Hey everyone,

Just a quick question, let’s encrypt, what is it and how can I take advantage of its services?

For a bit of background I’m trying to setup KanIDM and the need for a ca certificate is needed, I was told to use let’s encrypt to create it.

Just looking for knowledge.

Thanks!

  • CosmicTurtle@lemmy.world
    link
    fedilink
    English
    arrow-up
    22
    ·
    edit-2
    1 year ago

    When you go to just about any web site, your browser sets up an encrypted connection between you and the server so that anything you do on the web site can’t be observed by sniffing the traffic.

    Let’s Encrypt is a suite of software developed by the Electronic Frontier Foundation to bring this security to anyone with a website (or anyone with a webservice, really). What Let’s Encrypt provides you is a fully trusted certificate chain. As a result of making the certificate free for anyone (and I mean anyone) can use, the certificate is only valid for 90 days.

    You can purchase a trusted certificate that lasts longer but renewal is so easy that unless you need a higher “reputation” cert, it’s not worth it. Fun fact: cia.gov uses LE certificates!

    Not sure what KanIDM is but they are probably having you use an LE certificate to create a secure connection between clients and servers. It’s free and pretty easy to set up.

    Optionally, if you’re technically savvy, you can set up your own Certificate Authority and distribute it on your own. This gives you full control over your certificate linage but my guess is you won’t get the benefits of it.

  • Alado@lemmy.world
    link
    fedilink
    English
    arrow-up
    19
    arrow-down
    5
    ·
    1 year ago

    Use Caddy as a web server and forget about setting up certificates forever. This masterpiece will take care of it.

    • pete_the_cat@lemmy.world
      link
      fedilink
      English
      arrow-up
      5
      ·
      1 year ago

      I had been using Nginx and LetsEncrypt for years and while it worked well most of the time, sometimes it was a bit of a pain, especially due to the verbosity of the Nginx config file. I was using both of them in docker containers and that requires you to have 3 specific environmental variables set for each container.

      I tried using Traefik, and while concise, it was still a bit confusing.

      I finally decided to give Caddy a try a few months back after hearing about it for years. I’m disappointed that I didn’t try it sooner because it’s so freaking simple to use. I rewrote my entire docker-compose file to use it because it’s that simple. I love how it takes literally 3 lines to create a SSL secured reverse proxy.

    • IAm_A_Complete_Idiot@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      4
      ·
      1 year ago

      Kanidm wants to directly have access to the letsencrypt cert. It refuses to even serve over HTTP, or put any traffic over it since that could allow potentially bad configurations. It has a really stringent policy surrounding how opinionated it is about security.

        • IAm_A_Complete_Idiot@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          2
          ·
          edit-2
          1 year ago

          Yeah. There’s reasoning for why they do it on their docs, but the reasoning iirc is kanidm is a security critical resource, and it aims to not even allow any kind of insecure configuration. Even on the local network. All traffic to and from kanidm should be encrypted with TLS. I think they let you use self signed certs though?

    • fraydabson@sopuli.xyz
      link
      fedilink
      English
      arrow-up
      3
      arrow-down
      1
      ·
      1 year ago

      Love caddy. Took a little bit for me to understand but it’s an amazing tool. I barely use a fraction of its capabilities.

      • pete_the_cat@lemmy.world
        link
        fedilink
        English
        arrow-up
        4
        ·
        1 year ago

        I had been using Nginx for years until I finally switched to Caddy a few months ago, I’m disappointed in myself that I didn’t check it out sooner lol. Caddy is to Nginx like what Nginx is to Apache.

        I have like 15 reverse proxies setup and it takes the same amount of code that about 4 or 5 would take in Nginx.

  • Decronym@lemmy.decronym.xyzB
    link
    fedilink
    English
    arrow-up
    10
    arrow-down
    1
    ·
    edit-2
    1 year ago

    Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

    Fewer Letters More Letters
    DNS Domain Name Service/System
    HTTP Hypertext Transfer Protocol, the Web
    HTTPS HTTP over SSL
    IP Internet Protocol
    SSL Secure Sockets Layer, for transparent encryption
    TLS Transport Layer Security, supersedes SSL
    nginx Popular HTTP server

    [Thread #185 for this sub, first seen 4th Oct 2023, 16:45] [FAQ] [Full list] [Contact] [Source code]

  • Boring@lemmy.ml
    link
    fedilink
    English
    arrow-up
    5
    arrow-down
    1
    ·
    1 year ago

    A reverse proxy like nginx can automatically implement it for you. Probably the easiest way of generating and using your own SSL with let’s encrypt is a reverse proxy.

  • Makoto009@lemmy.world
    link
    fedilink
    English
    arrow-up
    4
    arrow-down
    1
    ·
    edit-2
    1 year ago

    Its a internet service/company that wants to make HTTPS available for everyone. Because of security reasons. You can create an Lets Encrypt Account, Register your servers DNS in any DNS service out there and then link your server to your Lets Encrypt Account. Then you can get SSL cert for your DNS Record/your server. I think it is valid for 90 days. You can renew the cert when there are 30 days left i think. So its free SSL for your webserver connection. This is a realy basic explanation but i think to understand what it does its enough ;) Hope this helps - If not, feel free to ask more :)

    Edit: your webserver must be accessible from the www

  • hperrin@lemmy.world
    link
    fedilink
    English
    arrow-up
    3
    ·
    1 year ago

    If you own a domain name, you can point that domain name at your IP, and Let’s Encrypt’s cryptbot program can help you get a free TLS certificate to host all your stuff over https.

    With certain setups it can be renewed automatically, otherwise the certificate lasts 90 days, and renewal only takes a few minutes.

  • vector_zero@lemmy.world
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 year ago

    I’m going to cast another vote for a reverse proxy, such as NginxProxyManager. It’s really easy to set everything up, and they’re usually very easy to run in Docker/Podman.

    One thing to note: if you end up with a domain with mandatory HSTS, you’ll have to use DNS-based certificate generation rather than HTTP based, since unencrypted HTTP is blocked (chicken/egg problem to get HTTPS working). It’s not hard, but you have to be aware of that limitation.

    • pete_the_cat@lemmy.world
      link
      fedilink
      English
      arrow-up
      4
      ·
      1 year ago

      As someone that used Nginx for close to decade, Caddy is about 10x simpler with the same features. It takes a bit to wrap your head around if you’re used to coming from an “old-school” webserver and proxy like Apache or Nginx though. One of the greatest things about Caddy is that it does SSL by default, so there’s no need to have stanzas in each section saying “listen on 80 and 443, but if you get a connection on 80 redirect it to 443” and another one saying “enable SSL for this (sub)domain”. Creating a reverse proxy in Caddy literally takes three lines and consists of FQDN { reverse_proxy internal-endpoint-name:portNumber }

      • vector_zero@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 year ago

        I’m actually almost completely unfamiliar with Nginx, short of a few hours of tinkering. NginxProxyManager is a direct competitor to Caddy, with a graphical interface, SSL cert creation and auto-renew, etc. I’m not going to say to switch from Caddy, since there’s probably no major benefit, but it’s much nicer than trying to figure out Nginx reverse proxies by hand.

  • lettruthout@lemmy.world
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    I’ve been using it for a few years (on a mail server and some websites) and am really happy. It’s worth looking into.

  • wildbus8979@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    1
    arrow-down
    1
    ·
    edit-2
    1 year ago

    I don’t know KanIDM specifically so take this with a grain of salt.

    Let’s Encrypt only provides server certificates. The kind used to secure a connection (HTTPS, IMAPS, etc). KanIDM might require a Certificate Authority (CA) certificate to issue Client Certificates (used for authentication like MIME-S, WPA Enterprise, etc). Let’s Encrypt cannot be used for this purpose.

    • IAm_A_Complete_Idiot@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 year ago

      Kanidm doesn’t require a CA, it just requires a cert for serving https (and it enforces https - it refuses to even serve over HTTP). I think that was just the OP not quite understanding the conceptual ideas at play.