Haven't been a fan of www domains and that was what this forum was using - www.ledstrain.org

I've switched it to ledstrain.org

Requests made to www.ledstrain.org will be redirected to ledstrain.org.
https made this more tricky - but it should be working fine now

Yeah, same.

I noticed you are using Let's Encrypt CA now. When I went to www.ledstrain.org I got a certificate warning because one of the subject names wasn't www.ledstrain.org. Fix is to add that as a subject name in the LetsEncrypt certificate or use the old StartCom certificate for www.ledstrain.org only.

Also if you're interested I've been working on my own modifications on the "simp_le" Let's Encrypt/ACME client (to better support virtual hosting, auto renew, etc.)

(also, do posts in the Meta section not show up on the front page?)

ledstrain.org has the LetsEncrypt certificate while www.ledstrain.org has the StartCom one.

| ssl-cert: Subject: commonName=ledstrain.org
| Issuer: commonName=Let's Encrypt Authority X1/organizationName=Let's Encrypt/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Not valid before: 2016-03-02T00:59:00+00:00
| Not valid after:  2016-05-30T23:59:00+00:00
| MD5:   c01c 0cbb dfe0 77a7 ca9f 72c9 da49 65f9
| SHA-1: 9eba 265f bf10 8ea4 2a1c 1e78 8089 8579 b8e2 f347
| ssl-cert: Subject: commonName=www.ledstrain.org/countryName=US/emailAddress=ledstrain.org@respectmyprivacy.com
| Issuer: commonName=StartCom Class 1 Primary Intermediate Server CA/organizationName=StartCom Ltd./countryName=IL/organizationalUnitName=Secure Digital Certificate Signing
| Public Key type: rsa
| Public Key bits: 2048
| Not valid before: 2015-09-02T12:23:06+00:00
| Not valid after:  2016-09-02T03:27:39+00:00
| MD5:   abaa 9e18 65ce 3d89 7661 f9b7 32f0 caf6
| SHA-1: cdc8 0452 06d4 95b0 d282 ab79 574b 3728 fb16 c185

@JTL
This really needs an "auto follow" thing.
I believe I got it configured now, let me know if it's still giving certificate errors. As for the different certs, that is because the Let's Encrypt one didn't have www.ledstrain.org supported and I needed it to work - so I used two different valid ones.
However, I believe I just fixed this. They should both be supported under one cert now.

Meta posts don't show up. I chose that cause it doesn't really have to do anything with the main purpose.

Hmmm. Both certs scanning with nmap for both www. and just ledstrain.org are the one cert for just ledstrain.org (NMap's SSL detection is SNI aware)


    Yeah, one certificate. It should be valid for both www.ledstrain.org and ledstrain.org

    https is getting on my nerves.
    changed the www back to startcom.


      Also as I mentioned above

      Also if you're interested I've been working on my own modifications on the "simp_le" Let's Encrypt/ACME client (to better support virtual hosting, auto renew, etc.)

      Have a private GitHub repository with the current code, email me for access. Some things (IMO) still need work though.

        19 days later

        Ok - identified the issue. Had two folders containing certs - www.ledstrain.org/ and ledstrain.org/ >.<
        was referring to the wrong one since it contained the "old" domain - thus never showing www.ledstrain.org as the alternate. I noticed the "extra" folder just yesterday..
        So now both www.ledstrain.org and ledstrain.org should be through let's encrypt 😉 and my own test says it's good..
        @JTL is it erroring?

        JTL Have a private GitHub repository with the current code,

        Probably won't be doing that atm, it's updating very often with the main one. Make PRs with the primary one?


          Slacor Tested with nmap and openssl s_client (both support SNI)

          All works fine and the SAN works.

          Probably won't be doing that atm, it's updating very often with the main one. Make PRs with the primary one?

          Fair enough. It still needs some unit testing done until I consider it stable. Just like the small auditable codebase vs the monster that is the let's encrypt main client with auto config (which I don't need)

          I feel making pull requests against the primary version would be inappropriate as it is customized more for my use cases, rather than being "simple".
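
The mismatch discussed in this thread, a certificate whose subject names leave out www.ledstrain.org, can be checked for mechanically. The following is an added example, not code posted by anyone in the thread: it tests whether every hostname a site answers on is covered by the certificate's subjectAltName entries. The function names and the two sample certificate dictionaries are constructed for illustration, in the format Python's `getpeercert()` returns.

```python
import socket
import ssl


def san_dns_names(cert):
    """DNS entries from the subjectAltName of a getpeercert()-style dict."""
    return [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


def name_matches(pattern, hostname):
    """Exact match, or a wildcard that covers exactly the left-most label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        head, _, rest = hostname.partition(".")
        return bool(head) and rest == pattern[2:]
    return pattern == hostname


def uncovered(cert, hostnames):
    """Hostnames that no SAN entry of this certificate covers."""
    sans = san_dns_names(cert)
    return [h for h in hostnames if not any(name_matches(p, h) for p in sans)]


def fetch_cert(hostname, port=443, timeout=5):
    """Certificate the server presents when `hostname` is sent as SNI.
    With default verification on, a name mismatch raises
    ssl.SSLCertVerificationError here, which is the browser warning."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample data in getpeercert() format (not captured from the site).
APEX_ONLY = {"subject": ((("commonName", "ledstrain.org"),),),
             "subjectAltName": (("DNS", "ledstrain.org"),)}
BOTH_NAMES = {"subject": ((("commonName", "ledstrain.org"),),),
              "subjectAltName": (("DNS", "ledstrain.org"),
                                 ("DNS", "www.ledstrain.org"))}
SITE_NAMES = ["ledstrain.org", "www.ledstrain.org"]

if __name__ == "__main__":
    for label, cert in (("apex only", APEX_ONLY), ("both names", BOTH_NAMES)):
        print(label, "-> not covered:", uncovered(cert, SITE_NAMES))
```

Against a live server, call `fetch_cert()` once per hostname, since an SNI-aware server can present a different certificate for each name, and pass each result to `uncovered()`.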
