture. For now, it may be sufficient for you just to drop the cert/HSTS & go HTTP for a little bit, while waiting for a new cert.

@TPS
Author

TPS commented Oct 12, 2016

Also, does something like Netlify work for you?

@galadhremmin
Owner

My host is working with Symantec to implement a similar solution (https://www.symantec.com/theme/encryption-everywhere) but it won't be ready until next year. So in light of this, I've generated a 90-day certificate using Let's Encrypt, and am working on convincing my host to install it for my site. The discussions are still ongoing.

@galadhremmin
Owner

I've fixed it by transitioning to Amazon Lightsail! Thank you for the feedback @TPS!

@TPS
Author

TPS commented Feb 12, 2017

@galadhremmin Fantastic result on SSLTest, too, other than a currently-minor quibble about DNS CAA: No, which you'd hafta take up w/ Lightsail, if you choose.

Congrats!

@galadhremmin
Owner

@TPS I reached out to FSData which still manages my domain names, and their DNS unfortunately does not support this feature yet. I'll see what I can do.
