
Getting TLS Encryption For jacky.wtf

TLS certificate set up for https://jacky.wtf.

by Jacky Alciné, a thoughts post, tagged sovereign, ssl, security. About 1 minute, 323 words.

Recently I’ve managed to get jacky.wtf and friends to use TLS 1.2 encryption for the site. This is personal practice to understand the plight of setting up SSL on web servers ahead of the upcoming wide support of HTTP/2. It’s pretty cheap for (up to 3) multi-TLD (multiple top level domain) certificates over at Gandi. Sadly though, I didn’t think about how this would affect my deployment of services, since I’ve placed cgit and my other services on their own subdomains. I can’t cover those with the same certificate, since that would require a wildcard certificate and those get expensive ($16 for 3-domain coverage vs $50 for a wildcard on one domain). I decided to cut my losses[1] and just stick to using SSL for jacky.wtf (and jalcine.me).

I’ve been working on getting a set of federated services up and going, and one of the things I did want in the system was for things like cgit, ownCloud, etc. to work under SSL. For this, it looks like I might end up making my own private root CA and generating a new certificate for each service I’d want to use. I can’t see too much of an issue with this, outside of the repetition of generating certificates, but it’s a necessary evil since I decided to be cheap. Also, since it’s under my own private CA, there’s no real reason for anyone else to use the services or interact with said applications: nothing trusts that CA but my own machines. Once I get the VPN up and going, it can just be visible within that space and I wouldn’t have to worry (too much) about using TLS there.
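One way to do what that paragraph describes, as an added example that is not the post's own setup: a POSIX shell script that uses the openssl command line to build a private root CA and issue one leaf certificate per service, then checks that the leaf chains to that private root and, just as importantly, does not verify without it. The hostnames (*.example.invalid), directory layout and validity periods are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the post): a private root CA plus one leaf
# certificate per service, built with the openssl CLI. All names below
# (example.invalid hosts, temp directory, validity periods) are constructed.
set -eu

# Create a self-signed root CA (ca.key + ca.crt) in directory $1.
make_private_ca() {
  dir="$1"
  mkdir -p "$dir"
  cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Private Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
}

# Issue a leaf certificate for hostname $2, signed by the CA in $1.
issue_service_cert() {
  dir="$1"; host="$2"
  # CSR config: only the CN is needed here, the hostname goes in the SAN below.
  cat > "$dir/$host.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $host
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/$host.cnf" \
    -keyout "$dir/$host.key" -out "$dir/$host.csr" 2>/dev/null
  # Leaf extensions: not a CA, server auth only, hostname as a SAN
  # (modern clients ignore the CN and require the SAN).
  cat > "$dir/$host.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
authorityKeyIdentifier = keyid,issuer
EOF
  openssl x509 -req -in "$dir/$host.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$dir/$host.ext" \
    -out "$dir/$host.crt" 2>/dev/null
}

# Returns 0 when the leaf for host $2 chains to the private root in $1.
verify_with_private_ca() {
  openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1
}

# Returns 0 only if the leaf verifies WITHOUT the private root, i.e. against
# the default trust store alone. Expected to fail: nobody else trusts this CA.
verify_without_private_ca() {
  openssl verify -no-CAfile -no-CApath "$1/$2.crt" >/dev/null 2>&1
}

# Print the SAN lines of the leaf for host $2, to confirm the hostname is in it.
leaf_sans() {
  openssl x509 -in "$1/$2.crt" -noout -text 2>/dev/null | grep 'DNS:'
}

# Demo: one private CA, one certificate per service, both checks per service.
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
make_private_ca "$WORK"
for h in cgit.example.invalid cloud.example.invalid; do
  issue_service_cert "$WORK" "$h"
  if verify_with_private_ca "$WORK" "$h"; then
    echo "$h: OK against the private CA"
  fi
  if verify_without_private_ca "$WORK" "$h"; then
    echo "$h: unexpectedly trusted without the private CA"
  else
    echo "$h: not trusted without the private CA (expected)"
  fi
done
```

The CA key (ca.key) is the single point of trust for every service certificate: whoever holds it can mint certificates that every client which imported ca.crt will accept, so it belongs on an offline or otherwise separate machine, not on the web hosts. Each client (browser, git, the ownCloud sync app) has to import ca.crt once; nothing else on the internet will trust these certificates, which is exactly the trade-off the paragraph above accepts.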

Long live HTTP/2 (hurry up, would ya? :grin:)!

Edit: Lo and behold, Firefox already has support for HTTP/2! This is the kind of stuff I want to do!

  1. Didn’t really have much of a choice, actually.