Thank you for contacting me via email, I apologise for the delay. I'll update the nud client today.
Block explorer has been updated to version 5.2 and fully synched.
@backpacker Certificate expired:
nuexplorer.ddns.net uses an invalid security certificate. The certificate expired on 04/10/17 18:17. The current time is 06/10/17 10:41.
Tip for the future: you have to reload nginx for the renewed certificate to load.
They’ve really improved the procedure for certificates! Thought I’d give a short example, but it’s always annoying to find incomplete instructions, so.
Let’s Encrypt with Nginx on Ubuntu 16.04
Install Nginx
apt install -y nginx
Install Certbot
apt-add-repository -y ppa:certbot/certbot
apt update
apt install -y python-certbot-nginx
Configure Nginx
openssl dhparam -out /etc/nginx/dhparam.pem 4096
rm /etc/nginx/sites-enabled/default
Add the following to /etc/nginx/conf.d/chat.nubits.com.conf
server {
    server_name chat.nubits.com;
    listen 80;
    listen [::]:80;
}

server {
    server_name chat.nubits.com;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    ssl_dhparam /etc/nginx/dhparam.pem;
    ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
    ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off; # Requires nginx >= 1.5.9
    ssl_stapling on; # Requires nginx >= 1.3.7
    ssl_stapling_verify on; # Requires nginx >= 1.3.7

    #add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    add_header X-Content-Type-Options nosniff;
    #add_header X-Frame-Options DENY;

    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
}
Check Nginx configuration
nginx -t
Start Nginx
systemctl enable nginx
systemctl start nginx
Acquire TLS certificate
certbot -n --nginx --agree-tos --no-eff-email --rsa-key-size 4096 --redirect --email team@nubits.com -d chat.nubits.com
Enable automatic renewal
crontab -e
Enter the following at the bottom.
15 3 * * * /usr/bin/certbot renew --quiet
@backpacker: Thank you for the service you provide. Can you remind us how long your contract is for?
That assumes you are comfortable using Let's Encrypt certificates.
Which reasons are there to prefer another certificate authority?
http://erik.io/blog/2014/02/03/why-your-ca-rarely-matters/
Browsers on a website with extended validation should display the company providing the verified trust, instead of a string that the CA decides (Subject Organization name).
There's HPKP in our defence, which enables specifying the only CAs to be trusted for that domain. To be precise, the public key of any certificate.
- https://scotthelme.co.uk/guidance-on-setting-up-hpkp/
- https://community.letsencrypt.org/t/hpkp-best-practices-if-you-choose-to-implement/4625
- https://blog.qualys.com/ssllabs/2016/09/06/is-http-public-key-pinning-dead
- https://datatracker.ietf.org/doc/draft-sheffer-tls-pinning-ticket/
I want to implement HPKP, but obviously it shouldn’t be rushed.
I just noted it as it was not obvious in your post. I don't care what people use. The only reason would be to have extended verification, which I believe Let's Encrypt doesn't offer. And whether you want to support Let's Encrypt or another company.
Current contract runs out on 5th of June 2018.
I am using certbot renew, but it turns out you have to reload nginx after running it, so I suggest adding that to crontab also.
Even when using the Nginx plugin? Good to have in mind.
certbot […] --deploy-hook "systemctl reload nginx"
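The failure this thread ran into (certbot renewed the certificate on disk, but nginx kept serving the old one until it was reloaded) is easy to detect from the outside. The following check is an added example, not code from the thread or from certbot: it compares the SHA-256 fingerprint of the leaf certificate nginx actually presents on port 443 with the leaf in the bundle certbot wrote (by default /etc/letsencrypt/live/<domain>/fullchain.pem), and then does a verifying handshake, as the complaining browser did, to report the remaining lifetime. The script name check_cert.py and the seven-day warning threshold are assumptions; notAfter is compared in UTC.

```python
#!/usr/bin/env python3
"""Detect a certificate that certbot renewed on disk but nginx still serves."""
import hashlib
import socket
import ssl
import sys
import time

PEM_BEGIN, PEM_END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

def first_pem_block(bundle: str) -> str:
    """fullchain.pem holds the leaf followed by the intermediate(s); keep the leaf."""
    start = bundle.index(PEM_BEGIN)
    end = bundle.index(PEM_END, start) + len(PEM_END)
    return bundle[start:end] + "\n"

def fingerprint_pem(pem: str) -> str:
    """SHA-256 fingerprint (lowercase hex) of the leaf certificate in `pem`."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(first_pem_block(pem))).hexdigest()

def days_left(not_after: str, now: float) -> float:
    """Days from `now` (epoch seconds) until an OpenSSL-style notAfter value
    such as 'Oct  4 18:17:00 2017 GMT'; negative once it has expired."""
    return (ssl.cert_time_to_seconds(not_after) - now) / 86400.0

def findings(host: str, disk_bundle: str, port: int = 443) -> list:
    """Compare what nginx serves with the bundle on disk; empty list means OK."""
    problems = []
    # No verification here: we want the fingerprint even of an expired certificate.
    served = ssl.get_server_certificate((host, port))
    if fingerprint_pem(served) != fingerprint_pem(disk_bundle):
        problems.append("served certificate differs from disk: nginx not reloaded?")
    # A verifying handshake is what the browser in the thread did when it complained.
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            ctx = ssl.create_default_context()
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                remaining = days_left(tls.getpeercert()["notAfter"], time.time())
        if remaining < 7:  # assumed warning threshold
            problems.append(f"served certificate expires in {remaining:.1f} days")
    except ssl.SSLCertVerificationError as exc:
        problems.append(f"served certificate rejected: {exc.verify_message}")
    return problems

if __name__ == "__main__":  # hypothetical CLI: check_cert.py HOST /path/to/fullchain.pem
    with open(sys.argv[2]) as f:
        issues = findings(sys.argv[1], f.read())
    print("\n".join(issues) or "OK: nginx serves the certificate that is on disk")
    sys.exit(1 if issues else 0)
```

Run it from cron a few minutes after the certbot renew job; a non-zero exit is your signal that the --deploy-hook reload did not happen.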