[SOLVED] Moving from WoSign TLS to Let's Encrypt TLS
#1
Dear members of FreeVPS Directory & Discussion,

Looking back over the recent problems with WoSign / StartSSL in the past months the time has come to change to another CA that provides free TLS certificates in order to maintain encrypted and trusted communication between us (as in our server / site), you (our valued members) and your transfered data / information.

We value the security of you and your data / information and respect your privacy. So it is very important for us to have a working TLS system to ensure everything is working as it should be and that it is secure. Hence why we decided to take steps forward and replace the current still working WoSign TLS certificates with new certificates from the Let's Encrypt CA. As StartSSL is owned by WoSign it is not an option for us!


Our administration team will perform a reconfiguration of the web server setup and generation plus installation of the newly created Let's Encrypt TLS certificates. Below you can find information about when it is going to happen, how long it will take and what you have to expect during this maintenance.

Quote:Date: Today (29th October 2016)
Time: 10 PM (GMT +2)
Length: 15 minutes to max. 30 minutes

Small downtimes that are necessary to apply new configurations are to be expected. They might appear multiple times during the maintenance if we find anything that needs to be improved or fixed.


We hope for a very swift and smooth maintenance. We do not expect any bigger issues as we will be testing the new setup before pushing it live in this maintenance today.

Thank you very much for your understanding and we apologize in advance for any kind of inconvenience that this maintenance may / can cause.


Yours faithfully

Administration & Staff
FreeVPS Directory & Discussion
#2
Good! I was wondering when this was going to happen...

I agree with your estimate , It takes around 5-30 mins to configure nginx w/ autorenews.

Still stuff can go wrong so, Good Luck!
[Image: img.php?userid=19870&txt=1]
Thanks to FREEVPS.us and HostUS for VPS 16
Thanks to @NoUptime for the lovely VPS
#3
@Hidden Refuge

Didn't you guys previously use a RapidSSL certificate? Why did you switch from that to WoSign?
-karatekidmonkey (https://codeco.pw)
Thanks to ZXPlay and FuzzyHosts for my VPSes!
[Image: img.php?v2=1&userid=17742&txt=1]



#4
@karatekidmonkey

The previous RapidSSL certificate has been purchased by @dmmcintyre3. As you maybe have noticed @dmmcintyre3 is very inactive because he is busy with a lot of things in RL. He is working in the background on FreeVPS Directory & Discussion by paying for hosting, domain and such. Due to his inactivity and him being always busy we did not want to run out of a certificate and have the site down for days or even weeks because we cannot reach @dmmcintyre3.

So we decided to go for a free multi domain (we've to cover some domains that were used previously and are now pointing to the forum) CA and get a certificate there. We have had very positive experience with WoSign at that time (multiple staff members including me are/were using it - e.g. @Optimus or @Scáth). Hence why we went and got a WoSign certificate instead of StartSSL or LE at that point of time. This also helped us to keep the cost down that is necessary to maintain this site and all other services that are part of it.

Now with all the trouble that WoSign started by buying StartSSL and keeping a secret plus the mess they created by cheating and allowing people to obtain certificates for domains that they don't own we decided to switch to LE. I have been working with LE the whole last and this week. It has been very easy to setup actually and works very well - to my own surprise (they improved a lot actually - so the client has become very usable). Even auto renewal works as it should work.

Currently Let's Encrypt is pretty much the only real working free CA for multi domain certificates. There is the one offer where someone offers AlphaSSL certificates but these are actually only to be used with services from a specific data center. So what they do is actually illegal/abuse. We would not use such certificate as it could be revoked anytime by the CA like it has already happened to thousands of certificates (https://www.lowendtalk.com/discussion/62...es-revoked).
#5
@Hidden Refuge

Thank you very much for the detailed clarification Smile

WoSign has really been screwed up now, Gentoo has even removed the StartSSL/WoSign roots from the OS entirely - at least one user on FreeVPS uses Gentoo I bet.

I also know of the free AlphaSSL thing (@Fidde on LET) from SingleHop, they are fraud and I only use it on this one testing site I have (which doesn't even work..haha).

Again, thanks for the clarification Smile
-karatekidmonkey (https://codeco.pw)
Thanks to ZXPlay and FuzzyHosts for my VPSes!
[Image: img.php?v2=1&userid=17742&txt=1]



#6
We've successfully acquired a new TLS certificate through the Let's Encrypt client Certbot, installed it into our nginx setup and successfully applied the new configuration. In addition we've set up a daily cronjob to run the Certbot auto-renewal procedure and check the status of our certificate to renew it if necessary and as soon as necessary.

During the whole process we experienced no issues. There was even no visible downtime. Everything went swift and smooth as we expected.

Qualys SSL Labs normal report: https://www.ssllabs.com/ssltest/analyze....freevps.us
Qualys SSL Labs developer report: https://dev.ssllabs.com/ssltest/analyze....freevps.us


If you should experience any kind of issue please open a topic about them in the following forum.

"Suggestions & Feedback" forum for suggestions, feedback, questions and reports of errors/mistakes/issues: https://freevps.us/forum-12.html




Users browsing this thread: 1 Guest(s)

Switch to mobile version

Sponsors: FuzzyHosts - Ftpit - ZXPlay - GalaxyHostPlus - Verelox- HostUS - HostMada - Host4Fun - Evolution-Host - NodeBlade - HostDare


BitCoin donations: 1DQxbstaTb5SWk6QC2gFeQUTFR64JX4cEo