Comment by tmmm
11 years ago
Won't people need to have the LetsEncrypt CA certificate installed on their computers to not get that red SSL incorrect certificate thing? Other than that, this is awesome.
IdenTrust will be cross-signing our roots while we apply to root programs.
Thanks for the clarification! You might want to add that point to your technical how-it-works section[1]. I was wondering how older browsers would accept a new CA's signature.
Also, I really wish AOL would have donated their root certs to y'all[2] so you didn't have to set up a whole new CA.
[1]: https://letsencrypt.org/howitworks/technology/
[2]: https://moderncrypto.org/mail-archive/messaging/2014/000618....
I don't know why AOL keeps being brought up, but it's highly unlikely they would do this. For one, it's probably used internally for smart cards/SMIME. Secondly, it'd be very hard to get AOL to spend money on doing something for free. Moving a CA to a different company is no small feat, operationally...
The "How It Works" page (https://letsencrypt.org/howitworks/) says:
- Obtain a browser-trusted certificate and set it up on your web server
IdenTrust is listed as a sponsor and is the CA for the letsencrypt.org certificate so I'm guessing they're doing some sort of partnership.
I mean ordinary people who will visit the page.
"browser-trusted certificate" < it is already trusted by them
I just installed it including all its Python dependencies, and tried it on my Apache server, but it throws me tons of Python errors.
It would be super-awesome of you if you could let us know about those errors at
https://github.com/letsencrypt/lets-encrypt-preview/issues
or e-mail me about them. So far this has only been tested on a handful of configurations and will clearly need to be tested on many more over the next few months.
Please be careful when running it on your live server: if it does manage to get a cert right now, that cert won't be accepted by clients and will produce cert warnings (and if you use the "Secure" option at the end, you'll also be generating redirects from the HTTP site to the cert-warning-generating HTTPS version).