Block explorer at nuexplorer.ddns.net (superseded by explorer.nubits.com)


#81

Thank you for contacting me via email, I apologise for the delay. I’ll update the nud client today.


#82

Block explorer has been updated to version 5.2 and fully synced.


#83

@backpacker Certificate expired:

nuexplorer.ddns.net uses an invalid security certificate. The certificate expired on 04/10/17 18:17. The current time is 06/10/17 10:41.


#84

Tip for the future: you have to reload nginx for the renewed certificate to load.


#85

They’ve really improved the procedure for certificates! Thought I’d give a short example, but it’s always annoying to find incomplete instructions, so.

Let’s Encrypt with Nginx on Ubuntu 16.04

Install Nginx

apt install -y nginx

Install Certbot

apt-add-repository -y ppa:certbot/certbot
apt update
apt install -y python-certbot-nginx

Configure Nginx

openssl dhparam -out /etc/nginx/dhparam.pem 4096
rm /etc/nginx/sites-enabled/default

Add the following to /etc/nginx/conf.d/chat.nubits.com.conf

server {
    server_name  chat.nubits.com;
    listen  80;
    listen  [::]:80;
}
server {
    server_name  chat.nubits.com;
    listen       443 ssl http2;
    listen       [::]:443 ssl http2;

    ssl_dhparam  /etc/nginx/dhparam.pem;

    ssl_ciphers     EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
    ssl_ecdh_curve  secp384r1; # Requires nginx >= 1.1.0
    ssl_protocols   TLSv1.2;

    ssl_prefer_server_ciphers  on;
    ssl_session_cache          shared:SSL:10m;
    ssl_session_tickets        off; # Requires nginx >= 1.5.9
    ssl_stapling               on; # Requires nginx >= 1.3.7
    ssl_stapling_verify        on; # Requires nginx >= 1.3.7

    #add_header  Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    add_header  X-Content-Type-Options nosniff;
    #add_header  X-Frame-Options DENY;

    resolver          8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout  5s;
}

Check Nginx configuration

nginx -t

Start Nginx

systemctl enable nginx
systemctl start nginx

Acquire TLS certificate

certbot -n --nginx --agree-tos --no-eff-email --rsa-key-size 4096 --redirect --email team@nubits.com -d chat.nubits.com

Enable automatic renewal

crontab -e

Enter the following at the bottom.

15 3 * * * /usr/bin/certbot renew --quiet

#86

@backpacker: Thank you for the service you provide. Can you remind us how long your contract is for?


#87

That assumes you are comfortable using Let’s Encrypt certificates.


#88

Which reasons are there to prefer another certificate authority?

http://erik.io/blog/2014/02/03/why-your-ca-rarely-matters/

Browsers on a website with extended validation should display the company providing the verified trust, instead of a string that the CA decides (Subject Organization name).

There’s HPKP to our defence, which lets you specify the only CAs to be trusted for that domain; to be precise, the public key of any certificate.

I want to implement HPKP, but obviously it shouldn’t be rushed.


#89

I just noted it as it was not obvious in your post. I don’t care what people use. The only reason would be to have extended verification, which I believe Let’s Encrypt doesn’t offer. And whether you want to support Let’s Encrypt or another company.


#90

Current contract runs out on 5th of June 2018.

I am using certbot renew, but it turns out you have to reload nginx after running it, so I suggest adding that to crontab also.


#91

Even when using the Nginx plugin? Good to have in mind.

certbot […] --deploy-hook "systemctl reload nginx"

https://certbot.eff.org/docs/using.html
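A deploy-hook script, added here as an example and not taken from this thread or the NuBits project, that addresses the reload problem raised in #84, #90 and #91: it reloads nginx only when `nginx -t` passes, then checks that the certificate actually served on port 443 is the renewed one on disk, and reports the days left. It assumes GNU date and openssl on PATH, certbot’s default /etc/letsencrypt/live layout, and a hostname passed as the first argument (the chat.nubits.com usage line is a placeholder).

```shell
#!/bin/sh
# Added example, not from the thread: a certbot --deploy-hook that reloads nginx
# only when the config is valid, then confirms the served cert is the renewed one.
# Assumes: GNU date, openssl on PATH, certbot's default /etc/letsencrypt/live
# layout, and the hostname passed as the first argument (placeholder values).
set -eu

# SHA-256 fingerprint of a PEM certificate file (colon-separated hex).
cert_fingerprint_file() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

# SHA-256 fingerprint of the leaf certificate actually served on host:port,
# with SNI set to the host so name-based vhosts return the right certificate.
cert_fingerprint_served() {
    openssl s_client -servername "$1" -connect "$1:$2" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Whole days until the certificate's notAfter (negative once it has expired).
cert_days_left() {
    end=$(openssl x509 -noout -enddate -in "$1" | cut -d= -f2)
    end_s=$(date -d "$end" +%s)
    echo $(( (end_s - $(date +%s)) / 86400 ))
}

# Deploy hook: certbot runs this only after a successful renewal. Refuse to
# reload on a broken config (nginx would keep serving the old cert anyway),
# then detect the failure mode from the thread: new cert on disk, old one served.
deploy_hook() {
    host=$1
    live="/etc/letsencrypt/live/$host/fullchain.pem"
    nginx -t || { echo "nginx config invalid, not reloading" >&2; return 1; }
    systemctl reload nginx
    sleep 2
    disk=$(cert_fingerprint_file "$live")
    served=$(cert_fingerprint_served "$host" 443)
    if [ "$disk" != "$served" ]; then
        echo "served cert $served differs from renewed cert $disk" >&2
        return 1
    fi
    echo "renewed cert live for $host, $(cert_days_left "$live") days left"
}

# Usage from cron, e.g.: certbot renew --quiet --deploy-hook "/usr/local/sbin/le-hook chat.nubits.com"
if [ "$#" -gt 0 ]; then
    deploy_hook "$1"
fi
```

The fingerprint comparison is also useful on its own, run from any host, to confirm a renewal has really taken effect without relying on the browser warning seen in #83.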