On Wed, Apr 2, 2025 at 3:24 PM Greg Wooledge <g...@wooledge.org> wrote:
>
> On Wed, Apr 02, 2025 at 12:03:32 -0700, Van Snyder wrote:
> > On Wed, 2025-04-02 at 11:25 -0700, Van Snyder wrote:
> > > On Wed, 2025-04-02 at 01:17 -0400, Timothy M Butterworth wrote:
> > > > I am able to reach The Van Snyder's Web Site using the above IP
> > > > address and URL on port 80 but not 443. I got a certificate error
> > > > on 443.
> > >
> > > I've never before set up a secure server. I followed instructions at
> > > a web page, whose URL I neglected to put into my notes, to set up the
> > > SSL.
> > >
> > > I probably did something wrong.
> > >
> > > Was there a clue in the error message about what I did wrong?
> >
> > I got a security error too. It says the problem is that the certificate
> > is self-signed. I have no idea what that means or how to repair it.
>
> *If* you want to go down this road, the simplest way is to install one
> of the "Let's Encrypt" support packages and follow its instructions to
> obtain and maintain a Let's Encrypt certificate.
>
> This is not just a one-time setup; the certificate expires every few
> months and has to be updated, so there is a nightly cron job or similar
> to check on it and replace it if it's sufficiently old. The good news
> is, you only have to *do stuff* once, and the package should be able to
> do the rest.
>
> There are several suitable packages for this; I'm using "dehydrated",
If you are going to use Let's Encrypt, the ACME protocol and Certbot for automatic renewals, then you should consider using the `--reuse-key` option to promote key continuity.

Key continuity turned out to be a very useful security property. Key continuity was first experimented with in SSH under a system called Perspectives. The lessons learned are the foundation of SSH's StrictHostKeyChecking.

Also see <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1093139>.

Jeff
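An added check, not part of Jeff's message or of Certbot itself, showing what key continuity means in practice: after a renewal done with `--reuse-key`, the SubjectPublicKeyInfo (SPKI) hash of the new certificate should equal that of the old one, while a rotated key changes it. It assumes the `openssl` command-line tool is installed; the certificates produced by `make_fixtures` are constructed locally for the demonstration and stand in for the pre- and post-renewal files under /etc/letsencrypt.

```shell
#!/bin/sh
# Verify key continuity across a certificate renewal by comparing the
# SHA-256 of each certificate's SubjectPublicKeyInfo (the same value
# that public-key pinning tools use). With `certbot renew --reuse-key`
# the value should not change; a change means the private key rotated.
set -eu

# Print the SPKI SHA-256 (hex) of a PEM certificate.
spki_hash() {
    openssl x509 -in "$1" -pubkey -noout \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Exit status 0 when OLD_CERT and NEW_CERT carry the same public key,
# 1 when the key changed (continuity broken).
key_continuity_ok() {
    [ "$(spki_hash "$1")" = "$(spki_hash "$2")" ]
}

# Constructed fixtures (not real Let's Encrypt certificates): two
# self-signed certs issued from one reused key, and one from a fresh key.
make_fixtures() {
    dir=$(mktemp -d)
    for k in k1 k2; do
        openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
            -out "$dir/$k.pem" 2>/dev/null
    done
    for n in 1 2; do
        openssl req -new -x509 -key "$dir/k1.pem" -subj /CN=example.test \
            -days 1 -out "$dir/reused$n.pem" 2>/dev/null
    done
    openssl req -new -x509 -key "$dir/k2.pem" -subj /CN=example.test \
        -days 1 -out "$dir/rotated.pem" 2>/dev/null
    echo "$dir"
}

# Usage: sh keycheck.sh OLD_CERT NEW_CERT  (no arguments: run on fixtures)
if [ $# -eq 2 ]; then
    old=$1; new=$2
else
    d=$(make_fixtures); old=$d/reused1.pem; new=$d/reused2.pem
fi
if key_continuity_ok "$old" "$new"; then
    echo "key continuity held: SPKI $(spki_hash "$new")"
else
    echo "WARNING: public key changed between $old and $new"
fi
```

Running it after each renewal (for example from the cron job or renewal hook that replaces the certificate) turns the `--reuse-key` expectation into something that is actually checked rather than assumed.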