28
Comments
  • 29
    Always gives me certificates. Is gud
  • 10
    Using them for unimportant projects. No problems so far. The only annoying thing is to renew every 3 months.
  • 18
    @arazzz You can use certbot to automatically renew them ;)
  • 17
    Use it.
    It’s legitimate and simple to set up.

    If you're taking payments use something else, as customers will expect paid certs behind you, for everything else, there’s LE.

    Also, put an index file on your website before someone starts sniffing around all those folders.
  • 5
    @C0D4 did you mean my website (https://kyran-gostelow.me/)?

    I just checked and saw that it is going to file view! I don't really care if people see my files but I had no idea it was like that.. I don't know what happened because last time I checked it was working fine :/

    Fixed now... weird.

    Maybe last time I was fucking around with my .htaccess I forgot to check that I didn't screw anything?

    Thanks for the heads up.
  • 3
    @C0D4 even better, use .htaccess to disable directory browsing, and also disable .htaccess viewing:

    # disable directory view
    Options All -Indexes

    # prevent viewing of .htaccess file
    <Files .htaccess>
    order allow,deny
    deny from all
    </Files>
  • 5
    @Fast-Nop I’m well aware of this,

    but index.php - based on the home.php file I spotted - would be a simple task compared to Apache config / htaccess if @qwerty77asdf isn’t familiar with it.

    And yes @qwerty77asdf I was referring to your website, hi fellow Melbourner
  • 3
    @C0D4 the home.php file is outdated, I used to use it for google sitemapping. I use directoryindex to point to my real homepage, /bio/index.php.

    Haha hey fellow Melbournian.
  • 3
    Used it for my mailers earlier, didn't go very well since I'm already running Roundcube on port 443 that's hidden behind a VPN (just like most other services on those servers). Let's Encrypt was pretty much unusable for me there and it left a bit of a bad taste that I was forced to bind it to certain ports instead of being able to open a TLS socket for it wherever I want. So I ended up going self-signed.

    For websites it'd probably be much easier though, there you can just place it within the web server and have it use port 443 no problem. And it'd just work ¯\_(ツ)_/¯ and I mean, it's free right? For anything that isn't sensitive and where LE fits the purpose, yeah I'd use it.
  • 1
    since https is a must have these days, having a reliable way to get a certificate for free (excluding self-signing) is absolutely awesome. yes, paid services might be better, but that's always the case with free services. and considering that it's free, LE has very few drawbacks, especially concerning security.
  • 1
    Awesome if you can expose 80/443 publicly. Shitty if you want to host something from home from behind a closed router. (Owncloud in my case)
  • 1
    @AlexDeLarge vinegar ones are OK, but I hate mayonnaise...

    😉
  • 0
    @AlexDeLarge wanted to see how people felt about the service as I am grateful for it and like it. Wanted to see if anyone had negative feelings and why.
  • 2
    @JAY505 what protection do you find missing with Let's Encrypt?
  • 4
    @qwerty77asdf Can't tell you details as I'm not devops, but we're using let's encrypt on a site with nearly a million paying customers.

    The biggest question is not whether you should use them. The question is whether browsers should trust LE domain certs — some argue that because it's free, there's more abuse. However, Symantec EV cert exploration taught us that the expensive paid option is not perfect either.
  • 0
    Excellent service, but can be a pain if you're looking for wildcard certs, as the docs are not the best since this functionality is new this year. Have to manually renew certs also for wildcards at the mo.

    More than happy to do that rather than pay GoDaddy GBP 240 though.
  • 2
    @bittersweet Ugh exploration? exploitation! I'm so sick of swipey keyboards + autocorrect... I want my qwerty phone back :(