Security

The latest News and Information on CyberSecurity for Applications, Services and Infrastructure, and related technologies.

My Let’s Encrypt mistake

SSLping was born as a side project. It’s useful to people, which is cool, but today it was also helpful to me! I use it to monitor my HTTPS websites. This morning, my own SSLping project sent me an email about how my website https://hire.chris-hartwig.com is about to expire (in 10 days): it’s using Let’s Encrypt, and it’s been 80 days since I installed the cert.

What after I install Let’s Encrypt?

TL;DR: you’re never done with Let’s Encrypt. Once your servers are secure, you must ensure they stay that way. Let’s Encrypt is a no-brainer: this initiative benefits us all, with free domain-validated certificates. It’s easy to set up and free. There’s probably automatic installation for your web server of choice, the community behind it can help, and tutorials are everywhere. Then you head to https://.com and you’re done… not.

How’s your SSL security doing?

It was on your to-do list: install the SSL certificate. So you’ve set up your SSL certificate on the web server. It’s quite trendy to use SSL. Google will give you a modest ranking bump, some users will feel safer, all is good. You have even tested your configuration with Qualys and got an A+. Good job: most got a C, even banks. Now what? What will happen when your cert is about to expire? Your CA will send an email to renew your cert. But maybe someone in the accounting dept will get that email.