social.uhoreg.ca

Let's Encrypt errata

technical, work, security
10:06 -0400

Back in February, I posted about Automatic Let's Encrypt certificates on nginx. One of the scripts had a problem in that it downloaded the Let's Encrypt X1 intermediate certificate. Let's Encrypt recently switched to using their X3 intermediate, which means that Firefox was unable to reach sites using the generated certificates, and Chrome/IE/Safari needed to make an extra download to verify the certificate.

Of course, instead of just changing the script to download the X3 certificate, it's best to automatically download the right certificate. So I whipped up a quick Python script, cert-chain-resolver-py (inspired by the Go version), that checks a certificate and downloads the other certificates in the chain.

I've updated my original blog post. The changed script is /usr/local/sbin/letsencrypt-renew, and of course you'll need to install cert-chain-resolver-py (the script expects it to be in /opt/cert-chain-resolver-py).
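
As an added illustration (not the code of cert-chain-resolver-py or of the Go tool), this Python sketch shows one way a script can find the rest of a chain: read the CA Issuers URL from each certificate's Authority Information Access (AIA) extension, fetch the issuer, and repeat until no URL is left. That this is the mechanism in use is an assumption; the sample certificates are constructed certificate-shaped DER, and the URLs, the fetch callback and all function names are hypothetical.

```python
AIA = bytes.fromhex("2b06010505070101")         # OID 1.3.6.1.5.5.7.1.1 (authorityInfoAccess)
CA_ISSUERS = bytes.fromhex("2b06010505073002")  # OID 1.3.6.1.5.5.7.48.2 (caIssuers)

def tlv(tag, body):  # DER encoder for the constructed samples below (short lengths only)
    return bytes([tag, len(body)]) + body

def walk(der, i=0):  # yield (tag, body) for each DER element at this nesting level
    while i < len(der):
        tag, n, i = der[i], der[i + 1], i + 2
        if n & 0x80:                            # long-form length
            n, i = int.from_bytes(der[i:i + (n & 0x7F)], "big"), i + (n & 0x7F)
        yield tag, der[i:i + n]
        i += n

def ca_issuers_url(der):
    """Return the caIssuers URI from the AIA extension inside `der`, or None."""
    for tag, body in walk(der):
        kids = list(walk(body)) if tag & 0x20 else []   # only constructed elements nest
        if kids and kids[0] == (0x06, AIA):     # Extension { extnID, extnValue }
            (_, descs), = walk(kids[-1][1])     # extnValue wraps SEQUENCE OF AccessDescription
            for _, desc in walk(descs):
                (_, method), (loc_tag, loc) = walk(desc)
                if method == CA_ISSUERS and loc_tag == 0x86:  # [6] = URI
                    return loc.decode("ascii")
        elif kids and (url := ca_issuers_url(body)):
            return url

def resolve_chain(leaf, fetch, max_len=8):
    """Return [leaf, issuer, ...], following caIssuers URLs with fetch(url) -> DER bytes."""
    chain, seen = [leaf], set()
    while len(chain) < max_len:                 # bound the walk
        url = ca_issuers_url(chain[-1])
        if not url or url in seen or not url.startswith(("http://", "https://")):
            break                               # no issuer URL, a loop, or an odd scheme
        seen.add(url)
        chain.append(fetch(url))
    return chain

def sample_cert(name, issuer_url=None):  # certificate-shaped DER, not a valid signed cert
    tbs = tlv(0x0C, name.encode())
    if issuer_url:
        desc = tlv(0x30, tlv(0x06, CA_ISSUERS) + tlv(0x86, issuer_url.encode()))
        tbs += tlv(0xA3, tlv(0x30, tlv(0x30, tlv(0x06, AIA) + tlv(0x04, tlv(0x30, desc)))))
    return tlv(0x30, tlv(0x30, tbs))

# Constructed samples; the URLs are hypothetical and the dict stands in for HTTP GETs.
ROOT, MID = sample_cert("root"), sample_cert("intermediate", "http://ca.example/root.der")
LEAF = sample_cert("leaf", "http://ca.example/mid.der")
STORE = {"http://ca.example/mid.der": MID, "http://ca.example/root.der": ROOT}
CHAIN = resolve_chain(LEAF, STORE.__getitem__)
```

Anything fetched this way is untrusted input: the resulting chain should still be verified against a trust store before it is written into the file the web server serves.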


Antagonistic Co-operation


April 4, 2016

technical
10:57 -0400
Hubert Chathi: With @cloudflare.com blocking @torproject.org users, I've disabled CloudFlare on most of my sites