Trust not ye dodgy CAs

Because I don’t follow security advisories religiously, & check my site certs only when I think I need to (i.e. a little time before they expire), I missed the near unanimous decision to distrust StartCom as a Certificate Authority. Instead, I found out by attempting to show a friend my evolution simulator. My recently updated Android Firefox browser showed me a certificate warning despite the fact that my cert should have been good until 2020. Aiiee! Since I was at the 2017 Bosch Hackathon, I was a little busy to do anything about it until later. What a keen site maintainer I am (not).

Referring to my earlier experiences on this topic, I see that Eric Mill is a much better man than I, and has already been advising people against using StartCom certs since last year.

I chose to use Let’s Encrypt to generate my new certs. My hosting provider, 34sp.com, provides integrated Let’s Encrypt support, but this would not cover all the subdomains I wanted out of the box. I also do not have direct ssh access to my box, opting for a cheaper shared server. Instead, I installed certbot,

and used it to request a cert including all my subdomains.

Because certbot needs to verify my ownership of each subdomain, & some subdomains I wanted a cert for don’t have a server behind them, I used DNS TXT entries.

DNS TXT entries don’t update immediately, so I used MXToolBox’s outstanding DNS text lookup tool. This meant I could tell certbot to verify my DNS TXT for a given domain only after that value had been successfully published.

After using this for a while, I found whatsmydns.net more useful, as it makes multiple queries, & you can view how your DNS update is propagating.

In the future, I should be able to renew this cert by simply running:

All that was left was a simple matter of uploading the cert using the site management tools & I’m your uncle, or something. Please don’t call me Bob.


Addendum

This part is likely only of interest to me.

The DNS TXT entries confuse subnet resolution. Prefixing them prevents this confusion, but I’m sure there must be a better way to do this. I’ll have to remember to remove the prefix the next time I want to update my cert.

A better way to do this

As I mentioned, there has to be a better way to do this. My DNS records contains an asterisk (*) term for the base hostname. Adding an explicit subdomain name, like _acme-challenge.blog, means that the “blog” part of that subdomain becomes explicit. There’s no explicit definition of the address of blog, so the DNS behaviour is to return unresolved. I solved this by explicitly pointing blog to my server address. This at least means that I don’t have to do anything silly, like breaking my  DNS for every subdomain next time I want to renew my cert.

A better better way to do this

Instead of adding an address resolution record, I can add a canonical name record (CNAME) for blog, resolving to the root domain, which can then be resolved to the server address.

This is better because it’s easier for me or others to update the server address then. Hooray. Probably anyone who knew anything about DNS could have figured this out way quicker than I have. Hey-ho. It works.

Eric Mill’s Switch to HTTPS Now, For Free is excellent

I just read this little gem by Eric Mill, and decided to give it a try. Despite a CA problem with the latest version of Firefox, this went surprisingly well.

https://konklone.com/post/switch-to-https-now-for-free

I was slightly disappointed that WordPress uses absolute addresses to it’s resources with an HTTP class. Should it not use relative paths for locally hosted content like images, and let user agents sort out whether or not to use SSL? I think so.

Probably there’s something to configure. When it annoys me enough, I’ll blog about it.

Whoop, and there it is. That was easy to at least get WordPress to use HTTPS.