Let's Encrypt: The Fully Transparent & Free Non-Profit Certificate Authority

  • Published: 28 Nov 2024

Comments • 83

  • @mt_kegan512
    @mt_kegan512 4 years ago +8

    Shedding light upon this service is almost as awesome as the service itself. Thank you Tom, the internet thanks you!

  • @ImARichard
    @ImARichard 4 years ago +8

    letsencrypt is the best. My website uses Traefik reverse proxy with automagic LetsEncrypt integration using DNS challenge. Once it's set up, I don't have to think about anything. It just works.

  • @philporada5655
    @philporada5655 4 years ago +16

    If you don't like your Let's Encrypt certificate, I'll personally triple your money back.

    • @woswasdenni1914
      @woswasdenni1914 4 years ago +1

      Alright, I'll send you an invoice with my work time about dealing with constant changes of the certbot and wonky integration into enterprise systems.
      And let's not forget those million or so revoked certs and the implicated damage caused by Let's Encrypt's fault... just saying, for that budget that client is wonkers.

    • @philporada5655
      @philporada5655 4 years ago +2

      @@woswasdenni1914 All clients are produced by the community and the primary developers of certbot are funded by the EFF. If you take issue with certbot you are more than welcome to use any of the other clients or implement your own better one that is not as you say, "wonkers". There is a nuance to the revocation issue that I believe you are missing bugzilla.mozilla.org/show_bug.cgi?id=1619179.

  • @lawrencedoliveiro9104
    @lawrencedoliveiro9104 4 years ago

    One difference worth mentioning is the info that is in the TLS cert. When you go through a conventional CA, they verify your identity (e.g. company name), and that info is shown in the cert when a user asks for details from the browser. Since Let’s Encrypt does not validate this information (or even ask for it), it can show nothing in the cert apart from your domain name. So all one of their certs is actually certifying is that the site you are connecting to is the actual owner of the domain name, nothing more or less.

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 4 years ago +3

      Yes, they only do domain validation or DV certs, not EV or extended validation certs.

    • @danbrown586
      @danbrown586 4 years ago +1

      When you get a DV cert through a "conventional CA", it contains exactly the same information as a DV cert from Let's Encrypt. Only if you pay the extra expense for an OV or EV cert (which Let's Encrypt doesn't issue) does the cert have any additional information.

    • @frankyvee1
      @frankyvee1 1 year ago

      He did mention this.

  • @kenrq63
    @kenrq63 4 years ago +3

    Tom, it is my understanding that the EV was originally brought in also to allow the browser address bar to change to a green background when it was on a site that had a valid EV certificate - a visual indicator to the web-site customer that it was good and not a dodgy site. The financial institution I work for spends quite a bit of time & effort assisting our customers in matters of internet security and the fact that the browser manufacturers are now moving away from highlighting an EV certificate is annoying.

    • @briancarnell
      @briancarnell 4 years ago

      EV certs are dead. The minimal advantages that EV certs have are outweighed by their disadvantages.
      Google did a study suggesting that positive indications of security (such as the green EV bar) were largely ignored by users. storage.googleapis.com/pub-tools-public-publication-data/pdf/400599205ab5a1c9efa03e2a7c127eb8200bf288.pdf
      There are also a bunch of other issues with EV which Troy Hunt outlined here - www.troyhunt.com/extended-validation-certificates-are-dead/
      Seems like a good idea in theory that didn't quite work out in day-to-day practice.

    • @Alan.livingston
      @Alan.livingston 4 years ago

      Ken RQ Heard a bit of discussion about this of late and it seems that research is indicating that they are broadly ineffective. I can see how it would make a helpdesk person's life a little easier though.

    • @lawrencedoliveiro9104
      @lawrencedoliveiro9104 4 years ago

      What exactly was supposed to be “dodgy” about regular SSL/TLS certs?

    • @kenrq63
      @kenrq63 4 years ago

      @@lawrencedoliveiro9104 There was a time past before EV was a thing where people would create websites and get certificates from CAs that were not doing proper due diligence regarding ownership. The extra rigour around the EV process was supposed to mostly eliminate them.

    • @lawrencedoliveiro9104
      @lawrencedoliveiro9104 4 years ago

      @@kenrq63 But it’s still those same CAs issuing the certs. What “extra” diligence were they doing that they weren’t doing before?

  • @ryangrange938
    @ryangrange938 4 years ago +11

    Love LetsEncrypt, all of my servers run their certs

  • @Bluelight82
    @Bluelight82 2 years ago

    I'm wondering.. Is it acceptable to ask you for a detailed tutorial on how to install and secure a webserver (Apache) on Linux, and also in another video how to set up Let's Encrypt with reliable and automatic cert renewal?

  • @lawrencedoliveiro9104
    @lawrencedoliveiro9104 4 years ago

    4:56 One problem that I’m not sure has been solved is that any CA can issue a cert for any domain. Thus, one dodgy CA can undermine the whole system by issuing bogus certs for sites that everybody uses.

    • @philporada5655
      @philporada5655 4 years ago +1

      A domain administrator can lock which CAs are allowed to issue for a domain via a CAA record. All CAs are required to check and abide by CAA records.

    • @lawrencedoliveiro9104
      @lawrencedoliveiro9104 4 years ago

      @@philporada5655 How do you validate CAA records?

    • @philporada5655
      @philporada5655 4 years ago +1

      @@lawrencedoliveiro9104 This particular Boulder CA code handles CAA checking github.com/letsencrypt/boulder/blob/master/va/caa.go
      For a typical user you can run `dig CAA example.com`
      RFC 8659 has more technical information to check out. tools.ietf.org/html/rfc8659
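
As an added example (not code from the video, this thread, or Boulder's caa.go), here is the RFC 8659 evaluation the reply above refers to: climb the DNS tree to the first CAA RRset, then apply the issue/issuewild rules, so a domain owner can check offline what a CA would conclude from the records `dig CAA` returns. The ZONE data is constructed.

```python
"""Offline check of a CAA policy following the RFC 8659 rules.

Added example; it is not code from the video, this thread, or Boulder.
A domain owner can use it to confirm that the CAA records they
published (compare with `dig CAA <name>`) permit only the intended CA.
The ZONE data below is constructed for illustration.
"""

# Constructed CAA RRsets keyed by DNS name; each record is (tag, value).
ZONE = {
    "example.com": [("issue", "letsencrypt.org"),
                    ("iodef", "mailto:security@example.com")],
    "shop.example.com": [("issue", "letsencrypt.org"), ("issue", "digicert.com")],
    "api.example.com": [("issue", "letsencrypt.org"), ("issuewild", ";")],
    "locked.example.com": [("issue", ";")],
    "notes.example.com": [("iodef", "mailto:security@example.com")],
}


def relevant_caa(name, zone=ZONE):
    """RFC 8659 s.3: the relevant RRset is the first non-empty CAA RRset
    found at the name itself or, climbing label by label, at a parent."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def parse_issuer(value):
    """Return the issuer-domain-name from an issue/issuewild value.
    Parameters after ';' (e.g. accounturi from RFC 8657) are not
    evaluated here; an empty issuer (value ";") permits no CA at all."""
    return value.split(";", 1)[0].strip().lower()


def issuance_allowed(name, ca_domain, wildcard=False, zone=ZONE):
    """True if a CA identified by `ca_domain` may issue for `name`.
    Pass "*.example.com" or wildcard=True for a wildcard certificate."""
    if name.startswith("*."):
        name, wildcard = name[2:], True
    records = relevant_caa(name, zone)
    if not records:
        return True  # no CAA anywhere up the tree: issuance unrestricted
    props = []
    if wildcard:  # s.4.3: issuewild, when present, governs wildcard names
        props = [v for t, v in records if t == "issuewild"]
    if not props:  # otherwise (or for non-wildcard names) issue governs
        props = [v for t, v in records if t == "issue"]
    if not props:  # CAA present but only e.g. iodef: not a restriction
        return True
    return ca_domain.lower() in {parse_issuer(v) for v in props}
```

Note that a record at a subdomain replaces, rather than merges with, the parent's policy, which is why `notes.example.com` (iodef only) ends up unrestricted even though `example.com` names a single CA.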

  • @Capn_crunch69
    @Capn_crunch69 1 year ago +1

    Thank you for giving me a better understanding of this

  • @leonardopinheiro6693
    @leonardopinheiro6693 4 years ago

    Lawrence,
    Today, before I watched your video, I uninstalled the ACME and the HAProxy packages from my pfSense. For days, I have tried to make them work.
    HAProxy worked very well forwarding HTTP traffic, but I could not make it forward the HTTPS traffic (even without SSL Termination and new encryption) to the backend server. It was very, very buggy.
    The ACME package worked flawlessly using a STAGING key. But did not work at all with the production key. "Authorization must be pending" appeared in the logs among other things.
    - Could you please make a complete video? I mean creating a staging key and then a final production key?
    - Could you show the creation of the staging certificate and then the creation of the final production one?
    - Could you show SSL offloading and new encryption to the backend server?
    - Could you show a complete Frontend (I tried with two) with the Lua script for Webroot local folder validation and forwarding all HTTP traffic to HTTPS? This way, only port 443 would be open on the backend server.
    - Could you show verification (CRL) of the backend server certificate really working?
    After days, my conclusion is that both packages (HAProxy and ACME) are not in production stage. At least not in this version of pfSense.
    PS: I watched the official Netgate videos about both of them, and watched an entire online course on HAProxy.

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 4 years ago

      I am not sure what you did wrong as they are used by a lot of companies in production. It's a great setup.

    • @leonardopinheiro6693
      @leonardopinheiro6693 4 years ago

      @@LAWRENCESYSTEMS I am aware, for example, that HAProxy is a well known tool used by many. What I meant is that those packages in pfSense are not working properly.
      But, please, by all means show in your videos how it is done the right way.
      If you could show in your videos the answers to my questions, I would be thankful.

  • @justinbrash7626
    @justinbrash7626 4 years ago +1

    Great video, thanks. I had heard of Let's Encrypt before but didn't look into it until I saw your video. I self host a couple of webapps from my home server and have now replaced my GoDaddy cert with a Let's Encrypt cert. Was super easy to set up and free. No brainer.

  • @gusevening4910
    @gusevening4910 4 years ago

    Many ISPs block port 80 for residential connections. So if that's the case, you won't be able to use Let's Encrypt.

  • @berndeckenfels
    @berndeckenfels 4 years ago

    I would not call a DV CA which has not used multiple perspectives for a long time "absolutely secure", it's more minimum acceptable security. If you control the clients it's good to add some extra protection like certificate pinning and monitor the CT logs closely as the CAA record seems not to be honored in terms of Let's Encrypt accounts. (Issuer Account Tag)

  • @MichaelNazzario
    @MichaelNazzario 4 years ago +1

    What do you use for an internal PKI environment? Offline root CA, HSM? Any recommendations for a homelab/small business?

  • @mikeoreilly4020
    @mikeoreilly4020 3 years ago

    I watch so many of your videos if they're not completely over my head. It just amazes me how fast your mind and your mouth work in concert. I have to wonder just how your employees can keep up with you once you get going. LOL. Sometimes, when I really want to get something, I'll set the speed to 75% so I can get it all. That's pretty funny too, because it makes you sound like you've had a 3 martini lunch.

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 3 years ago

      I do talk faster in person and much faster in my head.

  • @DestructiveBurn
    @DestructiveBurn 4 years ago

    6:05 Unless it's Godaddy, they charge an arm and a leg and everything in your pocket to give you SSL. I get mine from Cloudflare.

  • @berndeckenfels
    @berndeckenfels 4 years ago +1

    Even worse than "lots of sniffing" were Internet and mobile providers who injected tracking cookies and scripts or advertising. You really do your users a service if you offer only HTTPS, even on public and non-sensitive sites. (Not to mention you get Google SEO karma)

  • @ygtntxrf
    @ygtntxrf 4 years ago +1

    Big thanks to Lawrence and hello from Moscow '-)

  • @andljoy
    @andljoy 4 years ago +1

    Use it on unifi controller and unifi video. Going to set it up on 3CX soon (it's used by default for non-custom domains). No reason to not use HTTPS nowadays. It should be the default. Honestly, should just phase out non-HTTPS.

  • @andersgjerlw9636
    @andersgjerlw9636 4 years ago +2

    Would LetsEncrypt be something I could use at home when learning about AD CA on Server 2016?
    Or is this just for Linux?

    • @RK-ly5qj
      @RK-ly5qj 4 years ago

      Nope. They don't provide CAs.

    • @kjeldschouten-lebbing6260
      @kjeldschouten-lebbing6260 4 years ago +1

      I personally run a CA on my router (OPNSense)...
      (well, the CA is on multiple encrypted storage media, offline somewhere I'm not going to discuss.... the Intermediate CA is on the router ;) )
      I have 3 groups of certificate-using services:
      - User facing but local -> Letsencrypt directly
      - User facing but with internet access -> Router maintains the Letsencrypt certificate and reverse proxy, Between Router and Service Local Certificates get used
      - Non-user facing -> Uses local certificates only.

  • @DanCalloway
    @DanCalloway 4 years ago +1

    Super coverage on this. I will be looking into Let's Encrypt since I just purchased a domain for my LAN.

    • @woswasdenni1914
      @woswasdenni1914 4 years ago

      Well, your signing server needs to be reachable from the public, also its domain name.
      For LANs it's better to run your own cert authority. On a Windows network you can automatically establish trust to your own organisation via Active Directory and roll out all certs via policies. Public certs are only needed for 3rd party trust.

  • @lawrencedoliveiro9104
    @lawrencedoliveiro9104 4 years ago

    8:12 Certs are not normally tied to IP addresses. Not sure if Let’s Encrypt even allows that.

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 4 years ago

      Yes, SSL is tied to the domain name, not the public IP address. My point was that if you make changes to your system, it is easy to re-issue certs.

  • @SyberPrepper
    @SyberPrepper 4 years ago +1

    This clears up a lot. Thanks Tom!

  • @AvengeTheTECH
    @AvengeTheTECH 4 years ago

    I'm trying to find out how to extend beyond 10 SSL certificates. First 10 are free but beyond that I'm at a loss. I don't mind paying for that luxury. Any ideas??

    • @philporada5655
      @philporada5655 4 years ago

      Please explain what you mean by the first 10 certificates are free. All of our certificates have been and will continue to always be free. Are you perhaps conflating this with the rate limits? letsencrypt.org/docs/rate-limits/

  • @jeffherdzina6716
    @jeffherdzina6716 4 years ago

    Could you use this to replace Cisco ASA or routers' expired certs? Or would you?

    • @lawrencedoliveiro9104
      @lawrencedoliveiro9104 4 years ago +1

      Why do they have certs?

    • @philporada5655
      @philporada5655 4 years ago +2

      I would try to limit the exposure of the Cisco ASA/router login page to a set of known IP addresses. That being said, I see nothing wrong with regenerating a self-signed cert on those devices for the login page.

  • @AndrewJamison79
    @AndrewJamison79 4 years ago

    Only issue I have had is when my certs expire through my hosting provider they do not seem to auto-renew, at least not that I can see. Not sure why.

    • @philporada5655
      @philporada5655 4 years ago

      Who is your hosting provider? Come on over to our community forum at community.letsencrypt.org and we'll help you get sorted out.

  • @смайликдракон
    @смайликдракон 4 years ago

    Thank you Tom, how to get a certificate for FreeNAS? Can you release the next videos on this subject?

    • @danbrown586
      @danbrown586 4 years ago

      The best way I know to get a cert for FreeNAS is the guide I posted here: forum.freenas-community.org/t/lets-encrypt-with-freenas-11-1-and-later/28 It's been working well for me for a couple of years. FreeNAS 11.3 has added support for DNS validation to obtain and renew the certs automatically, but only with Route53 DNS--hopefully they'll be adding compatibility with more providers in the near future.

  • @catdog12387
    @catdog12387 3 years ago

    Thanks for the great video Tom! I understand Google tends to keep their 'secret sauce'... well, secret... but do you have a sense of if/how having an EV or OV certificate might help with your Google Search results on a small e-commerce* site? *the site doesn't process transactions itself

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 3 years ago +2

      Nope, I don't know of any weight having those certs adds to your SEO position.

  • @HeliBrent
    @HeliBrent 4 years ago +1

    Great topic and content, thanks Tom!

  • @philipbrindle867
    @philipbrindle867 4 years ago +1

    Very informative video, thanks so much...

  • @Vikingza
    @Vikingza 4 years ago

    Could you please do a video showing how you would enable LetsEncrypt on a Unifi Cloud key with a dyndns FQDN. Thank you

  • @mondskiez309
    @mondskiez309 4 years ago +1

    Woohoo.. my 2 pihole servers, unifi controller and wordpress sites are all domain validated by letsencrypt.. works like clockwork..

    • @woswasdenni1914
      @woswasdenni1914 4 years ago

      Only works where the software offers you a direct integration into letsencrypt, like Plesk does.
      If you wanna or need to run on a regular webserver or a software that only indirectly supports it, like Zimbra, you're in a world of pain.

  • @andymok7945
    @andymok7945 4 years ago +1

    Hi Tom. Looking forward to the upcoming videos. Would love to have certs for my home network setup. Many thanks.

    • @denzilhoff6026
      @denzilhoff6026 4 years ago +1

      Smallstep (smallstep.com/) provides an open-source ACME protocol server amongst all its other features. It allows you to stand up the same infrastructure as shown here within your local network.

    • @denzilhoff6026
      @denzilhoff6026 4 years ago

      Alternatively, there is plenty of information available documenting how to use pfSense to get legitimate Let's Encrypt certificates for your internal devices in an automated way.

    • @andymok7945
      @andymok7945 4 years ago

      @@Q-BertASU98 Thanks, will look into it. Later on I might want to get access from public network.

    • @andymok7945
      @andymok7945 4 years ago

      @@denzilhoff6026 Thanks.

  • @KebraderaPumper
    @KebraderaPumper 4 years ago

    Lawrence, is FreeNAS good at acting like a CA?

  • @tbkalldayok
    @tbkalldayok 4 years ago +1

    Good stuff.

  • @RolZuela
    @RolZuela 4 years ago

    This made me think... is there an open source/free 2FA solution?

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 4 years ago

      Yes, TOTP is an open standard ruclips.net/video/jxxtVzVLm3c/видео.html

  • @wanTANdan
    @wanTANdan 2 years ago

    sea doggo 🐿️🤣

  • @mirceaprodanduke2007
    @mirceaprodanduke2007 1 year ago

    A piece of crap. It destroyed my website..

  • @RK-ly5qj
    @RK-ly5qj 4 years ago +1

    I'm curious if I could get an SSL cert for my DDNS name like something.ddns.net

    • @daniel_2
      @daniel_2 4 years ago

      Why not?

    • @yfs9035
      @yfs9035 4 years ago

      @@daniel_2 Because your DDNS could be found in an online registry

  • @miamimercenary
    @miamimercenary 4 years ago +1

    Hate to burst your bubble, but the government sees your traffic from the core before the ISP.

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 4 years ago +6

      No worries, your vague statement didn't change my understanding of how technology works. ;)

    • @Alan.livingston
      @Alan.livingston 4 years ago +2

      But they hacked THE CORE, man. BGP is just a protocol that tells your packets how to get to THE CORE. The internet is like an Apple because apples have THE CORE too...... ALIENS!