Posted on 2017-06-09
Chrome 58 now requires that the Common Name of a certificate also appear in its list of Subject Alternative Names. This follows RFC 2818, which deprecates matching the hostname against the commonName in favour of the subjectAltName extension. More information here: https://www.chromestatus.com/feature/4981025180483584
At work, I run my own CA, so I can sign my own certificates and use them wherever I need to. My main purpose is to avoid the annoying warning messages that browsers show for self-signed certificates. Of course, I have to import my CA certificate into my browser so that it trusts the certificates I sign myself.
I use the small bash script below to generate my certificates automatically, in a form that meets the Chrome 58 requirements:
```bash
#!/usr/bin/env bash
NAME=vtmtmp.docker

# OpenSSL request config: the CN is repeated as DNS.1 in the SAN list,
# which is what Chrome 58 checks.
cat <<EOF >${NAME}.cnf
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name

[req_distinguished_name]
C = FR
ST = Ile de France
L = Paris
O = MySelf
OU = Systems Engineering
CN = ${NAME}

[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = ${NAME}
EOF

# Private key and CSR (the subject is given with -subj, the extensions come from the config)
openssl genrsa -out ${NAME}.key 2048
openssl req -new -key ${NAME}.key -out ${NAME}.csr -nodes -sha256 -subj "/CN=${NAME}" -config ${NAME}.cnf

# Sign with my own CA (root.pem / ca.key), keeping the v3_req extensions from the config
openssl x509 -req -in ${NAME}.csr -CA root.pem -CAkey ca.key -CAcreateserial -out ${NAME}.crt -days 3650 -extensions v3_req -extfile ${NAME}.cnf

# HAProxy-style bundle: certificate followed by key
cat ${NAME}.crt ${NAME}.key > ${NAME}.pem
```
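As an added example (not the script above, and not part of the original post), here is a generalised version of the same idea: a function that builds the OpenSSL config for a Common Name plus any number of extra DNS names, always listing the CN as DNS.1 so the certificate cannot miss the Chrome 58 requirement, and a check that parses `openssl x509 -noout -text` output to confirm the CN really is covered by the SAN list before the bundle is handed to HAProxy. The CA files `root.pem` and `ca.key` are assumed to exist as in the post; the `SAMPLE_CERT_TEXT` excerpt is constructed for the demonstration and is not a real certificate.

```bash
#!/usr/bin/env bash
# Added example, not the blog's own script. Assumes a CA keypair root.pem / ca.key
# (as in the post) when issue() is called; make_cnf and cn_in_san need no OpenSSL.

# make_cnf CN [EXTRA_DNS...]  -> prints an OpenSSL request config to stdout.
# The CN is always DNS.1 in [alt_names]; extra names follow, duplicates of the CN skipped.
make_cnf() {
    local cn="$1"; shift
    cat <<EOF
[req]
prompt = no
req_extensions = v3_req
distinguished_name = req_distinguished_name

[req_distinguished_name]
C = FR
ST = Ile de France
L = Paris
O = MySelf
OU = Systems Engineering
CN = ${cn}

[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = ${cn}
EOF
    local i=2 name
    for name in "$@"; do
        [ "$name" = "$cn" ] && continue
        printf 'DNS.%d = %s\n' "$i" "$name"
        i=$((i + 1))
    done
}

# cn_in_san CERT_TEXT  -> returns 0 if the Subject CN is one of the DNS entries in the
# "X509v3 Subject Alternative Name" line of `openssl x509 -noout -text` output, else 1.
# Handles both the old "CN=x" and the newer "CN = x" spelling of the Subject line.
cn_in_san() {
    local text="$1" cn san
    cn=$(printf '%s\n' "$text" | sed -n 's/.*Subject:.*CN *= *\([^,]*\).*/\1/p' | head -n1)
    san=$(printf '%s\n' "$text" | sed -n '/X509v3 Subject Alternative Name/{n;p;}')
    [ -n "$cn" ] || return 1
    printf '%s\n' "$san" | tr ',' '\n' | sed 's/^ *DNS://' | grep -qxF "$cn"
}

# issue NAME [EXTRA_DNS...] -> key, CSR, CA-signed certificate, SAN check, HAProxy bundle.
issue() {
    local name="$1"
    make_cnf "$@" > "${name}.cnf"
    openssl genrsa -out "${name}.key" 2048
    openssl req -new -key "${name}.key" -out "${name}.csr" -sha256 -config "${name}.cnf"
    openssl x509 -req -in "${name}.csr" -CA root.pem -CAkey ca.key -CAcreateserial \
        -out "${name}.crt" -days 3650 -extensions v3_req -extfile "${name}.cnf"
    cn_in_san "$(openssl x509 -in "${name}.crt" -noout -text)" \
        || { echo "CN not covered by SAN: Chrome 58 will reject ${name}.crt" >&2; return 1; }
    cat "${name}.crt" "${name}.key" > "${name}.pem"
}

# Constructed excerpt of `openssl x509 -noout -text` output, used only for the demonstration.
SAMPLE_CERT_TEXT=$(cat <<'EOF'
Certificate:
    Data:
        Issuer: CN = My Root CA
        Subject: C = FR, O = MySelf, CN = vtmtmp.docker
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:vtmtmp.docker, DNS:www.vtmtmp.docker
EOF
)

# Stand-alone demonstration: print the config for the post's name plus one alias,
# then run the SAN check on the constructed sample.
make_cnf vtmtmp.docker www.vtmtmp.docker
cn_in_san "$SAMPLE_CERT_TEXT" && echo "sample certificate: CN is covered by the SAN list"
```

`issue` drops the `-subj` override used in the post and sets `prompt = no` instead, so the full distinguished name in `[req_distinguished_name]` actually ends up in the CSR; the SAN check runs on the signed certificate rather than the CSR because `-extensions v3_req -extfile` is what decides which extensions the CA copies in.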
Posted on 2016-12-28
Let's Encrypt (https://letsencrypt.org) is a free, automated and open Certificate Authority. It uses the ACME protocol (https://github.com/letsencrypt/acme-spec) to issue and renew certificates. Certificates issued by Let's Encrypt are valid for 90 days (3 months), which means they have to be renewed very often! That said, the renewal can be fully automated thanks to the ACME protocol.
HAProxy is an open source reverse proxy / load balancer and I use it everywhere on my personal websites. It can terminate SSL/TLS and is of course compatible with Let's Encrypt certificates. That said, it needs some help to get its certificates renewed, and I wrote my own script to do the following:
For the ACME protocol layer, I use acme.sh (https://github.com/Neilpang/acme.sh), a simple and minimalistic shell script, yet a very efficient one!
My scripts for an easy integration of HAProxy and Let's Encrypt are available here:
Posted on 2016-06-15
Hey there!!!
This is my first post on this blog/website. I'm happy everything seems to work smoothly! Later, in these pages, I'll explain what my setup looks like and how I'm managing my website using docker, git and bash.
Stay tuned!