Bedis9 website

Chrome 58 and SAN certificates requirements

Posted on 2017-06-09

Chrome 58 now requires that the Common Name of a certificate also appear in its list of Subject Alternative Names. This follows RFC 2818, which changes the way the commonName in a certificate is matched against the host name (matching on the CN is deprecated once a subjectAltName is present). More information here: https://www.chromestatus.com/feature/4981025180483584

At work, I run my own CA, so I can sign my own certificates and use them wherever I need to. My main purpose is to avoid those boring warning messages related to self-signed certificates. Of course, I have to import my CA certificate into my browser (so it can trust me despite the certificates being self-signed).

I use the small bash script below to generate my certificates automatically, in a form compatible with the Chrome 58 requirements:

#!/bin/bash
# Generate a key, a CSR and a CA-signed certificate whose CN is also listed
# as a SAN entry, so that Chrome 58+ accepts it.
# Assumes the CA certificate (root.pem) and CA private key (ca.key) are in
# the current directory.
set -e
NAME=vtmtmp.docker

# OpenSSL config: the v3_req section carries the subjectAltName extension,
# and [alt_names] repeats the CN as DNS.1.
cat <<EOF >${NAME}.cnf
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name

[req_distinguished_name]
C = FR
ST = Ile de France
L = Paris
O = MySelf
OU = Systems Engineering
CN = ${NAME}

[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = ${NAME}
EOF

# 2048-bit RSA private key for the server
openssl genrsa -out ${NAME}.key 2048
# CSR: -subj sets the subject non-interactively (it replaces the
# [req_distinguished_name] fields), -config pulls in the v3_req extensions
openssl req -new -key ${NAME}.key -out ${NAME}.csr -nodes -sha256 -subj "/CN=${NAME}" -config ${NAME}.cnf
# Sign with the private CA; -extensions/-extfile copy subjectAltName into the
# final certificate (extensions in the CSR are not carried over by x509 -req)
openssl x509 -req -in ${NAME}.csr -CA root.pem -CAkey ca.key -CAcreateserial -out ${NAME}.crt -days 3650 -extensions v3_req -extfile ${NAME}.cnf
# HAProxy-style bundle: certificate followed by the private key
cat ${NAME}.crt ${NAME}.key > ${NAME}.pem

Letsencrypt for HAProxy

Posted on 2016-12-28

Let's Encrypt (https://letsencrypt.org) is a free, automated and open Certificate Authority. It uses the ACME protocol (https://github.com/letsencrypt/acme-spec) to issue / renew certificates. Certificates provided by Let's Encrypt are valid for 90 days (3 months), which means we have to renew them very often! That said, this renewal can be fully automated thanks to the ACME protocol.

HAProxy is an open source Reverse-Proxy/Load-Balancer and I use it everywhere on my personal websites. It can terminate SSL/TLS and of course is compatible with Let's Encrypt certificates. That said, it needs some help to get its certificates renewed, and I wrote my own script to do the following:

  • issue / renew certificates from Let's Encrypt
  • fetch OCSP responses for my certificates from Let's Encrypt and load them into HAProxy at run time (OCSP stapling)

For the ACME protocol layer, I use acme.sh (https://github.com/Neilpang/acme.sh), a simple and minimalistic shell script, yet very efficient!

My scripts for an easy integration of HAProxy and Let's Encrypt are available here:

Welcome!!!!

Posted on 2016-06-15

Hey there!!!

This is my first post on this blog/website. I'm happy everything seems to work smoothly! Later, in those pages, I'll explain what my setup looks like and how I'm managing my website using docker, git and bash.

Stay tuned!

Title of the blog post

Posted on 2016-06-13

Content of the blog post !!!