Questions tagged [letsencrypt]
An initiative from the Electronic Frontier Foundation (EFF), Mozilla, Cisco, Akamai, IdenTrust, and researchers at the University of Michigan that aims to automatically provide every domain owner with a recognized certificate that can be used for TLS.
90 questions
0 votes, 1 answer, 66 views
Can a wildcard certificate act as CA for subdomains? [duplicate]
Inspired by Is LetsEncrypt activity Public?
Say I've got a *.mycompany.com certificate from LetsEncrypt on my primary production server. I want to generate a certificate for my honeypot, which might ...
32 votes, 2 answers, 5k views
Is LetsEncrypt activity Public?
I often use a random ingress, e.g. jhjhtdf76753.example.com, working away quietly developing code on this subdomain for months, never creating a public DNS entry for the subdomain.
The example.com ...
1 vote, 0 answers, 119 views
ECDSA certificates not impacted by Let’s Encrypt certificate chain change?
We received an email from Cloudflare about the upcoming Let’s Encrypt certificate chain change.
At some point, it states that "Additionally, this change only impacts RSA certificates. It does not ...
2 votes, 1 answer, 61 views
SSL cert for mailserver, which domain? mail client refuses self-signed
I've got a mailserver and the hostname is mx.domain.com. Of course the server is configured to send emails to $mydomain and/or $myhostname.$mydomain in Postfix. Do I need to create the CSR/key for the ...
0 votes, 1 answer, 697 views
crt.sh shows certificates for domains I don't recognize
Today I learned of the existence of crt.sh. I typed one of my domain names into the search box to find out what it returns. I found a lot of certificate entries for domains that I don't recognize, and ...
1 vote, 1 answer, 338 views
Possible scenario for replay attack in acme protocol
The ACME protocol defines the use of a replay nonce to prevent replay attacks.
I understand what replay attacks are and why it's important to prevent them in certain scenarios. But I can't think of a ...
5 votes, 1 answer, 955 views
Can Namecheap get certificates issued for my domain without my knowledge?
I bought a domain on Namecheap a few weeks back and now that I want to set it up, I visited my domain on the web and discovered that it had a valid cert issued and was pointing to an unknown site. The ...
46 votes, 3 answers, 16k views
Reasons to distrust Let's Encrypt certificates
We have a service running behind https and we are using SSL certificates from Let's Encrypt. The problem is that one of our clients distrusts Let's Encrypt CA and on certificate renewal it requires to ...
3 votes, 3 answers, 800 views
Is it a good idea to reuse certificate issued by public CA for internal database client authentication?
Let's say we have:
Publicly available HTTPS API (e.g. api.example.com). The web server that runs it uses a certificate from a publicly trusted CA (e.g. Let's Encrypt) with both server auth and client ...
1 vote, 2 answers, 2k views
Why does anyone not use Let's Encrypt?
Let's Encrypt offers free TLS certificates, including wildcard certificates. Is there ever a reason to pay for a certificate? Is it just "we have to pay for everything so we can sue someone if ...
1 vote, 1 answer, 166 views
Comparing ACME client logs against Certificate Transparency logs
Inspired by this comment from Can DDNS provider perform a MITM attack?, I was wondering if there is an automated way to check the Certificate Transparency logs for malicious/unexpected certificates.
...
0 votes, 1 answer, 252 views
Are self-signed certificates better for local usage?
When generating a certificate, what would be more secure: generating a self-signed certificate using PGP or using a public CA like Let's Encrypt? We are using it for signing and encrypting.
What are the ...
0 votes, 1 answer, 652 views
Openssl and Let's Encrypt Cert Chain
I'm trying to understand openssl and some cert issues I was trying to track down. These certs were issued from Let's Encrypt. I will use their site as an example because I see the same behavior there. ...
1 vote, 1 answer, 652 views
What could cause classic "ERR_CERT_DATE_INVALID" when I can confirm no error from numerous other clients?
The ERR_CERT_DATE_INVALID error, I'm sure we're all familiar with, is below
Visiting the same site from numerous other locations, web clients, etc shows a valid certificate.
It's issued by let's ...
0 votes, 1 answer, 332 views
mTLS Client Authentication by Signing Arbitrary Message using Browser
This is my first post here in the area of security and encryption. I will try to be succinct, and let you know that I am not an expert in security.
Context: My client (visitor) has an X509 ...
2 votes, 1 answer, 5k views
What does it mean to create a Let's Encrypt certificate "automatically" rather than manually?
I am getting the error below in trying to renew my certificate from the command line (and thus too from cron). From searching similar error reports, I understand that it means that I initially ...
0 votes, 0 answers, 275 views
Certbot installation from cloudfront.net epel-release mirror
I'm setting up a website on a Centos7 VPS with certbot and let's encrypt.
I am no expert on network security. I checked to see if my epel-release was pulling certbot from a legit mirror.
I ran yum ...
0 votes, 1 answer, 231 views
pfsense subdomain timeout with error 522
I want to attach a valid SSL subdomain to my pfSense. I could check it (with warnings) via the pfSense's IP 192.168.11.1.
I used multiple tutorials to come up with the following:
Bought a domain
...
-1 votes, 2 answers, 487 views
How does DNS-01 validation for LetsEncrypt know what the right IP address is?
For my personal use, I bought a domain for internal ssl validation for my pfsense. I was able to get the LetsEncrypt's ACME script to successfully validate my domain and produce an ssl certificate for ...
7 votes, 1 answer, 414 views
Let's Encrypt certificate lifetime incident: is there any security risk?
A few days ago, Let's Encrypt discovered that they misinterpreted RFC 5280, thus making every certificate they issued valid for one second longer than expected.
The associated issue on Mozilla bug ...
7 votes, 1 answer, 952 views
Verifying that no malicious certificate has been issued while a DNS record was pointing to an uncontrolled IP
Given the scenario that:
Victim rents VM1 from a cloud provider, and points his/her DNS record to that VM1's IP address
Victim deletes VM1 and switches to a different cloud provider, and creates VM2 ...
-1 votes, 1 answer, 248 views
Certificates Do Nothing [duplicate]
Please correct me if I'm mistaken, but I've reached the conclusion that CA-signed certificates in the current Internet Public Key Infrastructure do not add any more security compared to servers ...
1 vote, 1 answer, 331 views
Is it possible to additionally sign a Let's Encrypt certificate with another self-signed root certificate? [duplicate]
I have a certificate for my web service issued with Let's Encrypt.
Another service that communicates with my web service requires that my certificate must be signed with theirs, otherwise their client ...
0 votes, 1 answer, 8k views
Where is ISRG Root X1 certificate on Windows 10?
Have a look here: https://letsencrypt.org/2018/08/06/trusted-by-all-major-root-programs.html
First paragraph says: "As of the end of July 2018, the Let’s Encrypt root, ISRG Root X1, is directly ...
4 votes, 1 answer, 3k views
Do I need to associate my backend API server with a domain name to get an SSL certificate for it (HTTPS)?
I have developed my DRF back-end API locally, deployed it on an AWS Lightsail instance (with a public static IP) and I now want to secure it with HTTPS.
I understand that in order to use Let's Encrypt ...
2 votes, 0 answers, 328 views
Public key stored in server is different from what is shown in OpenSSL
I obtained an SSL certificate from LetsEncrypt for my web application using Apache web server. LetsEncrypt generated these 4 files:
cert.pem chain.pem fullchain.pem privkey.pem
As I understand, ...
2 votes, 2 answers, 464 views
What stops a malicious DNS subdomain provider from impersonating my website?
First, some background: The DNS-01 verification method of Let's Encrypt requires you to add a TXT record to a special subdomain of your domain name to prove your identity. With ACMEv2, this can allow you ...
0 votes, 0 answers, 126 views
Domain-joined computer doesn't browse properly to any website with a Let's Encrypt CA cert
Navigating to any website with a Let's Encrypt CA cert, even after enabling the HTTPS Everywhere addon,
I'm getting "Your connection is not private".
Getting this error from all the browsers except ...
1 vote, 1 answer, 676 views
Is the _acme-challenge subdomain protected?
I was looking into the DNS-01 challenge of Let's Encrypt, and I had a question about the subdomain process [1].
Let's say the website example.com gives away free subdomains; what stops me from requesting ...
1 vote, 2 answers, 653 views
Can I use Let's Encrypt to verify my signing key?
I've made a signing key with GPG and I would like to have it verified since GPG displays a warning whenever a file signed with my key is verified. I've heard of Let's Encrypt but it only talks about ...
3 votes, 2 answers, 1k views
Man-in-the-middle attack (ACME / Let's Encrypt) on Authorization Key?
By looking at https://letsencrypt.org/how-it-works/, I got the feeling that a man-in-the-middle attack might be possible in the 'Domain Validation' phase.
During that phase, the admin is asked to e....
-5 votes, 2 answers, 353 views
Revoke Let's Encrypt CA for all devices in my organization?
If I disagree with Let's Encrypt's cavalier attitude about SSL certificate issuance, and their indifference to their auto-generated certificates potentially being used for widespread criminal ...
0 votes, 1 answer, 7k views
Using LetsEncrypt certificates for WiFi network authentication
I am helping my school IT set up a RADIUS authentication system using PEAP/EAP-TTLS. We are able to achieve successful connection with the user devices, but the users need to accept a "Not trusted" ...
3 votes, 2 answers, 360 views
What is Multi-Perspective Validation?
The Let's Encrypt upcoming features page lists the following:
Multi-Perspective Validation
Currently Let’s Encrypt validates from a single network perspective.
We are planning to start ...
7 votes, 1 answer, 1k views
Should the Strict-Transport-Security max-age be tied to the duration of the certificate?
I understand the principle of HSTS, and the fact that the choice of max-age limits how long a visitor could potentially be locked out if the site somehow lost its certificate and had to go back to ...
0 votes, 1 answer, 313 views
Update letsencrypt certificates without changing the private key
I want to renew the letsencrypt certificate on my webserver but want to keep the private key the same.
I've installed the certificate using certbot 0.35.1
How can I update the certificate (preferably ...
6 votes, 4 answers, 1k views
Let's Encrypt and EV certificates for different hosts in the same domain
I have an e-commerce site host name (example.com) and want to install an Extended Validation TLS certificate for it.
But I use a cookieless static content served from another host name (static....
-3 votes, 1 answer, 695 views
What is the maximum lifetime for Let's Encrypt certificates?
Let's Encrypt is one of the most popular TLS Certificate Authorities. I have conflicting information about its certificates' lifetime. In this link it says 90 days. In one research paper I read 1 ...
15 votes, 2 answers, 793 views
Let's Encrypt is based in the US and subject to US laws
Let's Encrypt is based in the United States and subject to the laws of the United States, including National Security Letters. What are the implications for foreign sites that use Let's Encrypt?
Here'...
1 vote, 1 answer, 553 views
Workaround for no www.subdomain.domain coverage on wildcard cert [closed]
Edit: Would deleting the www.hungry.example.org DNS record be a good solution if there are no links to it?
I have a domain (example.org) and a subdomain (hungry.example.org). Until recently they had ...
1 vote, 0 answers, 401 views
Lets Encrypt + Cert Bot: Setting up known Certificate Authority
I have a setup in docker where I have LetsEncrypt ACME Boulder + CertBot + DNSMASQ as a DNS Server. Additionally I have a client and a service where the service is served over https only.
I had ...
3 votes, 2 answers, 194 views
Are Let’s Encrypt wrapper services secure?
There are a number of web based portals that purport to make installation of free SSL certificates user friendly for non-technical users (ZeroSsl, SSLforFree). For lack of a better term I am calling ...
7 votes, 1 answer, 2k views
How does selection between multiple available certificate chains work?
I am trying to understand the practical mechanisms of cross-signing (intermediate) certificates. As an example, I am looking at the Let's Encrypt Chain of Trust. That page mentions:
IdenTrust has ...
11 votes, 1 answer, 7k views
Creating sub CA signed with Let's Encrypt certificate
I have a certificate issued from Let's Encrypt.
Can I create a key and certificate for my own purpose (i.e. an OpenVPN server, or web server with internal domain name/IP address) and sign it with the ...
1 vote, 1 answer, 864 views
Robust SSL pinning on IoT device with Let’s Encrypt
I would like to implement SSL pinning on ESP8266. Since the leaf certificate changes quite often, I would like to check for which domain the leaf was issued and check that the root belongs to Let's Encrypt.
To ...
6 votes, 3 answers, 3k views
Setting up LetsEncrypt SSL for domains/subdomains on two servers
LetsEncrypt certificates have been created for example.com and www.example.com. This is a Linux server on IP 123.123.123.1.
I would like to add foo.example.com and bar.example.com, but these ...
2 votes, 1 answer, 523 views
Can I get a HTTPS certificate for mymachine.cs.superuniversity.ca from "Let's Encrypt" [duplicate]
I'm trying to set up a HTTPS certificate for mymachine.cs.superuniversity.ca (free or paid).
Before I jump in, is it even possible to set up such a certificate using Let's Encrypt?
The domain is for ...
37 votes, 2 answers, 3k views
Is there any security risk when a certificate authority is used more than all others?
According to NetTrack, Let's Encrypt is now used on more than 50% of domains (51.21% as of April 2018).
I know Let's Encrypt helped a lot of people to get free certificates for their websites, so I ...
0 votes, 2 answers, 341 views
Are the letsencrypt clients audited?
As more and more webservers install the letsencrypt client to get free letsencrypt certs, I was just thinking.
Are the letsencrypt client(s) audited? Can they have malicious code in them?
2 votes, 1 answer, 894 views
Could a state actor MITM Let’s Encrypt certificate issuance to provide a cert they could more easily crack
Let’s Encrypt issues certificates of which they are the CA. That cert is based on a private key generated in the server by LE's auto/certbot script.
Could a state actor MITM that transaction ...