Discussion:
[cryptopp-users] Installing new certificate
Jeffrey Walton
2018-09-13 23:35:37 UTC
Hi Everyone,

We are going to attempt a Let's Encrypt cut-over shortly.

The VM is CentOS 7 so we are going to install Certbot from EPEL. Then we
are going to try to re-certify the existing public key for those who
practice public key pinning. If Certbot does not lend itself to
re-certifying a key then we will use a new keypair.

Stand by.

Jeff
--
You received this message because you are subscribed to "Crypto++ Users". More information about Crypto++ and this group is available at http://www.cryptopp.com and http://groups.google.com/forum/#!forum/cryptopp-users.
---
You received this message because you are subscribed to the Google Groups "Crypto++ Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cryptopp-users+***@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Jeffrey Walton
2018-09-14 01:30:24 UTC
OK, things went sideways. That's nothing new with a Linux LAMP stack that's
duct-taped together...

We are trying to figure out how to recover from the failed request. Also
see https://webmasters.stackexchange.com/q/117722/40589 .

Jeff
Jeffrey Walton
2018-09-15 20:22:43 UTC
I placed an order with Comodo on Friday for a new Domain Validated (DV)
certificate based on a CSR that used the existing private key. The
certificate has not issued yet.

Jeff
Jeffrey Walton
2018-09-17 21:43:23 UTC
Now open in the issue tracker:
https://github.com/weidai11/cryptopp/issues/715
Jeffrey Walton
2018-09-18 20:03:04 UTC
Hi Everyone,

Here's an update on the expired certificate.

So there seems to be a problem with our Common Name. We attempted to use *Crypto++
Project*. *Crypto++ Project* was rejected for illegal characters (even
though it is a utf8 string and all characters are legal). Next we attempted
to use *CryptoPP Project*. It seems the CA/Browser Baseline Requirements
forbids a friendly name like *Crypto++ Project* or *CryptoPP Project*.

Both the CA/Browser Baseline Requirements and RFC 5280 deprecate and
discourage use of a hostname in the Common Name. The Baseline Requirements
goes further and says hostname or nothing. We selected nothing because we
can't use a friendly name.

Two requests have been made to use a CSR without a Common Name to ensure we
comply with the CA/Browser Baseline Requirements and RFC 5280. We have to
make manual requests and wait for Comodo support because the web form won't
let us upload the CSR. It appears to be a bug in the web form.
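The thread ends with a CSR that has no Common Name and is built over the existing private key, so that clients pinning the public key keep working. As an added example (not from the thread or the Crypto++ project), the script below builds such a CSR and confirms that the SPKI pin is unchanged; the throwaway EC key, the hostname `www.example.com` and all function names are constructed for illustration, and `-addext` assumes OpenSSL 1.1.1 or later.

```sh
#!/bin/sh
# Added example: uses a constructed throwaway key and a placeholder hostname,
# not the project's real key material.
set -eu

# Base64 SHA-256 of the DER SubjectPublicKeyInfo read as PEM on stdin.
# This is the value a public-key-pinning client compares.
spki_pin() {
  openssl pkey -pubin -outform DER | openssl dgst -sha256 -binary | openssl base64
}

pin_from_key()  { openssl pkey -in "$1" -pubout | spki_pin; }
pin_from_csr()  { openssl req  -in "$1" -noout -pubkey | spki_pin; }
pin_from_cert() { openssl x509 -in "$1" -noout -pubkey | spki_pin; }

# Build a CSR over an EXISTING private key with an empty subject (no CN);
# the hostname is carried only in subjectAltName.
# $1 = existing key, $2 = hostname, $3 = output CSR
make_csr_no_cn() {
  openssl req -new -key "$1" -subj "/" \
    -addext "subjectAltName=DNS:$2" -out "$3"
}

# Number of subject lines carrying a CN attribute (0 for a CN-less CSR).
csr_cn_count() {
  openssl req -in "$1" -noout -subject | grep -c 'CN *=' || true
}

# Succeeds only if the CSR certifies the same public key as the private key.
csr_keeps_pin() {
  k=$(pin_from_key "$1"); c=$(pin_from_csr "$2")
  [ -n "$k" ] && [ "$k" = "$c" ]
}

demo() {
  dir=$(mktemp -d)
  # Constructed stand-in for the server's existing private key.
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
    -out "$dir/existing.key" 2>/dev/null
  make_csr_no_cn "$dir/existing.key" www.example.com "$dir/renew.csr"
  echo "key pin: $(pin_from_key "$dir/existing.key")"
  echo "csr pin: $(pin_from_csr "$dir/renew.csr")"
  echo "CN attributes in subject: $(csr_cn_count "$dir/renew.csr")"
  csr_keeps_pin "$dir/existing.key" "$dir/renew.csr" && echo "pin preserved"
  rm -rf "$dir"
}
demo
```

Once the CA issues the certificate, `pin_from_cert` run against it should print the same value before the certificate is deployed.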