Distrusting StartCom Certificates #98
Chrome M57 just started rolling out to the stable channel. This breaks our Hub certificate for both the Hub and Firefly (which uses the Hub API).
Henry Lim reported this via Twitter: https://twitter.com/henrylim96/status/842752355477078018?cn=cmVwbHk%3D&refsrc=email
We just got the StartSSL certificate on September 9th as part of #91 and it's already useless :(
I think that I'm just going to take @aleborba up on his offer and get a valid, paid, wildcard cert for gdgx.io from GoDaddy.com. A wildcard is $300 per year, but the proper level of security that we should have is actually the $400 per year level. Ugh. Not cheap. The other option is separate certificates for hub.gdgx.io and api.gdgx.io for $70 per year and more hassle if we want to add chat.gdgx.io or www.gdgx.io again. Unfortunately Let's Encrypt is not yet well supported in GCP (work in progress).
I saw GAE's issue for Let's Encrypt being assigned to someone today, though it might be a while before that is out even in beta. Why not host on GCE until then? I would have suggested k8s, but using a cluster would be too much as of now.
You are suggesting that we continue to host on GCE now so that we can use Let's Encrypt? That would require manually refreshing the certificate every 15-30 days, which isn't possible due to my availability being very low at the moment.
Haha, should have looked at the issues queue earlier. If it's on GCE, I can set up a Let's Encrypt cert there. Let's take this to Hangouts and discuss it there.
If we can generate the cert there and then use it on App Engine, then that would buy us 30 days. But I really want to get the Hub off of GCE ASAP due to a number of reasons related to higher maintenance time/cost.
Hmm.. I am taking a look into the project and will try to streamline any such issue. If you could add me to the project (on Google Cloud), I can start on it right now.
Set up CloudFlare for a temporary solution, but it's not working so far... Hub is offline due to DNS.
CloudFlare doesn't seem to work well with the way that GCP and Google Domains do things. It broke a ton of stuff and didn't provide any value at all. I've paused it and moved the Google Domains DNS back to Google Nameservers.
GlobalSign never did get back to me after weeks of asking and them promising me that they would send over the free cert for open source. Since I haven't heard back from Ale, I just requested a free cert from GoDaddy for open source again. Hopefully they are more responsive. Last time their cert worked great for a year.
@Splaktar I can set up Let's Encrypt faster than that.
@VikramTiwari @Splaktar +1 Let's Encrypt
Hub is up on HTTPS with a Let's Encrypt cert! Yay! :) It will also auto-update the certs before they get invalidated, but if it encounters any errors, we will debug it then. @Splaktar Closing. Reopen if there's anything else we should be addressing.
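The two things this thread ends up depending on, a trusted issuer and a renewal that actually happens before expiry, are cheap to check from cron. The script below is an added example, not code from gdg-x/hub or from the branch linked later in the thread. It assumes only that the openssl CLI is on PATH; the distrust list (StartCom and WoSign, the CAs Chrome M57 dropped), the 30-day renewal window, the host name hub.example.test and all file names are assumptions chosen for the example, and the certificates it checks are self-signed fixtures it generates itself so it runs offline.

```shell
#!/bin/sh
# check_cert.sh (added example, not gdg-x/hub code): flag a PEM certificate
# whose issuer is on a distrust list, or whose expiry falls inside the renewal
# window. Assumes the openssl CLI is on PATH; names and paths are made up.

# Issuer substrings to reject. Chrome M57 stopped trusting StartCom and WoSign.
DISTRUSTED_ISSUERS="StartCom WoSign"

# Print the issuer DN of a PEM certificate file.
cert_issuer() {
    openssl x509 -in "$1" -noout -issuer
}

# Return 0 if the issuer matches none of DISTRUSTED_ISSUERS, 1 otherwise.
issuer_is_trusted() {
    issuer=$(cert_issuer "$1")
    for ca in $DISTRUSTED_ISSUERS; do
        case "$issuer" in
            *"$ca"*) echo "distrusted issuer: $issuer"; return 1 ;;
        esac
    done
    return 0
}

# Return 0 if the certificate is still valid $2 days from now, 1 otherwise.
# -checkend does the date arithmetic inside openssl, which sidesteps the
# GNU/BSD `date` differences you hit when parsing notAfter by hand.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Combined check. Exit status: 0 = fine, 1 = renewal overdue, 2 = distrusted issuer.
check_cert() {
    issuer_is_trusted "$1" || return 2
    valid_for_days "$1" "$2" || return 1
    return 0
}

# Constructed fixtures so the script runs offline: self-signed certificates
# whose subject (and therefore issuer) carries the organisation name in question.
make_test_cert() {
    # $1 = output path, $2 = organisation, $3 = validity in days
    openssl req -x509 -newkey rsa:2048 -nodes -days "$3" \
        -subj "/O=$2/CN=hub.example.test" \
        -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

build_fixtures() {
    FIXTURE_DIR=$(mktemp -d)
    STARTCOM_CERT="$FIXTURE_DIR/startcom.pem"        # long-lived but distrusted
    LE_EXPIRING_CERT="$FIXTURE_DIR/le-expiring.pem"  # trusted, renewal overdue
    LE_FRESH_CERT="$FIXTURE_DIR/le-fresh.pem"        # trusted, freshly renewed
    make_test_cert "$STARTCOM_CERT" "StartCom Ltd." 365
    make_test_cert "$LE_EXPIRING_CERT" "Let's Encrypt" 10
    make_test_cert "$LE_FRESH_CERT" "Let's Encrypt" 90
}

# Demo: with a 30-day renewal window the three fixtures give status 2, 1 and 0.
build_fixtures
for cert in "$STARTCOM_CERT" "$LE_EXPIRING_CERT" "$LE_FRESH_CERT"; do
    rc=0
    check_cert "$cert" 30 || rc=$?
    echo "$cert -> status $rc"
done
```

To run this against the live host rather than a file on disk, capture what the server actually serves (`openssl s_client -connect hub.gdgx.io:443 -servername hub.gdgx.io </dev/null 2>/dev/null | openssl x509 > live.pem`) and pass that to `check_cert`. Checking the served certificate rather than the renewed file catches the common failure where the renewal job succeeds but the web server never reloads the new certificate, which is exactly the "we will debug it then" case above.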
DNS has been updated to point directly to the single GDG-X Hub GCE instance.
@VikramTiwari Thanks! I see the cert in action now. Can you please add some documentation to this issue about how you set up Let's Encrypt? I.e. if someone else had to set it up again on a new VM, do you have the steps for doing that handy?
@Splaktar Sure! It's already on a different branch (feature/vikram/cleanup). If you want, I can fork from current develop or master and update. Ref: https://github.com/gdg-x/hub/tree/feature/vikram/cleanup/backend/docs
@VikramTiwari Great! Fork from
The certificate for the hub has been issued by StartCom. It is still valid and it works fine, but we might have to change soon: Distrusting WoSign and StartCom Certificates