{"id":1166,"date":"2016-02-05T05:18:56","date_gmt":"2016-02-05T05:18:56","guid":{"rendered":"https:\/\/trouble.org\/?p=1166"},"modified":"2016-03-20T05:26:32","modified_gmt":"2016-03-20T05:26:32","slug":"1166","status":"publish","type":"post","link":"https:\/\/trouble.org\/?p=1166","title":{"rendered":""},"content":{"rendered":"<p class=\"p1\"><span class=\"s1\">The free certs from\u00a0<a href=\"https:\/\/letsencrypt.org\/\"><span class=\"s2\">https:\/\/letsencrypt.org\/<\/span><\/a>\u00a0do indeed work as described. I wanted to check them out for some public facing services I wanted to run.<\/span><\/p>\n<p class=\"p1\"><span class=\"s1\">To get the certificate you run a program on a host that DNS resolves to the cert you want to get &#8211; so if \u201cfoo.example.com\u201d resolves to 10.6.6.6, you need to install the cert generation program on 10.6.6.6, and have either 80 or 443 free (I didn\u2019t look too much into this, but I think that\u2019s correct.)<\/span><\/p>\n<p class=\"p1\"><span class=\"s1\">I had to briefly open the firewalls on those ports because I was testing the certs\u00a0out on services that don\u2019t run on 443, but some other fairly random port.<\/span><\/p>\n<p class=\"p1\"><span class=\"s1\">Obviously this cries out for automation (ansible\/chef\/puppet or whatnot), but it\u2019s also interesting to think about what would happen if you\u2019re compromised, since attackers can generate valid certs for your domain.<\/span><\/p>\n<p class=\"p1\"><span class=\"s1\">Some interesting attacks can\/will come out of this.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The free certs from\u00a0https:\/\/letsencrypt.org\/\u00a0do indeed work as described. I wanted to check them out for some public facing services I wanted to run. To get the certificate you run a program on a host that DNS resolves to the cert you want to get &#8211; so if \u201cfoo.example.com\u201d resolves to 10.6.6.6, you need to install [&hellip;]<\/p>\n","protected":false},"author":44,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[260,4,6,87],"tags":[342,345,168],"class_list":["post-1166","post","type-post","status-publish","format-standard","hentry","category-crypto","category-security","category-tech","category-web","tag-crypto","tag-free-certs-with-retsin","tag-hax"],"_links":{"self":[{"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/posts\/1166","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/users\/44"}],"replies":[{"embeddable":true,"href":"https:\/\/trouble.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1166"}],"version-history":[{"count":2,"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/posts\/1166\/revisions"}],"predecessor-version":[{"id":1169,"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/posts\/1166\/revisions\/1169"}],"wp:attachment":[{"href":"https:\/\/trouble.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1166"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/trouble.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1166"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/trouble.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1166"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}