Feb 052016

The free certs from https://letsencrypt.org/ do indeed work as described. I wanted to check them out for some public facing services I wanted to run.

To get the certificate you run a program on a host that DNS resolves to the cert you want to get – so if “foo.example.com” resolves to, you need to install the cert generation program on, and have either 80 or 443 free (I didn’t look too much into this, but I think that’s correct.)

I had to briefly open the firewalls on those ports because I was testing the certs out on services that don’t run on 443, but some other fairly random port.

Obviously this cries out for automation (ansible/chef/puppet or whatnot), but it’s also interesting to think about what would happen if you’re compromised, since attackers can generate valid certs for your domain.

Some interesting attacks can/will come out of this.

Sorry, the comment form is closed at this time.