Aaron Parecki
  • Day 80: Replaced my HTTPS Certificates #100DaysOfIndieWeb

    March 10, 2017

    Normally I wouldn't have let this kind of change qualify for my #100Days project, but I was blocked from using any of my indieweb tools, and I feel like there's a good lesson here.

    Chrome 57 launched today, and one of the changes in that release was dropping the StartCom root certificate. Lately I've been using Let's Encrypt for all my certificates, but I still had a few certificates from startssl.com, in particular some wildcard certificates. I had been using a wildcard certificate for all my p3k apps on *.p3k.io, as well as for my development certificate, which gives me a public URL with a real HTTPS certificate that routes the traffic back to my laptop.

    As soon as I updated Chrome today, I was suddenly unable to post to my website using Quill, Teacup, or any other apps!

    I logged in to startssl.com, where they had posted this notice in the dashboard:

    1. Mozilla and Google decided to distrust all StartCom root certificates as of the 21st of October; this situation will have an impact on the upcoming releases of Firefox and Chrome in January. Apple's decision, announced on Nov 30th, of distrusting all StartCom root certificates as of the 1st of December will have an impact on their upcoming security update.

    2. Any subscribers that paid the validation fee after Oct. 21st can get a full refund by request.

    3. StartCom will provide an interim solution soon and will replace all the issued certificates with an issuance date on or after Oct 21st if requested. Meanwhile StartCom is updating all systems and will generate new root CAs as requested by Mozilla to regain the trust of these browsers.

    So it looks like I have no path forward right now other than to use a certificate from a different CA, until StartCom gets their act together and gets re-approved by the browsers.

    So... thus began my day of re-issuing all my certificates for my p3k apps using Let's Encrypt.
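    Before re-issuing anything, it helps to know which hosts are actually still serving a StartCom-issued certificate. The script below is an added example, not the author's tooling: it connects to each host, verifies the chain against the local OpenSSL trust store, and then inspects the issuer's organizationName. The issuer check is the important part, because the local store may still trust StartCom even after Chrome 57 stopped doing so, so a handshake that verifies fine locally can still be a certificate that browsers reject. The hostnames and issuer fields in SAMPLE_CERTS, and sample_fetch, are constructed so the audit can be exercised offline.

```python
"""Audit which HTTPS hosts still present a certificate from a distrusted CA.

Added example, not code from the original post. Python 3.7+ (for
ssl.SSLCertVerificationError).
"""
import socket
import ssl

# Issuer organizations to treat as distrusted. "StartCom" comes from the post;
# matching is a case-insensitive substring match on organizationName.
DISTRUSTED_ISSUERS = ("StartCom",)


def issuer_field(cert, field="organizationName"):
    """Pull one attribute out of the issuer of a getpeercert() dict.

    getpeercert() stores the issuer as a tuple of RDNs, each of which is a
    tuple of (attribute, value) pairs, hence the double loop.
    """
    for rdn in cert.get("issuer", ()):
        for name, value in rdn:
            if name == field:
                return value
    return None


def is_distrusted(cert, distrusted=DISTRUSTED_ISSUERS):
    """True if the leaf certificate was issued by one of the distrusted CAs."""
    org = issuer_field(cert) or ""
    return any(d.lower() in org.lower() for d in distrusted)


def fetch_cert(host, port=443, timeout=10):
    """TLS-connect to host and return the verified peer certificate dict.

    create_default_context() verifies against the local trust store; if that
    store no longer contains the StartCom root the handshake raises
    ssl.SSLCertVerificationError, which audit() reports separately.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def audit(hosts, fetch=fetch_cert):
    """Map each host to (status, detail).

    status is "replace" (distrusted issuer), "ok", "verify-failed" (the local
    store already rejects the chain) or "unreachable".
    """
    results = {}
    for host in hosts:
        try:
            cert = fetch(host)
        except ssl.SSLCertVerificationError as exc:
            results[host] = ("verify-failed", str(exc))
            continue
        except OSError as exc:  # DNS failure, refused connection, timeout...
            results[host] = ("unreachable", str(exc))
            continue
        status = "replace" if is_distrusted(cert) else "ok"
        results[host] = (status, issuer_field(cert))
    return results


# Constructed sample data: hostnames and issuer values are illustrative only.
SAMPLE_CERTS = {
    "old.example.com": {
        "issuer": (
            (("countryName", "IL"),),
            (("organizationName", "StartCom Ltd."),),
            (("commonName", "StartCom Class 1 DV Server CA"),),
        )
    },
    "new.example.com": {
        "issuer": (
            (("countryName", "US"),),
            (("organizationName", "Let's Encrypt"),),
            (("commonName", "Let's Encrypt Authority X3"),),
        )
    },
}


def sample_fetch(host):
    """Constructed stand-in for fetch_cert so audit() can run offline."""
    if host == "untrusted.example.com":
        raise ssl.SSLCertVerificationError("certificate verify failed")
    if host not in SAMPLE_CERTS:
        raise OSError("connection refused")
    return SAMPLE_CERTS[host]


if __name__ == "__main__":
    import sys

    for host, (status, detail) in audit(sys.argv[1:]).items():
        print(f"{host}: {status} ({detail})")
```

    Run it with the hostnames of every virtual host you serve (for example `python3 cert_audit.py quill.example.com teacup.example.com`); anything reported as "replace" or "verify-failed" needs a new certificate before the next browser update reaches your users.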

    Thankfully, I had already created a pretty good workflow for quickly creating HTTPS certificates using Letsencrypt.

    The one thing I added to my nginx setup today was an include file that lets me quickly add, to any server block, the /.well-known/acme-challenge path that Let's Encrypt fetches for HTTP-01 verification. I added the text below to a file called "/usr/local/nginx/conf/letsencrypt_challenge":

    # Serve ACME challenge files from one shared web root, whatever the
    # host's own document root is. nginx appends the request URI to "root",
    # so a challenge file lives at /web/sites/letsencrypt/.well-known/acme-challenge/<token>.
    location /.well-known/acme-challenge {
      default_type "text/plain";
      root /web/sites/letsencrypt;
    }

    Now when I add the following line inside a server block, this web root will be used to serve the Letsencrypt challenges.

    include letsencrypt_challenge;

    This makes it super quick to set up new virtual hosts using Letsencrypt.
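    With the include in place, the cheapest way to avoid a failed issuance is to confirm that the challenge path really is routed to the shared web root before asking Let's Encrypt for anything. The script below is an added example, not the author's workflow: it drops a random probe file into /web/sites/letsencrypt/.well-known/acme-challenge/, fetches it over plain HTTP the way the ACME server's HTTP-01 validation would, and checks that the same bytes come back. WEBROOT is the directory from the nginx snippet above; local_fetcher is a stand-in fetch function, written here so the check can be exercised against a scratch directory without a running server.

```python
"""Pre-flight an nginx host's ACME HTTP-01 challenge path before requesting a
certificate. Added example, not code from the original post."""
import os
import secrets
import urllib.request

# Web root from the nginx include in the post; nginx appends the request URI to
# "root", so a token ends up at <WEBROOT>/.well-known/acme-challenge/<token>.
WEBROOT = "/web/sites/letsencrypt"
CHALLENGE_DIR = os.path.join(".well-known", "acme-challenge")


def challenge_url(domain, token):
    """HTTP-01 is fetched over plain HTTP on port 80 (redirects are followed)."""
    return f"http://{domain}/.well-known/acme-challenge/{token}"


def http_get(url, timeout=10):
    """Fetch a URL and return the body as text; follows redirects like ACME does."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def local_fetcher(webroot):
    """Stand-in for http_get that reads straight from a web root on disk.

    Models a correctly configured "root" directive so the check can run
    offline; a real run uses http_get against the live host.
    """
    def fetch(url):
        path = url.split("/", 3)[3]  # strip "http://host/"
        with open(os.path.join(webroot, path), encoding="utf-8") as f:
            return f.read()
    return fetch


def preflight(domain, webroot=WEBROOT, fetch=http_get):
    """Write a random probe file into the challenge directory, fetch it the way
    the ACME server would, and report whether the bytes came back unchanged.

    The probe is removed afterwards, even when the fetch fails, so nothing is
    left behind in the shared web root.
    """
    token = secrets.token_urlsafe(32)
    probe_dir = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(probe_dir, exist_ok=True)
    probe_path = os.path.join(probe_dir, token)
    with open(probe_path, "w", encoding="utf-8") as f:
        f.write(token)
    try:
        body = fetch(challenge_url(domain, token))
    except OSError:  # urllib's HTTPError/URLError are OSError subclasses
        body = None
    finally:
        os.remove(probe_path)
    return body == token


if __name__ == "__main__":
    import sys

    for domain in sys.argv[1:]:
        print(domain, "ok" if preflight(domain) else "FAILED")
```

    A failure usually means the request never reached the include: a `return 301 https://...` at server level is executed before nginx selects a location, so the probe gets redirected instead of served. Either move the redirect into a `location /` block or add the include to the HTTPS server block as well, since the validation follows the redirect.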

    After running through this process for 8-10 domain names, I have now restored all the p3k apps so they work with the latest version of Chrome!

    Portland, Oregon
    Fri, Mar 10, 2017 6:09pm -08:00 #100daysofindieweb #letsencrypt #https #startcom
