
Questions tagged [letsencrypt]

Let's Encrypt is a free, automated, publicly trusted certificate authority operated by the Internet Security Research Group (ISRG) and launched with sponsorship from the Electronic Frontier Foundation (EFF), Mozilla, Cisco, Akamai, IdenTrust and researchers at the University of Michigan. It issues domain-validated (DV) certificates for TLS to any domain owner who can prove control of a name through the ACME protocol (RFC 8555); certificates are valid for 90 days and are meant to be renewed automatically.

0 votes
1 answer
66 views

Can a wildcard certificate act as CA for subdomains? [duplicate]

Inspired by Is LetsEncrypt activity Public? Say I've got a *.mycompany.com certificate from LetsEncrypt on my primary production server. I want to generate a certificate for my honeypot, which might ...
asked by Daniël van den Berg

32 votes
2 answers
5k views

Is LetsEncrypt activity Public?

I often use a random ingress eg. jhjhtdf76753.example.com, working away quietly developing code on this subdomain for months, never creating a public DNS entry for the subdomain. The example.com ...
asked by ophthal

1 vote
0 answers
119 views

ECDSA certificates not impacted by Let’s Encrypt certificate chain change?

We received an email from Cloudflare about the upcoming Let’s Encrypt certificate chain change. At some point, it states that "Additionally, this change only impacts RSA certificates. It does not ...
asked by Vic Seedoubleyew

2 votes
1 answer
61 views

SSL cert for mailserver, which domain? mail client refuses self-signed

I've got a mailserver and the hostname is mx.domain.com. Of course the server is configured to send emails to $mydomain and/or $myhostname.$mydomain in Postfix. Do I need to create the CSR/key for the ...
asked by shawnixer

0 votes
1 answer
697 views

crt.sh shows certificates for domains I don't recognize

Today I learned of the existence of crt.sh. I typed one of my domain names into the search box to find out what it returns. I found a lot of certificate entries for domains that I don't recognize, and ...
asked by Scott Severance

1 vote
1 answer
338 views

Possible scenario for replay attack in acme protocol

The ACME protocol defines the use of a replay nonce to prevent replay attacks. I understand what replay attacks are and why it's important to prevent them in certain scenarios. But I can't think of a ...
asked by Sebastian

5 votes
1 answer
955 views

Can Namecheap get certificates issued for my domain without my knowledge?

I bought a domain on Namecheap a few weeks back and now that I want to set it up, I visited my domain on the web and discovered that it had a valid cert issued and was pointing to an unknown site. The ...
asked by Ermir

46 votes
3 answers
16k views

Reasons to distrust Let's Encrypt certificates

We have a service running behind https and we are using SSL certificates from Let's Encrypt. The problem is that one of our clients distrusts Let's Encrypt CA and on certificate renewal it requires to ...
asked by fernandezr

3 votes
3 answers
800 views

Is it a good idea to reuse certificate issued by public CA for internal database client authentication?

Let's say we have: Publicly available HTTPS API (e.g. api.example.com). The web server that runs it uses a certificate from a publicly trusted CA (e.g. Let's Encrypt) with both server auth and client ...
asked by Alexander

1 vote
2 answers
2k views

Why does anyone not use Let's Encrypt?

Let's Encrypt offers free TLS certificates, including wildcard certificates. Is there ever a reason to pay for a certificate? Is it just "we have to pay for everything so we can sue someone if ...
asked by Someone

1 vote
1 answer
166 views

Comparing ACME client logs against Certificate Transparency logs

Inspired by this comment from Can DDNS provider perform a MITM attack?, I was wondering if there is an automated way to check the Certificate Transparency logs for malicious/unexpected certificates. ...
asked by oliver

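Added example for the CT-reconciliation question above and for the crt.sh and hijacked-DNS-record questions elsewhere on this page; it is not code from any of those posts or from certbot. It reconciles the serial numbers of certificates your own ACME client obtained with what Certificate Transparency shows for your names, so anything in the logs you did not issue stands out. All inputs are constructed: the CT rows copy the field names of crt.sh's JSON output (`https://crt.sh/?q=%25.example.com&output=json`), which you should confirm against a live query, and the local serial lines mimic `openssl x509 -noout -serial -in certN.pem` run over certbot's `/etc/letsencrypt/archive/<lineage>/` files. Two details matter for the comparison: crt.sh lists a normally issued certificate twice (precertificate and final certificate) under one serial, and a serial seen locally but not in CT may simply not have been ingested yet.

```python
"""Reconcile certificates an ACME client obtained locally with what
Certificate Transparency shows for the same domain.

Added example, not code from any post on this page or from certbot.
CT_ROWS and LOCAL_SERIAL_LINES are constructed samples (see the comments).
"""
from datetime import datetime

# Constructed: rows shaped like crt.sh's ?output=json records. A normally
# issued certificate shows up twice (precertificate + final cert) with the
# same serial, so rows must be grouped by serial before comparing.
CT_ROWS = [
    {"id": 101, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "example.com", "name_value": "example.com\nwww.example.com",
     "serial_number": "03a1b2c3d4e5f6071829", "not_before": "2024-02-01T10:00:00",
     "not_after": "2024-05-01T10:00:00"},
    {"id": 102, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "example.com", "name_value": "example.com\nwww.example.com",
     "serial_number": "03a1b2c3d4e5f6071829", "not_before": "2024-02-01T10:00:00",
     "not_after": "2024-05-01T10:00:00"},
    {"id": 117, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "jhjhtdf76753.example.com", "name_value": "jhjhtdf76753.example.com",
     "serial_number": "04ffee0011223344", "not_before": "2024-02-15T00:00:00",
     "not_after": "2024-05-15T00:00:00"},
    {"id": 90, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "old.example.com", "name_value": "old.example.com",
     "serial_number": "00a9b8c7d6e5f4", "not_before": "2023-01-01T00:00:00",
     "not_after": "2023-04-01T00:00:00"},
]

# Constructed: what `openssl x509 -noout -serial -in certN.pem` prints for the
# certificates in certbot's archive directory (uppercase hex, 'serial=' prefix).
LOCAL_SERIAL_LINES = [
    "serial=03A1B2C3D4E5F6071829",
    "serial=05C0FFEE00112233",   # just renewed; CT may not show it yet
]


def normalize_serial(text):
    """Map 'serial=03:AB', '03ab' and '0003ab' to one comparable form."""
    s = text.strip().lower()
    if s.startswith("serial="):
        s = s[len("serial="):]
    s = s.replace(":", "").lstrip("0")
    return s or "0"


def parse_local_serials(lines):
    return {normalize_serial(line) for line in lines if line.strip()}


def reconcile(ct_rows, local_serials, now):
    """Group CT rows by serial and sort each serial into a bucket:
    matched (issued here), unexpected_active (not issued here and still valid:
    investigate), unexpected_expired (history only) and local_not_in_ct
    (issued here but not yet visible in the logs)."""
    by_serial = {}
    for row in ct_rows:
        serial = normalize_serial(row["serial_number"])
        entry = by_serial.setdefault(serial, {"names": set(), "issuer": row["issuer_name"]})
        entry["names"].update(row["name_value"].split("\n"))
        entry["not_after"] = datetime.fromisoformat(row["not_after"])
    report = {"matched": [], "unexpected_active": [], "unexpected_expired": [],
              "local_not_in_ct": sorted(local_serials - set(by_serial))}
    for serial, entry in sorted(by_serial.items()):
        record = {"serial": serial, "names": sorted(entry["names"]),
                  "issuer": entry["issuer"], "not_after": entry["not_after"].isoformat()}
        if serial in local_serials:
            report["matched"].append(record)
        elif entry["not_after"] > now:
            report["unexpected_active"].append(record)
        else:
            report["unexpected_expired"].append(record)
    return report


def run_demo(now=datetime(2024, 3, 1, 12, 0, 0)):
    """Run the reconciliation over the constructed samples at a fixed 'now'."""
    return reconcile(CT_ROWS, parse_local_serials(LOCAL_SERIAL_LINES), now)


if __name__ == "__main__":
    import json
    print(json.dumps(run_demo(), indent=2))
```

Anything in `unexpected_active` deserves a look: either another party legitimately controls a name under the domain (a subdomain service, a CDN, a previous tenant of an IP your record still pointed at) or someone completed validation for a name you own. Expired entries can be dropped from alerting but kept for the audit trail.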
0 votes
1 answer
252 views

Are self-signed certificates better for local usage?

When generating a certificate, what would be more secure: generating a self-signed certificate using PGP or using a public CA like Let's Encrypt? We are using it for signing and encrypting. What are the ...
asked by Munchkin

0 votes
1 answer
652 views

Openssl and Let's Encrypt Cert Chain

I'm trying to understand openssl and some cert issues I was trying to track down. These certs were issued from Let's Encrypt. I will use their site as an example because I see the same behavior there. ...
asked by AnaphylacticInternet

1 vote
1 answer
652 views

What could cause classic "ERR_CERT_DATE_INVALID" when I can confirm no error from numerous other clients?

The ERR_CERT_DATE_INVALID error, I'm sure we're all familiar with, is below. Visiting the same site from numerous other locations, web clients, etc. shows a valid certificate. It's issued by Let's ...
asked by TCooper

0 votes
1 answer
332 views

mTLS Client Authentication by Signing Arbitrary Message using Browser

This is my first post here in the area of security and encryption. I will try to be succinct, and let you know that I am not an expert in security. Context: My client (visitor) has an X509 ...
asked by Bruno Alano

2 votes
1 answer
5k views

What does it mean to create a Let's Encrypt certificate "automatically" rather than manually?

I am getting the error below in trying to renew my certificate from the command line (and thus too from cron). From searching similar error reports, I understand that it means that I initially ...
asked by Joshua Fox

0 votes
0 answers
275 views

Certbot installation from cloudfront.net epel-release mirror

I'm setting up a website on a Centos7 VPS with certbot and let's encrypt. I am no expert on network security. I checked to see if my epel-release was pulling certbot from a legit mirror. I ran yum ...
asked by myke

0 votes
1 answer
231 views

pfsense subdomain timeout with error 522

I want to attach a valid ssl subdomain to my pfsense. I would check it (with warnings) via my pfsense's IP 192.168.11.1. I used multiple tutorials to come up with the following: Bought a domain ...
asked by SILENT

-1 votes
2 answers
487 views

How does DNS-01 validation for LetsEncrypt know what the right IP address is?

For my personal use, I bought a domain for internal ssl validation for my pfsense. I was able to get the LetsEncrypt's ACME script to successfully validate my domain and produce an ssl certificate for ...
asked by SILENT

7 votes
1 answer
414 views

Let's Encrypt certificate lifetime incident: is there any security risk?

A few days ago, Let's Encrypt discovered that they misinterpreted RFC 5280, thus making every certificate they issued valid for one second longer than expected. The associated issue on Mozilla bug ...
asked by Benoit Esnard

7 votes
1 answer
952 views

Verifying that no malicious certificate has been issued while a DNS record was pointing to an uncontrolled IP

Given the scenario that: Victim rents VM1 from a cloud provider, and points his/her DNS record to that VM1's IP address. Victim deletes VM1 and switches to a different cloud provider, and creates VM2 ...
asked by xdavidhu

-1 votes
1 answer
248 views

Certificates Do Nothing [duplicate]

Please correct me if I'm mistaken, but I've reached the conclusion that CA-signed certificates in the current Internet Public Key Infrastructure do not add any more security compared to servers ...
asked by Cinolt Yuklair

1 vote
1 answer
331 views

Is it possible to additionally sign a Let's Encrypt certificate with another self-signed root certificate? [duplicate]

I have a certificate for my web service issued with Let's Encrypt. Another service that communicates with my web service requires that my certificate must be signed with theirs, otherwise their client ...
asked by user2530062

0 votes
1 answer
8k views

Where is ISRG Root X1 certificate on Windows 10?

Have a look here: https://letsencrypt.org/2018/08/06/trusted-by-all-major-root-programs.html First paragraph says: "As of the end of July 2018, the Let’s Encrypt root, ISRG Root X1, is directly ...
asked by StanTastic

4 votes
1 answer
3k views

Do I need to associate my backend API server with a domain name to get an SSL certificate for it (HTTPS)?

I have developed my DRF back-end API locally, deployed it on an AWS Lightsail instance (with a public static IP) and I now want to secure it with HTTPS. I understand that in order to use Let's Encrypt ...
asked by kingJulian

2 votes
0 answers
328 views

Public key stored in server is different from what is shown in OpenSSL

I obtained an SSL certificate from LetsEncrypt for my web application using Apache web server. LetsEncrypt generated these 4 files: cert.pem chain.pem fullchain.pem privkey.pem As I understand, ...
asked by simplfuzz

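Added example for the question above and for the "Openssl and Let's Encrypt Cert Chain" question earlier on this page; it is not code from either post, from certbot or from OpenSSL. It runs the checks a practitioner wants on certbot's `cert.pem`, `chain.pem`, `fullchain.pem` and `privkey.pem`: that the public key inside `cert.pem` is the one derived from `privkey.pem` (compare the output of `openssl x509 -pubkey` with that of `openssl pkey -pubout`), that `fullchain.pem` is exactly `cert.pem` followed by `chain.pem`, and that the leaf only verifies when the intermediate from `chain.pem` is supplied, which is why `openssl verify cert.pem` on its own fails for a Let's Encrypt certificate. It assumes an `openssl` binary (1.1.1 or 3.x) on PATH. `make_demo_pki()` builds a throwaway root, intermediate and leaf with EC keys so everything runs offline; the `www.example.com` name, the `Demo Root` and `Demo Intermediate` subjects and the `live/` directory are constructed fixtures, not anything issued by Let's Encrypt.

```python
"""Checks on a certbot-style lineage (cert.pem, chain.pem, fullchain.pem,
privkey.pem) driven through the openssl command line.

Added example, not code from any post on this page, from certbot or from
OpenSSL. Assumes an `openssl` binary (1.1.1 or 3.x) on PATH; make_demo_pki()
is a constructed fixture so the checks run offline.
"""
import hashlib
import os
import subprocess
import tempfile


def _openssl(*args):
    """Run one openssl subcommand, failing loudly; return its stdout."""
    proc = subprocess.run(["openssl", *args], capture_output=True)
    if proc.returncode != 0:
        raise RuntimeError("openssl %s failed: %s" % (args[0], proc.stderr.decode(errors="replace")))
    return proc.stdout


def spki_sha256(path):
    """SHA-256 of the PEM SubjectPublicKeyInfo: `x509 -pubkey` for a certificate,
    `pkey -pubout` for a private key. Both print the same
    '-----BEGIN PUBLIC KEY-----' block when the key belongs to the certificate."""
    with open(path, "rb") as fh:
        is_cert = b"CERTIFICATE" in fh.read(64)
    pem = _openssl(*(("x509", "-in", path, "-noout", "-pubkey") if is_cert
                     else ("pkey", "-in", path, "-pubout")))
    return hashlib.sha256(pem).hexdigest()


def chain_verifies(leaf, trusted_roots, untrusted_chain=None):
    """`openssl verify`, optionally given the intermediates a server would send."""
    args = ["verify", "-CAfile", trusted_roots]
    if untrusted_chain:
        args += ["-untrusted", untrusted_chain]
    proc = subprocess.run(["openssl", *args, leaf], capture_output=True)
    return proc.returncode == 0


def check_lineage(live_dir, trusted_roots):
    """The checks a deploy hook would run on a live/<name>/ directory."""
    p = lambda name: os.path.join(live_dir, name)
    with open(p("cert.pem"), "rb") as c, open(p("chain.pem"), "rb") as ch, \
            open(p("fullchain.pem"), "rb") as fc:
        cert, chain, fullchain = c.read(), ch.read(), fc.read()
    return {
        "key_matches_cert": spki_sha256(p("cert.pem")) == spki_sha256(p("privkey.pem")),
        "fullchain_is_cert_plus_chain": fullchain == cert + chain,
        "leaf_alone_verifies": chain_verifies(p("cert.pem"), trusted_roots),
        "leaf_with_chain_verifies": chain_verifies(p("cert.pem"), trusted_roots, p("chain.pem")),
    }


def _new_key_and_csr(workdir, stem, cn):
    """Fresh P-256 key plus CSR for CN=cn (constructed fixture)."""
    key, csr = os.path.join(workdir, stem + ".key"), os.path.join(workdir, stem + ".csr")
    _openssl("req", "-new", "-newkey", "ec", "-pkeyopt", "ec_paramgen_curve:prime256v1",
             "-nodes", "-keyout", key, "-out", csr, "-subj", "/CN=" + cn)
    return key, csr


def _write(path, text):
    with open(path, "w") as fh:
        fh.write(text)
    return path


def make_demo_pki(workdir):
    """Constructed fixture: self-signed root -> CA:TRUE intermediate -> leaf for
    www.example.com, written in certbot's live/ layout. Returns (live_dir, root_pem)."""
    ca_ext = _write(os.path.join(workdir, "ca.ext"),
                    "basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n")
    leaf_ext = _write(os.path.join(workdir, "leaf.ext"),
                      "basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\n"
                      "extendedKeyUsage=serverAuth\nsubjectAltName=DNS:www.example.com\n")
    live = os.path.join(workdir, "live")
    os.makedirs(live)
    root_key, root_csr = _new_key_and_csr(workdir, "root", "Demo Root")
    root_pem = os.path.join(workdir, "root.pem")
    _openssl("x509", "-req", "-in", root_csr, "-signkey", root_key, "-days", "1",
             "-extfile", ca_ext, "-out", root_pem)
    int_key, int_csr = _new_key_and_csr(workdir, "int", "Demo Intermediate")
    chain = os.path.join(live, "chain.pem")
    _openssl("x509", "-req", "-in", int_csr, "-CA", root_pem, "-CAkey", root_key,
             "-CAcreateserial", "-days", "1", "-extfile", ca_ext, "-out", chain)
    leaf_key, leaf_csr = _new_key_and_csr(workdir, "leaf", "www.example.com")
    os.replace(leaf_key, os.path.join(live, "privkey.pem"))
    cert = os.path.join(live, "cert.pem")
    _openssl("x509", "-req", "-in", leaf_csr, "-CA", chain, "-CAkey", int_key,
             "-CAcreateserial", "-days", "1", "-extfile", leaf_ext, "-out", cert)
    with open(os.path.join(live, "fullchain.pem"), "wb") as out:   # certbot: cert, then chain
        for part in (cert, chain):
            with open(part, "rb") as fh:
                out.write(fh.read())
    return live, root_pem


def run_demo():
    """Build the fixture, run the checks, and show a key from another lineage failing."""
    with tempfile.TemporaryDirectory() as work:
        live, roots = make_demo_pki(work)
        report = check_lineage(live, roots)
        stray_key, _ = _new_key_and_csr(work, "stray", "stray")
        report["stray_key_matches_cert"] = (
            spki_sha256(os.path.join(live, "cert.pem")) == spki_sha256(stray_key))
        return report


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name:30} {ok}")
```

To check a real lineage, call `check_lineage("/etc/letsencrypt/live/<name>", roots)` with `roots` pointing at the CA bundle you actually trust (your system store, for instance). The same public-key comparison, run before and after a renewal, also tells you whether the key was kept, which certbot only does when renewing with `--reuse-key`.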
2 votes
2 answers
464 views

What stops a malicious DNS subdomain provider from impersonating my website?

First, some background: The DNS-01 verification method of Let's Encrypt requires you to add a TXT record to a special subdomain of your domain name to prove your identity. With ACMEv2, this can allow you ...
asked by huanglx

0 votes
0 answers
126 views

Domain Joined computer doesn't browse properly with any website with Let's Encrypt CA cert

Navigating to any website with Let's Encrypt CA cert and even after enabling the HTTPS Everywhere addon, I'm getting "Your connection is not private". Getting this error from all the browsers except ...
asked by Nɪsʜᴀɴᴛʜ ॐ

1 vote
1 answer
676 views

Is the _acme-challenge subdomain protected?

I was looking into the DNS-01 challenge of Let's Encrypt, and I had a question about the subdomain process [1]. Let's say the website example.com gives away free subdomains; what stops me from requesting ...
asked by Ceesz

1 vote
2 answers
653 views

Can I use Let's Encrypt to verify my signing key?

I've made a signing key with GPG and I would like to have it verified since GPG displays a warning whenever a file signed with my key is verified. I've heard of Let's Encrypt but it only talks about ...
asked by UnicornsOnLSD

3 votes
2 answers
1k views

Man-in-the-middle attack (ACME / Let's Encrypt) on Authorization Key?

By looking at https://letsencrypt.org/how-it-works/, I got the feeling that a man-in-the-middle attack might be possible in the 'Domain Validation' phase. During that phase, the admin is asked to e....
asked by NightRain23

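Added example for the domain-validation MITM question above and for the ACME replay-nonce question earlier on this page; it is not code from those posts, from Let's Encrypt or from any ACME client. Using only the standard library, it computes the RFC 8555 key authorization (the challenge token joined to the RFC 7638 thumbprint of the account key), the HTTP-01 body and the DNS-01 TXT value derived from it, the CA-side comparison that ties a challenge response to the account that placed the order, and a server-side nonce store that rejects a replayed or mis-routed JWS. `ACCOUNT_JWK`, `ATTACKER_JWK`, `TOKEN` and the `acme.example.test` URLs are constructed values of the right shape, not real keys or a real challenge; the JWS signature itself is not computed here.

```python
"""ACME challenge binding (RFC 8555 sections 8.1, 8.3, 8.4) and Replay-Nonce
handling (sections 6.2, 6.4, 6.5) in stdlib Python.

Added example, not code from any post on this page, from Let's Encrypt or
from an ACME client. ACCOUNT_JWK, ATTACKER_JWK and TOKEN are constructed
values with the right shape, not real keys or a real challenge.
"""
import base64
import hashlib
import hmac
import json
import secrets


def b64url(data):
    """base64url without padding, as JOSE and ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Constructed: filler bytes in place of real P-256 coordinates.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": b64url(b"\x11" * 32), "y": b64url(b"\x22" * 32),
               "kid": "https://acme.example.test/acme/acct/1", "alg": "ES256"}
ATTACKER_JWK = {"kty": "EC", "crv": "P-256", "x": b64url(b"\x33" * 32), "y": b64url(b"\x44" * 32)}
TOKEN = b64url(b"\x55" * 32)   # constructed; a CA draws at least 128 random bits

# RFC 7638 section 3.2: only the required members, lexicographically ordered and
# without whitespace, feed the hash; kid/alg/use must not change the result.
THUMBPRINT_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n"), "oct": ("k", "kty")}


def jwk_thumbprint(jwk):
    required = {name: jwk[name] for name in THUMBPRINT_MEMBERS[jwk["kty"]]}
    canonical = json.dumps(required, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return b64url(hashlib.sha256(canonical).digest())


def key_authorization(token, account_jwk):
    """Section 8.1: token '.' thumbprint(account key) ties the response to one account."""
    return token + "." + jwk_thumbprint(account_jwk)


def http01_body(token, account_jwk):
    """Body served at http://<name>/.well-known/acme-challenge/<token> (section 8.3)."""
    return key_authorization(token, account_jwk)


def dns01_txt_value(token, account_jwk):
    """TXT record at _acme-challenge.<name>: base64url(SHA-256(key authorization)) (section 8.4)."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("utf-8")).digest()
    return b64url(digest)


def ca_validates_http01(token, order_account_jwk, fetched_body):
    """CA side: recompute from the token it issued and the key of the account that
    placed the order, then compare in constant time. Seeing the token on the wire
    does not help a party whose account key differs."""
    expected = key_authorization(token, order_account_jwk).encode("utf-8")
    return hmac.compare_digest(expected, fetched_body.encode("utf-8"))


class NonceStore:
    """Server-side Replay-Nonce bookkeeping (section 6.5): issued once, accepted once."""

    def __init__(self):
        self._unused = set()

    def issue(self):
        nonce = b64url(secrets.token_bytes(16))
        self._unused.add(nonce)
        return nonce

    def consume(self, nonce):
        if nonce in self._unused:
            self._unused.discard(nonce)
            return True
        return False


def protected_header(alg, kid, nonce, url):
    """Section 6.2: alg, nonce, url and kid (or jwk) are mandatory in the protected header."""
    return {"alg": alg, "kid": kid, "nonce": nonce, "url": url}


def jws_signing_input(protected, payload):
    """The bytes the account key signs: nonce and url sit under the signature, so a
    captured request cannot be re-targeted or given a fresh nonce without the key."""
    def enc(obj):
        return b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))
    return (enc(protected) + "." + enc(payload)).encode("ascii")


def server_accepts(store, protected, request_url):
    """Checks applied after the signature has been verified (assumed done here):
    url mismatch -> 'unauthorized' (section 6.4); unknown or reused nonce -> 'badNonce' (6.5)."""
    if protected.get("url") != request_url:
        return "unauthorized"
    if not store.consume(protected.get("nonce", "")):
        return "badNonce"
    return "ok"


if __name__ == "__main__":
    print("HTTP-01 body:", http01_body(TOKEN, ACCOUNT_JWK))
    print("DNS-01 TXT  :", dns01_txt_value(TOKEN, ACCOUNT_JWK))
    store = NonceStore()
    hdr = protected_header("ES256", ACCOUNT_JWK["kid"], store.issue(),
                           "https://acme.example.test/acme/new-order")
    print("first use   :", server_accepts(store, hdr, hdr["url"]))
    print("replayed    :", server_accepts(store, hdr, hdr["url"]))
```

The point for both questions sits in the last few functions: the token a network attacker can observe is useless without the matching account key, because the CA recomputes the key authorization from the key of the account that created the order; and a captured, validly signed request cannot be replayed or redirected, because its nonce is consumed on first use and its `url` is under the signature.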
-5 votes
2 answers
353 views

Revoke Let's Encrypt CA for all devices in my organization?

If I disagree with Let's Encrypt's cavalier attitude about SSL certificate issuance, and their indifference to their auto-generated certificates potentially being used for widespread criminal ...
asked by Dale Mahalko

0 votes
1 answer
7k views

Using LetsEncrypt certificates for WiFi network authentication

I am helping my school IT set up a RADIUS authentication system using PEAP/EAP-TTLS. We are able to achieve successful connection with the user devices, but the users need to accept a "Not trusted" ...
asked by Standstill

3 votes
2 answers
360 views

What is Multi-Perspective Validation?

The Let's Encrypt upcoming features page lists the following: "Multi-Perspective Validation: Currently Let’s Encrypt validates from a single network perspective. We are planning to start ...
asked by Gregory Arenius

7 votes
1 answer
1k views

Should the Strict-Transport-Security max-age be tied to the duration of the certificate?

I understand the principle of HSTS, and the fact that the choice of max-age limits how long a visitor could potentially be locked out if the site somehow lost its certificate and had to go back to ...
asked by smitelli

0 votes
1 answer
313 views

Update letsencrypt certificates without changing the private key

I want to renew the letsencrypt certificate on my webserver but want to keep the private key the same. I've installed the certificate using certbot 0.35.1. How can I update the certificate (preferably ...
asked by Cool Breeze

6 votes
4 answers
1k views

Let's Encrypt and EV certificates for different hosts in the same domain

I have an e-commerce site host name (example.com) and want to install an Extended Validation TLS certificate for it. But I use a cookieless static content served from another host name (static....
asked by overer

-3 votes
1 answer
695 views

What is the maximum lifetime for Let's Encrypt certificates?

Let's Encrypt is one of the most popular TLS Certificate Authorities. I have conflicting information about its certificates' lifetime. In this link it says 90 days. In one research paper I read 1 ...
asked by user9371654

15 votes
2 answers
793 views

Let's Encrypt is based in the US and subject to US laws

Let's Encrypt is based in the United States and subject to the laws of the United States, including National Security Letters. What are the implications for foreign sites that use Let's Encrypt? Here'...
asked by RealDrGordonFreeman

1 vote
1 answer
553 views

Workaround for no www.subdomain.domain coverage on wildcard cert [closed]

Edit: Would deleting the www.hungry.example.org DNS record be a good solution if there are no links to it? I have a domain (example.org) and a subdomain (hungry.example.org). Until recently they had ...
asked by user1114

1 vote
0 answers
401 views

Lets Encrypt + Cert Bot: Setting up known Certificate Authority

I have a setup in docker where I have LetsEncrypt ACME Boulder + CertBot + DNSMASQ as a DNS Server. Additionally I have a client and a service where the service is served over https only. I had ...
asked by Th3Nic3Guy

3 votes
2 answers
194 views

Are Let’s Encrypt wrapper services secure?

There are a number of web based portals that purport to make installation of free SSL certificates user friendly for non-technical users (ZeroSsl, SSLforFree). For lack of a better term I am calling ...
7 votes
1 answer
2k views

How does selection between multiple available certificate chains work?

I am trying to understand the practical mechanisms of cross-signing (intermediate) certificates. As an example, I am looking at the Let's Encrypt Chain of Trust. That page mentions: IdenTrust has ...
asked by Reinier Torenbeek

11 votes
1 answer
7k views

Creating sub CA signed with Let's Encrypt certificate

I have a certificate issued from Let's Encrypt. Can I create a key and certificate for my own purpose (i.e. an OpenVPN server, or web server with internal domain name/IP address) and sign it with the ...
asked by Kamil K

1 vote
1 answer
864 views

Robust SSL pinning on IoT device with Let’s Encrypt

I would like to implement SSL pinning on ESP8266. Since the leaf certificate changes quite often, I would like to check for which domain the leaf was issued and check that the root belongs to Let’s Encrypt. To ...
asked by pixel

6 votes
3 answers
3k views

Setting up LetsEncrypt SSL for domains/subdomains on two servers

LetsEncrypt certificates have been created for example.com and www.example.com. This is a Linux server on IP 123.123.123.1. I would like to add foo.example.com and bar.example.com, but these ...
asked by Fid

2 votes
1 answer
523 views

Can I get a HTTPS certificate for mymachine.cs.superuniversity.ca from "Let's Encrypt" [duplicate]

I'm trying to set up a HTTPS certificate for mymachine.cs.superuniversity.ca (free or paid). Before I jump in, is it even possible to set up such a certificate using Let's Encrypt? The domain is for ...
asked by XoXo

37 votes
2 answers
3k views

Is there any security risk when a certificate authority is used more than all others?

According to NetTrack, Let's Encrypt is now used on more than 50% of domains (51.21% as of April 2018). I know Let's Encrypt helped a lot of people to get free certificates for their websites, so I ...
asked by Benoit Esnard

0 votes
2 answers
341 views

Are the letsencrypt clients audited?

When more and more webservers install the letsencrypt client to have free letsencrypt certs, I was just thinking: are the letsencrypt client(s) audited? Can they have malicious code in them?
asked by Hessnov

2 votes
1 answer
894 views

Could a state actor MITM Let’s Encrypt certificate issuance to provide a cert they could more easily crack?

Let’s Encrypt issues certificates of which they are the CA. That cert is based on a private key generated in the server by LE's auto/certbot script. Could a state actor MITM that transaction ...
asked by jb510
