Mailinglist Archive: opensuse (769 mails)

Re: [opensuse] Firefox - on the security exceptions - self-signed certificates
  • From: Jan Ritzerfeld <suse@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
  • Date: Sun, 08 May 2016 11:44:16 +0200
  • Message-id: <1770220.S3UzSr4EOY@karl>
On Sunday, 8 May 2016, 10:05:15, Vojtěch Zeisek wrote:
> On Saturday, 7 May 2016, 17:52:32 CEST, Jan Ritzerfeld wrote:
>> [...]
>> However, if "internal purposes" means that only a limited set of people
>> should access the Web Server of your NAS via a regular domain name then
>
> Yes, it is the case, so I think my own CA is too much work...

Well, it is not that easy, but I think deploying your CA certificate on all
the clients might be too much work if you have to persuade the users of the
clients to trust all of your certificates, even the ones issued for
*.google.com. ;)

>> upgrade to DSM 6 and use Let's Encrypt to remove the necessity of
>> creating and deploying any CA certificate at all. I cannot do it this
>> way because my NAS is accessible only via VPN, intentionally.
>
> I did upgrade to DSM 6. Do you have experience with Let's Encrypt? I
> wonder why it needs port 80 opened...

No, because I do not want to expose my NAS to the whole Internet. And Let's
Encrypt needs port 80 or 443 opened to validate your ownership of the domain
regularly. This is why Let's Encrypt certificates expire pretty soon. So, if
you want to restrict access to your NAS via IP addresses, you cannot use the
automatic renewal of your certificate and have to do this manually, every 90
days. And this is why "I cannot do it this way" but I still like the idea of
Let's Encrypt very much.

Regards
Jan
--
It's better to keep your mouth shut and appear stupid, than to open it and
remove all doubt.
