
Category: IT related

New SSL certificates by Let’s Encrypt


Between yesterday and today I changed the SSL certificate used on the websites of lonestar.it and unixportal.net, and for the SMTP / IMAP mail services of mail.lonestar.it.

Up to now I used a wildcard certificate, regularly purchased on StartSSL. It was a cost-effective service to get a 2-year wildcard certificate. The convenience is that the certificate was valid for *.lonestar.it, and therefore usable in any network service.

But the StartSSL Certification Authority has been deprecated by major browsers because of some irregularities committed after acquisition by a Chinese company.

As a result, as of recent versions of Firefox and Chrome, certificates issued by this authority are no longer accepted as valid (green color next to the URL bar), but are shown as unrecognized (red color next to the URL bar).

So I’ve decided to start using the free service of Let’s Encrypt, which has been very successful lately thanks to the new philosophy of free release of certificates to anyone, for a short time (90 days maximum), so as to encourage adoption of the HTTPS and TLS protocols by everyone.

The short duration of certificates implies the transition to an automatic renewal and replacement mechanism, compared to the previous habit of obtaining a certificate valid for a few years and then installing it manually on the various servers involved.

Let’s Encrypt offers an official Python-based client to perform these automated tasks on the most popular distributions and common services. But since I use Slackware as my distribution and s/qmail as my mail service, I preferred to use the Dehydrated script, which is based on bash and curl.

So I’ve set up some scripts that request certificates, no longer wildcard but individual for each service, and install them where necessary.
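A hook of the kind such a setup needs, as an added example (not the author's own scripts): dehydrated calls its hook with `deploy_cert DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP` after each issuance or renewal. `DEPLOY_DIR`, the combined key-plus-chain file layout and the omitted reload step are assumptions.

```shell
#!/bin/sh
# dehydrated hook (added example). dehydrated invokes the hook as
#   hook deploy_cert DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP
# DEPLOY_DIR and the one-file-per-service layout are assumptions.

DEPLOY_DIR="${DEPLOY_DIR:-/etc/ssl/deployed}"

# Succeeds only if file $1 contains a PEM block whose type ends in $2.
has_pem() { grep -q -- "-----BEGIN .*$2-----" "$1" 2>/dev/null; }

# Runs in a subshell, so "exit" only ends this handler.
deploy_cert() (
    domain=$1 keyfile=$2 fullchain=$4

    # Refuse to install anything that is not a key followed by a chain;
    # this catches swapped arguments and empty or truncated files.
    has_pem "$keyfile" "PRIVATE KEY" || { echo "bad key for $domain" >&2; exit 1; }
    has_pem "$fullchain" "CERTIFICATE" || { echo "bad chain for $domain" >&2; exit 1; }

    umask 077                      # the combined file contains the private key
    mkdir -p "$DEPLOY_DIR" || exit 1
    tmp=$(mktemp "$DEPLOY_DIR/.$domain.XXXXXX") || exit 1
    cat "$keyfile" "$fullchain" > "$tmp" || { rm -f "$tmp"; exit 1; }

    # Renaming within one directory is atomic, so a daemon restarting
    # mid-renewal never reads a half-written certificate file.
    mv -f "$tmp" "$DEPLOY_DIR/$domain.pem" || { rm -f "$tmp"; exit 1; }

    # The reload of the web or mail daemon would go here; the command
    # depends on the service and is left out.
)

# dehydrated calls the hook for other events too; handle only deploy_cert.
case "${1:-}" in
    deploy_cert) shift; deploy_cert "$@" ;;
esac
```
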

All seems to be working 🙂

Good shopping


Here is my original copy of the Slackware Linux 13.1 DVD!

As I’ve said before, nowadays buying the original disks of a Linux distribution is definitively not necessary, since we all can freely download ISO files and burn them on any CD or DVD.

Buying the original media is mainly a demonstration of support, interest in the project, and a means to send practical help to the developers’ team. That’s why I encourage those reading me who are Slackware users to buy, at least once in a while, the original disks of their favourite operating system through the official online store. Well, other distributions’ users can also buy their related disks, but I don’t care for other distributions. 😉

CC BY-NC-SA 4.0.