In my experience, it has become very easy to setup renewal. It has gotten
easier with every release.
Cary
On Mon, Jun 19, 2017 at 7:55 AM Kyle Breneman <[log in to unmask]>
wrote:
> Thanks for chiming in, Kyle. I think, in your second-to-last sentence, you
> were about to say "impossible." Is that right? Also is it difficult to
> setup automatic certificate renewal? For the record, I'm not trying to
> bypass any organizational processes here, just doing some legwork in hopes
> of handing campus IT a suggestion that will save them money.
>
> Kyle
>
> On Mon, Jun 19, 2017 at 9:51 AM, Kyle Banerjee <[log in to unmask]>
> wrote:
>
> > There are a few other catches. For example, you need to be able to run an
> > appropriate ACME client and set up automatic certificate renewal since
> the
> > maximum length you can get is 90 days. You also can't get wildcard
> > certificates which makes doing things like proxying by host name (e.g.
> > ezproxy). Your organization might also care if you bypass their process
> for
> > getting domain names.
> >
> > kyle
> >
> > On Mon, Jun 19, 2017 at 5:41 AM, Jonathan Rochkind <[log in to unmask]>
> > wrote:
> >
> > > Here's a thread about per-TLD rate limits being a problem for
> > universities;
> > > it seems per a post at the end of that thread that letsencrypt might
> > exempt
> > > your institution from ratelimits, but an official agent of the
> university
> > > needs to submit the request:
> > >
> > > https://community.letsencrypt.org/t/rate-limiting-at-an-
> > > educational-institution/5910/24
> > >
> > >
> > >
> > > On Mon, Jun 19, 2017 at 8:27 AM, Kyle Breneman <
> [log in to unmask]>
> > > wrote:
> > >
> > > > Thanks for that detailed and interesting reply, Jonathan.
> > > >
> > > > On Sun, Jun 18, 2017 at 12:35 PM, Jonathan Rochkind <
> [log in to unmask]
> > >
> > > > wrote:
> > > >
> > > > > Just to clarify, by "Commercial certificates offer stronger proof
> of
> > > > > identity", you mean an "Extended Validation" (EV) certificate.
> > > > > https://en.wikipedia.org/wiki/Extended_Validation_Certificate
> > > > >
> > > > > If you are getting a 'commercial certificate' that is a standard
> > > 'domain
> > > > > validated' cert instead of an EV cert, you are not getting any
> > stronger
> > > > > proof of identity than you would from letsencrypt.
> > > > >
> > > > > The cert used at https://www.ubalt.edu does NOT appear to be an EV
> > > cert,
> > > > > but an ordinary domain validated one. (Additionally, that
> particular
> > > web
> > > > > page serves http: images , triggering browser mixed content
> > warnings!).
> > > > >
> > > > > Same thing for the cert at https://langsdale.ubalt.edu/.
> > > > >
> > > > > Looking at another Maryland public university: https://umd.edu/
> > > appears
> > > > > similar. NOT an EV cert, and additionally serving http assets
> > > triggering
> > > > a
> > > > > mixed content warning.
> > > > >
> > > > > I'm actually having trouble finding an academic institution, or
> even
> > a
> > > > > standard ecommerce site, that DOES use an EV cert.
> > > > >
> > > > > You can tell it's an EV cert when chrome or Firefox put the name of
> > the
> > > > > organization in the location bar to the left of URL. Additionally,
> > in
> > > > > Firefox, if you click that name, then click the right-chevron 'more
> > > info'
> > > > > icon, then click "More information", under "Website Identity" it
> will
> > > > list
> > > > > an "Owner:" for an EV cert. For an ordinary domain-validated cert,
> it
> > > > will
> > > > > list "This website does not supply ownership information" instead.
> > > > >
> > > > > Here's an example of an EV cert, the cert on digicert.com, a
> seller
> > of
> > > > > certs:
> > > > >
> > > > > https://www.digicert.com/
> > > > >
> > > > > If your cert is not EV but is just "domain validated", then despite
> > it
> > > > > being "commercial" it supplies the same level of proof of identity
> > as a
> > > > > letsencrypt cert -- proof of control of the domain at the time the
> > cert
> > > > was
> > > > > issued, either way.
> > > > >
> > > > >
> > > > >
> > > > > On Sat, Jun 17, 2017 at 1:53 PM, Cary Gordon <[log in to unmask]
> >
> > > > wrote:
> > > > >
> > > > > > We are starting to roll out LetsEncrypt for all of our services
> and
> > > > > > clients who do not use or want commercial certificates.
> > > > > >
> > > > > > Note that LetsEncrypt offers only domain authentication, in most
> > > cases
> > > > > > specifically validated by your control of the server. Commercial
> > > > > > certificates offer stronger proof of identity.
> > > > > >
> > > > > > We recommend commercial certificates for any sites that conduct
> > > > financial
> > > > > > transactions or require HIPPA compliance.
> > > > > >
> > > > > > Thanks,
> > > > > >
> > > > > > Cary
> > > > > >
> > > > > > Cary Gordon
> > > > > > The Cherry Hill Company
> > > > > > http://chillco.com
> > > > > >
> > > > > >
> > > > > > > On Jun 16, 2017, at 12:34 PM, Kyle Breneman (via lita-l Mailing
> > > > List) <
> > > > > > [log in to unmask]> wrote:
> > > > > > >
> > > > > > > Apologies for cross-posting...
> > > > > > >
> > > > > > > Anyone out there working at a public institution that's using
> > Let's
> > > > > > Encrypt for security certificates? I just suggested to our
> campus
> > IT
> > > > > that
> > > > > > we switch to using Let's Encrypt. They told me it would need to
> > > clear
> > > > > > State of Maryland approval process first, and suggested that it
> > would
> > > > be
> > > > > > helpful to be able to point to other public institutions that are
> > > using
> > > > > it.
> > > > > > >
> > > > > > > Regards,
> > > > > > > Kyle Breneman
> > > > > > > Integrated Digital Services Librarian
> > > > > > > University of Baltimore
> > > > > > >
> > > > > > > To maximize your use of LITA-L or to unsubscribe, see
> > > > > > http://www.ala.org/lita/involve/email
> > > > > >
> > > > >
> > > >
> > >
> >
>
--
Cary Gordon
The Cherry Hill Company
http://chillco.com
|