    Need SSL cert - What's next best?

    • Obsolesce

      Yes, Let's Encrypt is the one to use and the one I normally use for everything, but this is for an appliance we don't have access to in order to automate certificate renewals. So what's next best? Cheap but effective, and not likely to lose trust by major web browsers like some already have.

      • dbeato

        I have been using Namecheap
        https://www.namecheap.com/security/ssl-certificates.aspx

        Or Godaddy at times.

        • marcinozga

          Can you put reverse proxy in front of that appliance and automate certs on proxy?

          • scottalanmiller @marcinozga

            @marcinozga said in Need SSL cert - What's next best?:

            Can you put reverse proxy in front of that appliance and automate certs on proxy?

            That's what we do.

            • scottalanmiller @Obsolesce

              @obsolesce said in Need SSL cert - What's next best?:

              Yes, Let's Encrypt is the one to use and the one I normally use for everything, but this is for an appliance we don't have access to in order to automate certificate renewals.

              Is automation that important?

              • Obsolesce @marcinozga

                @marcinozga said in Need SSL cert - What's next best?:

                Can you put reverse proxy in front of that appliance and automate certs on proxy?

                Hmm, perhaps. I didn't think of that, but there are other services besides https that the proxy would need to pass through to the server then. Is that possible? Users would access the https stuff over web browser, but agents on their computers would be trying to connect to the same server.domain.com over some custom port, let's say 52274 for example.

                • Obsolesce @scottalanmiller

                  @scottalanmiller said in Need SSL cert - What's next best?:

                  @obsolesce said in Need SSL cert - What's next best?:

                  Yes, Let's Encrypt is the one to use and the one I normally use for everything, but this is for an appliance we don't have access to in order to automate certificate renewals.

                  Is automation that important?

                  Yes, unless you want to volunteer to log in to the interface every so often and select the new cert for it to use, setting up something else to do the automation and getting it from there.

                  • Obsolesce @dbeato

                    @dbeato said in Need SSL cert - What's next best?:

                    I have been using Namecheap
                    https://www.namecheap.com/security/ssl-certificates.aspx

                    Or Godaddy at times.

                    What's their root ca?

                    • scottalanmiller @Obsolesce

                      @obsolesce said in Need SSL cert - What's next best?:

                      @scottalanmiller said in Need SSL cert - What's next best?:

                      @obsolesce said in Need SSL cert - What's next best?:

                      Yes, Let's Encrypt is the one to use and the one I normally use for everything, but this is for an appliance we don't have access to in order to automate certificate renewals.

                      Is automation that important?

                      Yes, unless you want to volunteer to log in to the interface every so often and select the new cert for it to use, setting up something else to do the automation and getting it from there.

                      Don't you have to do that with all of them, if you don't automate? But LE is simple and the others are a huge pain. So without automation, I'd say LE is even more important.

                      • scottalanmiller @Obsolesce

                        @obsolesce said in Need SSL cert - What's next best?:

                        @marcinozga said in Need SSL cert - What's next best?:

                        Can you put reverse proxy in front of that appliance and automate certs on proxy?

                        Hmm, perhaps. I didn't think of that, but there are other services besides https that the proxy would need to pass through to the server then.

                        Why would this be needed?

                        • scottalanmiller @Obsolesce

                          @obsolesce said in Need SSL cert - What's next best?:

                          Users would access the https stuff over web browser, but agents on their computers would be trying to connect to the same server.domain.com over some custom port, let's say 52274 for example.

                          Which you'd not point to the proxy. So that's easily fixed by not existing as a problem in the first place 🙂

                          • Obsolesce @scottalanmiller

                            @scottalanmiller said in Need SSL cert - What's next best?:

                            @obsolesce said in Need SSL cert - What's next best?:

                            @scottalanmiller said in Need SSL cert - What's next best?:

                            @obsolesce said in Need SSL cert - What's next best?:

                            Yes, Let's Encrypt is the one to use and the one I normally use for everything, but this is for an appliance we don't have access to in order to automate certificate renewals.

                            Is automation that important?

                            Yes, unless you want to volunteer to log in to the interface every so often and select the new cert for it to use, setting up something else to do the automation and getting it from there.

                            Don't you have to do that with all of them, if you don't automate? But LE is simple and the others are a huge pain. So without automation, I'd say LE is even more important.

                            Yes, once every two years typically. Still annoying, but easier to grab those certs than grabbing them from a separate server into the format you need to import them into the appliance.

                            • dbeato

                              One thing, if you don't want automation but want free SSL you can use ZeroSSL
                              https://zerossl.com/
                              but you need to install it every 90 days since it is LE.

                              • Obsolesce @scottalanmiller

                                @scottalanmiller said in Need SSL cert - What's next best?:

                                @obsolesce said in Need SSL cert - What's next best?:

                                Users would access the https stuff over web browser, but agents on their computers would be trying to connect to the same server.domain.com over some custom port, let's say 52274 for example.

                                Which you'd not point to the proxy. So that's easily fixed by not existing as a problem in the first place 🙂

                                I haven't given it much thought yet, but ya you're right. It's a non issue.

                                appliance.domain.com points to the public IP. Port 443 gets forwarded to the reverse proxy, port 52274 gets forwarded to the appliance.

                                • marcinozga @Obsolesce

                                  @obsolesce said in Need SSL cert - What's next best?:

                                  @marcinozga said in Need SSL cert - What's next best?:

                                  Can you put reverse proxy in front of that appliance and automate certs on proxy?

                                  Hmm, perhaps. I didn't think of that, but there are other services besides https that the proxy would need to pass through to the server then. Is that possible? Users would access the https stuff over web browser, but agents on their computers would be trying to connect to the same server.domain.com over some custom port, let's say 52274 for example.

                                  Yes, it can be done, with Nginx for example.

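The layout discussed above (Let's Encrypt certificate terminated on a reverse proxy for port 443, the agent port 52274 passed through as plain TCP), sketched as an added example that is not from any poster in this thread. Assumed values: 192.0.2.10 as the appliance's internal address, certbot's default `/etc/letsencrypt/live/` layout, `/var/www/acme` as the challenge webroot, and `/etc/nginx/appliance-cert.pem` as a hypothetical copy of the appliance's own certificate, which is assumed to name appliance.domain.com.

```nginx
# Added example. 192.0.2.10, /var/www/acme and /etc/nginx/appliance-cert.pem
# are assumptions; the hostname and port 52274 come from the thread.
events {}

http {
    # Port 80: answer ACME HTTP-01 challenges, redirect everything else.
    server {
        listen 80;
        server_name appliance.domain.com;
        location /.well-known/acme-challenge/ { root /var/www/acme; }
        location / { return 301 https://$host$request_uri; }
    }

    # Port 443: browsers see the Let's Encrypt certificate renewed on the proxy.
    server {
        listen 443 ssl;
        server_name appliance.domain.com;
        ssl_certificate     /etc/letsencrypt/live/appliance.domain.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/appliance.domain.com/privkey.pem;
        ssl_protocols TLSv1.2 TLSv1.3;

        location / {
            proxy_pass https://192.0.2.10;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
            # nginx does not verify upstream certificates unless told to.
            # Trust only the appliance's own (long-lived) certificate.
            proxy_ssl_verify on;
            proxy_ssl_trusted_certificate /etc/nginx/appliance-cert.pem;
            proxy_ssl_name appliance.domain.com;
        }
    }
}

# Only needed if 52274 is also forwarded to the proxy; the plan settled on in
# the thread forwards it straight to the appliance at the firewall instead.
# Bytes are relayed unchanged, so agents see whatever the appliance presents.
stream {
    server {
        listen 52274;
        proxy_pass 192.0.2.10:52274;
    }
}
```

nginx reads certificate files at start and on reload, so each renewal needs a reload, for example from certbot's `--deploy-hook`.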
                                  • Obsolesce @dbeato

                                    @dbeato said in Need SSL cert - What's next best?:

                                    One thing, if you don't want automation but want free SSL you can use ZeroSSL
                                    https://zerossl.com/
                                    but you need to install it every 90 days since it is LE.

                                    That would still be an issue here. I'll just go the reverse proxy route with NGINX. Full automation with LE means zero maintenance. No automation with LE means way too much maintenance. 2-year SSL cert from somewhere else means less maintenance, but costs.

                                    • dbeato @Obsolesce

                                      @obsolesce said in Need SSL cert - What's next best?:

                                      @dbeato said in Need SSL cert - What's next best?:

                                      One thing, if you don't want automation but want free SSL you can use ZeroSSL
                                      https://zerossl.com/
                                      but you need to install it every 90 days since it is LE.

                                      That would still be an issue here. I'll just go the reverse proxy route with NGINX. Full automation with LE means zero maintenance. No automation with LE means way too much maintenance. 2-year SSL cert from somewhere else means less maintenance, but costs.

                                      Yeah, I am giving you the other alternatives that make it so much easier to use a proxy for it.

                                      • dbeato @Obsolesce

                                        @obsolesce said in Need SSL cert - What's next best?:

                                        @dbeato said in Need SSL cert - What's next best?:

                                        I have been using Namecheap
                                        https://www.namecheap.com/security/ssl-certificates.aspx

                                        Or Godaddy at times.

                                        What's their root ca?

                                        For Godaddy they are their own and NameCheap uses Comodo.

                                        • stacksofplates

                                          Cloudflare does free SSL. That's what I used for my blog since it's GitLab pages and you can't automate the LetsEncrypt part with them. It's valid for I think 15 years.

                                          • Obsolesce @stacksofplates

                                            @stacksofplates said in Need SSL cert - What's next best?:

                                            Cloudflare does free SSL. That's what I used for my blog since it's GitLab pages and you can't automate the LetsEncrypt part with them. It's valid for I think 15 years.

                                            Wow really?

                                            I'll see if I can find that.
