undefined | Better HN

0 pointschungy6y ago0 comments

Instructions are here: https://certbot.eff.org/

I don't know how it could possibly be any simpler.

0 comments

It is simple for a one-server website. When you're on Alexa 1M, you certainly have a load balancer, multiple servers for redundancy, etc. It makes things not straightforward, and you certainly don't want to use the default certbot which overwrites your config.

MrStonedOne6y ago

I am on alexa 1m (50k even). I do not have a load balancer, I do not have multiple servers for redundancy. This isn't even a static site, most of our page views are the wiki, the server running all of this has 8 cores and 4 are constantly maxxed out by a non-website related process.

Most websites now and days are over engineered.

owl576y ago

Checked my old site's rank. ~250000. One VPS, €4/month. Mostly static, but a decent part is served with a not so light Perl CGI script (!). I'm sure I wouldn't get away with that in top 1k websites, but 1m?

uasm6y ago

> "I am on alexa 1m (50k even). I do not have a load balancer, I do not have multiple servers for redundancy. This isn't even a static site, most of our page views are the wiki, the server running all of this has 8 cores and 4 are constantly maxxed out by a non-website related process.

Most websites now and days are over engineered."

That's awesome! Mind sharing some more details? (hosting plan/CDN/etc). Or even the URL?

1 more reply

adrianN6y ago

When you're in that league you probably have expensive people who can deal with the additional complexity.

Spivak6y ago

I mean the next more complicated case isn't that bad either. You set up a sidecar VM/container/machine/whatever-you-want that either instruments your DNS or gets the traffic from .well-known/acme-challenge and just renews your certs every day.

Then your load balancers pull the current cert from the sidecar every day with NFS/Gluster/Ceph/HTTP/whatver-you-want and reload the web server if it changed.

Assuming that you can catch a failure of your sidecar server in 89 days or so you don't need much more redundancy.

kuschku6y ago

That's why you set custom NS records for _acme-challenge.domain.tld to your own NS servers and use the DNS challenge to get your certs.

certera6y ago

Shameless plug for Certera for these more complex scenarios: https://docs.certera.io

I found that the certs behind a load balancer were enough of a problem that a solution was needed.

ytch6y ago

IMHO it is easier to setup SSL on LB. you don't need to setup them one by one, all servers (HTTP, SMTP, POP, IMAP and others) protected by the same SSL certificate, cipher suite with a SSL-terminated LB. Also many LBs support auto-renewal.

onion-soup6y ago

While I appreciate the efforts of certbot to make it as user-friendly as possible I still find this state of things unforgivable. I don't know where it went wrong so that today a developer must spend time learning and tweaking a low-level encryption tools. I'm just saying https will never be 100% unless it becomes a baked-in feature of any hosting.

thenewnewguy6y ago

Developers don't need to, unless they're the ones hosting your website. In which case, yes, I expect them to be able to configure web hosting software.

hrktb6y ago

This is sadly not the case yet in many not so edge cases.

For instance Heroku still doesn't provide straightforward support for wildcard domains under SSL: https://devcenter.heroku.com/articles/understanding-ssl-on-h...

There is myriad of other cases, basically every time you diverge a bit from the 80% path, you're in for a treat and will deal with all the intricacies of SSL management.

regecks6y ago

Certbot, and most other standalone ACME clients, are just stop-gaps.

The end game is first-party support for automatic HTTPS in all web (and other) servers. It is happening (e.g. mod_md), it's just going to take time. For example, to get it packaged for all distributions.

For shared hosting, if you ignore the few providers at the top who are either CAs (e.g. GoDaddy) or are in contracts with CAs (e.g. Namecheap), the overwhelming majority of them are already providing free and automatic SSL for all hosted domains.

majewsky6y ago

> The end game is first-party support for automatic HTTPS in all web (and other) servers.

There's still a need for certbot et al when you have multiple services (e.g. web and mail and XMPP) running on a single domain name. In fact, I actively avoid servers that insist on doing ACME themselves because it breaks my unified ACME process.

kbr20006y ago

A management fad called dev-ops is what went wrong, before you could count on your sysadmin to take care of that :) Apart from that, not everything always makes sense to use in production without a good level of understanding --- and might otherwise lead to, for example, a false sense of security.

cm21876y ago

Starting with baking ACMEv2 in the major webservers (apache, IIS, etc).

Jaruzel6y ago

If Microsoft baked in Auto-cert-install in to IIS that allowed you to cherry pick a provider, and/or just select their own free CA, that'd really solve the problem for Windows based web servers. In my experience CertBot/ACME type renewal doesn't work reliably for Windows/IIS.

AnIdiotOnTheNet6y ago

What is the value in HTTPS being 100%? That seems silly to me. Many many things do not have any need for encryption.

tialaramex6y ago

Most things would benefit from encryption. Even if you don't need integrity protection, and you don't have any need of privacy, and you don't care about authenticating your peers you still want encryption because otherwise middleboxes ossify everything.

If the middlebox can't see inside your flow because it's encrypted it can't object to whatever new thing it's scared of this time whether that's HD video or a new HTML tag.

1 more reply

jbverschoor6y ago

It’s for ops. Not dev

maple31426y ago

Maybe not everyone host website on a platform where you can easily install these things.

For example, I have a simple web app hosted on Heroku free plan, and I have to use CloudFlare SSL to get it served over https on my custom domain. But it actually is half encrypted as the connection between CloudFlare and Heroku is plain http.

ridiculous_fish6y ago

Right. Another example is that you cannot use https with subdomains on GitHub Pages.

https://github.community/t5/GitHub-Pages/Does-GitHub-Pages-S...

contravariant6y ago

I'd appreciate it if the instructions explained why they need sudo, rather than explain what sudo is...

j / k navigate · click thread line to collapse

0 comments

elcomet6y ago

MrStonedOne6y ago

Most websites now and days are over engineered.

owl576y ago

uasm6y ago

Most websites now and days are over engineered."

That's awesome! Mind sharing some more details? (hosting plan/CDN/etc). Or even the URL?

1 more reply

adrianN6y ago

When you're in that league you probably have expensive people who can deal with the additional complexity.

Spivak6y ago

Then your load balancers pull the current cert from the sidecar every day with NFS/Gluster/Ceph/HTTP/whatver-you-want and reload the web server if it changed.

Assuming that you can catch a failure of your sidecar server in 89 days or so you don't need much more redundancy.

kuschku6y ago

That's why you set custom NS records for _acme-challenge.domain.tld to your own NS servers and use the DNS challenge to get your certs.

certera6y ago

Shameless plug for Certera for these more complex scenarios: https://docs.certera.io

I found that the certs behind a load balancer were enough of a problem that a solution was needed.

ytch6y ago

onion-soup6y ago

thenewnewguy6y ago

Developers don't need to, unless they're the ones hosting your website. In which case, yes, I expect them to be able to configure web hosting software.

hrktb6y ago

This is sadly not the case yet in many not so edge cases.

For instance Heroku still doesn't provide straightforward support for wildcard domains under SSL: https://devcenter.heroku.com/articles/understanding-ssl-on-h...

There is myriad of other cases, basically every time you diverge a bit from the 80% path, you're in for a treat and will deal with all the intricacies of SSL management.

regecks6y ago

Certbot, and most other standalone ACME clients, are just stop-gaps.

majewsky6y ago

> The end game is first-party support for automatic HTTPS in all web (and other) servers.

kbr20006y ago

cm21876y ago

Starting with baking ACMEv2 in the major webservers (apache, IIS, etc).

Jaruzel6y ago

AnIdiotOnTheNet6y ago

What is the value in HTTPS being 100%? That seems silly to me. Many many things do not have any need for encryption.

tialaramex6y ago

If the middlebox can't see inside your flow because it's encrypted it can't object to whatever new thing it's scared of this time whether that's HD video or a new HTML tag.

1 more reply

jbverschoor6y ago

It’s for ops. Not dev

maple31426y ago

Maybe not everyone host website on a platform where you can easily install these things.

ridiculous_fish6y ago

Right. Another example is that you cannot use https with subdomains on GitHub Pages.

https://github.community/t5/GitHub-Pages/Does-GitHub-Pages-S...

contravariant6y ago

I'd appreciate it if the instructions explained why they need sudo, rather than explain what sudo is...

j / k navigate · click thread line to collapse