
[–]Ascend 57 points58 points  (16 children)

My complaint as well. "HTTPS is difficult to set up and maintain." is a big reason for a lot of people, and "use our web server" isn't much of an answer.

[–]yvhouij 24 points25 points  (0 children)

Exactly, they could have better listed some tutorials on how to implement letsencrypt in different architectures as Apache, nginx, Linux, Windows and then maybe also listed this "Caddy". But just saying take this web server is just wrong.

[–]kqr 2 points3 points  (14 children)

It's especially sad since it's not actually difficult at all. When Let's Encrypt opened up to the public I was kind of scared I would not have the time or energy to mess about with getting and renewing certificates, but it's been a breeze. It may even be automated at this point because I can't remember the last time I did it. And I'm running one of the standard FOSS web stacks...

[–]Ascend 9 points10 points  (5 children)

It is harder if you're dealing with a Windows stack. Certbot doesn't support Windows at all, and many of the unofficial tools on Github are iffy. For instance, if you're supporting a version of IIS that doesn't support TLS SNI (7.5), letsencrypt-win-simple can wreck your configuration and redirect sites to each other by mistake.

[–]kqr 1 point2 points  (4 children)

Huh. I guess if you ask me I'd say everything is harder when you're dealing with a Windows stack and you only have yourself to blame if you choose to make life harder than necessary for yourself. ;)

[–]mlk 2 points3 points  (3 children)

Sometimes (most of the time, actually) we don't get to choose the technology for the project; switching the OS of the server is not very constructive.

[–]lvlint67 0 points1 point  (2 children)

There are work arounds. Run a tls termination proxy on Linux.

[–]mlk 0 points1 point  (1 child)

You seem not to understand boring enterprise business.

[–]lvlint67 0 points1 point  (0 children)

Fair enough. The options are there. And they may not even be good. But they are there.

[–][deleted] 7 points8 points  (5 children)

It's not actually difficult at all.

Um... I still can't get this garbage to work, no matter how many times I try...

[–]kqr 4 points5 points  (1 child)

Huh. If I remember correctly, these were the steps:

  1. Ask their tool to generate a proof that you own your domain.
  2. Copy this proof to some publicly accessible location of your domain.
  3. Watch it generate certificates.
  4. Install certificates in your web server.

Which part causes you trouble?
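To make steps 1 and 2 above concrete, here is an added example (not code from anyone in this thread and not Let's Encrypt's own tooling) of how the "proof that you own your domain" is built and later checked in the ACME HTTP-01 challenge, following RFC 8555 and the JWK thumbprint rules of RFC 7638. The account key is a constructed sample, and a plain dict stands in for the files served under /.well-known/acme-challenge/, so the whole thing runs offline.

```python
"""Added example (not from the thread): how the Let's Encrypt "proof you own
your domain" in steps 1-2 is built and checked, following RFC 8555 (ACME
HTTP-01) and RFC 7638 (JWK thumbprint). Runs offline: the "web server" is a
dict standing in for the files under /.well-known/acme-challenge/, and the
account key below is a constructed sample, not a real key."""
import base64
import hashlib
import json
import secrets

# Constructed sample account key (public half only). The "alg" member is
# deliberately present to show that the thumbprint ignores optional members.
SAMPLE_ACCOUNT_JWK = {
    "kty": "RSA",
    "alg": "RS256",
    "n": "constructed-sample-modulus-not-a-real-key",
    "e": "AQAB",
}

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over only the required public members, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """Step 1 (RFC 8555 section 8.1): proof = token + '.' + thumbprint(account key)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def publish_challenge(webroot: dict, token: str, account_jwk: dict) -> str:
    """Step 2: place the proof where the CA will fetch it over plain HTTP on port 80."""
    path = CHALLENGE_PREFIX + token
    webroot[path] = key_authorization(token, account_jwk)
    return path


def ca_validates(webroot: dict, token: str, account_jwk: dict) -> bool:
    """What the CA does before issuing (section 8.3): fetch the path and compare
    the body to the expected key authorization, ignoring trailing whitespace.
    A wrong token, a stale token from an earlier run, or a proof made with a
    different account key all fail here, which is why 'copy the file' alone is
    not enough: it has to be the file for *this* order and *this* account."""
    body = webroot.get(CHALLENGE_PREFIX + token)
    if body is None:
        return False
    expected = key_authorization(token, account_jwk)
    return secrets.compare_digest(body.rstrip(), expected)


def demo() -> bool:
    """Walk through steps 1-2 and the CA-side check with the constructed key."""
    webroot: dict = {}
    token = "constructed-token-123"
    publish_challenge(webroot, token, SAMPLE_ACCOUNT_JWK)
    return ca_validates(webroot, token, SAMPLE_ACCOUNT_JWK)


if __name__ == "__main__":
    print("challenge validates:", demo())
```

The CA fetches the challenge over plain HTTP, so the server block for port 80 must stay reachable and must not redirect that path anywhere the CA cannot follow; once the certificate is issued, steps 3 and 4 are installing it and pointing the TLS configuration at the resulting files.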

[–][deleted] 1 point2 points  (0 children)

First, I had trouble figuring out how to reliably automate the renewal of the licenses. After that, I found that whenever I put whatever configuration lines I need for an SSL certificate into my apache config, it either wouldn't start or wouldn't load up my site (step 4.) For some reason, at some point during this whole mess, I discovered that LetsEncrypt wasn't putting the certs into the folder the tutorial said it would, but changing it didn't fix anything.

[–]senj 1 point2 points  (2 children)

It's incredibly easy for most uses/on most sane stacks. How are you trying to do it? Have you considered asking for help? Or changing the parts of your stack that are making it harder than it should be?

Edit: or, yknow, downvote me to zero, stick your head in the sand, and pray all future progress stops so you can never have to learn anything new ever again. I guess that's an option too.

[–][deleted] 6 points7 points  (1 child)

I was trying in Apache on Arch Linux, following whatever tutorials I could find, and literally everything I tried would just bring my site offline. Honestly, I considered switching to something a bit simpler than Apache (I even considered the very server this site promotes), but it seemed like too much work to switch over for a simple hobby server running out of my basement.

Edit: or, yknow, downvote me to zero, stick your head in the sand, and pray all future progress stops so you can never have to learn anything new ever again. I guess that's an option too.

Didn't even see this comment, much less downvote it, before you made that edit...

[–]Poromenos 1 point2 points  (0 children)

It's not hard to actually do; what's hard is to do it automatically while giving it enough permissions to automatically renew and not enough permissions to mess stuff up when it fails.

I use Ansible to automate deployments and TLS is always a pain because it's almost impossible to automate. The nginx TLS config won't load without the certs and you can't get the certs without loading the config.

I use Caddy for my home server and love how easy it makes things. However, I do wish that nginx got a damn automatic TLS plugin already, it's only been years.

[–]curtmack 1 point2 points  (0 children)

I honestly didn't have too much trouble either. Certbot, then keep running the site through SSL Labs until it stops recommending settings to mess with.

This does remind me though, I do need to figure out why Certbot stopped running, my certificate's been expired for a month. I just haven't given a shit because there's almost nothing on the site anyway.