Find new TLS certificate vendor #4327
Comments
From Wikipedia:
Good catch, @clone1018. Here is Google's announcement (3+ months ago).
@whit537 One thing to remember, if migration is the solution CloudFlare does offer SSL
Migration is clearly the solution. StartSSL is hosed.
A dedicated SSL certificate on Cloudflare costs $5 a month.
Re: Cloudflare: gratipay/inside.gratipay.com#957.
Also: https://letsencrypt.org/.
I've used LetsEncrypt and it was very nice. I wonder if there's a stigma to using a free SSL provider for a payment website
SNI should be fine from a browser support pov:
I think Let's Encrypt has a good reputation. No?
I think the stigma is "You're a payment provider but you can't even afford a real secure cert?". I personally don't have an issue with it but I've heard that before.
Alright, I think the lowest-hanging fruit here is Let's Encrypt + Heroku SSL. We should probably take the $20/mo we'll save at Heroku and donate it to Let's Encrypt.
Would that help address the "can't even afford" issue, @clone1018?
In my opinion, Let's Encrypt is perfectly fine.
Sooooo ... $10/mo donation?
It's a Python app! :-)
Okay, I guess this is the way:
P.S. We were only a month away from cert expiration anyway.
Doc to revise: http://inside.gratipay.com/howto/install-an-ssl-certificate.
I'm actually not too sad to be removing "Search 'startssl attempted phone call' in my personal Gmail" from our documentation.
https://certbot.eff.org/docs/using.html#renewing-certificates That's gonna be a shift for us.
I guess we should go ahead and drop
I'm putting together a config file that we can store and reuse.
Renew with each payday :D?
@clone1018 Hehe. :-) Or maybe once a month, as part of payday duties?
Sorting through domain verification ... looks like there are a number of options. DNS would be the easiest, but afaict
A clue! certbot/certbot#4153
Actually, I think HTTP validation will be easier month-to-month than DNS validation. It'll be easier for us to update some config vars at Heroku than to modify DNS.
Can we enforce HTTPS though?
And will we get a single token/authorization for each domain (good), or different for each (bad)?
Because if we get a single pair for each domain, then that's fairly straightforward to store in Heroku config. If it's different for each domain then we may even want to put this in a dashboard page.
This looks to me like it's different for each domain:
That's at https://github.com/certbot/certbot/blob/v0.11.1/certbot/plugins/manual.py#L112.
Yeah, they're different. Okay!
And do challenges survive redirects? Because we canonicalize domains before we hit simplates.
I'm trying to hit the place where it seems like the challenge is issued. But I'm not able to yet. If it's a
This is so skunkerific. 😩
It appears that
Okay, I realized that I had to confirm all six domains before
Alright, the way the protocol works appears to be that we never directly hit http://gratipay.com/.well-known/acme-challenge/deadbeef from the client. My hunch is that that only ever happens on the server side, with the result communicated back to the client somehow for error reporting.
Yeah, here it is:
Alright, well, I guess that's enough to go on. The server-side (which I think is open source and written in Go?) appears to follow redirects. 👍
Okay! So let's build an admin capability to set verification token/authorization pairs per domain.
PR in #4331 ... will return here in a bit for the certbot side.
I just accidentally closed Chrome, and that means it updated when I reopened it. I'm now on Chrome 56, but gratipay.com is still green for me.
We also need to account for
Moving to gratipay/inside.gratipay.com#1005 for the certbot side. Leaving this open to drive the deploy.
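As an added illustration of the per-domain token/authorization scheme discussed above (example code written for this page, not Gratipay's own implementation or the PR referenced below): the ACME validator fetches `http://<domain>/.well-known/acme-challenge/<token>` and expects the matching key authorization as plain text. Because certbot's manual plugin hands out a different pair for each domain, the lookup below is keyed by the request's Host header, and the token in the path must equal the one stored for that domain. The `ACME_CHALLENGES` config var name, its JSON layout, and every domain, token and key-authorization value in the sample are assumptions constructed for the example.

```python
import json
import os
import re
from typing import Dict, Optional, Tuple

# Constructed sample of what a Heroku-style config var might hold. The tokens and
# key authorizations are made-up placeholders; real ones are issued by the ACME
# server for each domain at challenge time.
SAMPLE_ACME_CHALLENGES = json.dumps({
    "gratipay.com": {
        "token": "tok-gratipay-EXAMPLE",
        "key_authorization": "tok-gratipay-EXAMPLE.thumbprint-EXAMPLE",
    },
    "www.gratipay.com": {
        "token": "tok-www-EXAMPLE",
        "key_authorization": "tok-www-EXAMPLE.thumbprint-EXAMPLE",
    },
})

# ACME tokens are base64url strings; anything else (e.g. "../") is rejected
# before the table is consulted.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

NOT_FOUND = (404, "Not Found")


def load_challenges(raw: Optional[str]) -> Dict[str, Tuple[str, str]]:
    """Parse the config var into {domain: (token, key_authorization)}.

    Domains are lower-cased so any casing of the Host header matches. A missing
    or empty var yields an empty table, so every challenge request is a 404.
    """
    if not raw:
        return {}
    table: Dict[str, Tuple[str, str]] = {}
    for domain, entry in json.loads(raw).items():
        table[domain.lower()] = (entry["token"], entry["key_authorization"])
    return table


def respond_to_challenge(host: Optional[str], path: str,
                         challenges: Dict[str, Tuple[str, str]]) -> Tuple[int, str]:
    """Return (status, body) for an HTTP-01 validation request.

    The pair is different per domain, so the key authorization is looked up by
    Host and served only when the token in the path is the one stored for that
    same domain. A mismatch (wrong domain, unknown token, malformed token) is a
    plain 404, which makes a config typo visible in the request logs.
    """
    if not path.startswith(CHALLENGE_PREFIX):
        return NOT_FOUND
    token = path[len(CHALLENGE_PREFIX):]
    if not TOKEN_RE.match(token) or not host:
        return NOT_FOUND
    # Drop any :port suffix and normalise case before the lookup.
    domain = host.split(":", 1)[0].lower()
    entry = challenges.get(domain)
    if entry is None:
        return NOT_FOUND
    expected_token, key_authorization = entry
    if token != expected_token:
        return NOT_FOUND
    return 200, key_authorization


def application(environ, start_response):
    """Minimal WSGI entry point wiring the handler to the ACME_CHALLENGES env var."""
    challenges = load_challenges(os.environ.get("ACME_CHALLENGES"))
    status, body = respond_to_challenge(environ.get("HTTP_HOST"),
                                        environ.get("PATH_INFO", ""), challenges)
    reason = "OK" if status == 200 else "Not Found"
    start_response(f"{status} {reason}", [("Content-Type", "text/plain")])
    return [body.encode()]
```

Serving the challenge over plain HTTP on every domain the certificate will cover is all the validator needs; since the thread notes that the ACME server side follows redirects, a canonicalising redirect from `www.gratipay.com` to `gratipay.com` does not have to be bypassed for this path, but each domain still needs its own pair stored.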
Alright, once #4333 is out we should be ready to roll. I think we should go in order of increasing risk:
Actually, let's go with gratipay/inside.gratipay.com#1005 ...
This morning I'm getting an SSL error for Gratipay.com
I'm running Google Chrome Version 57.0.2987.21 beta (64-bit)