LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 06-22-2020, 02:27 PM   #16
aboka
LQ Newbie
 
Registered: Jun 2020
Posts: 26

Original Poster
Rep: Reputation: Disabled

Phew, I have managed to solve that issue by following a guide on webdock, allowing access to '.well-known' in the config. I think now the only thing left is more testing and finding ways to back up and restore the cert to a new server. I will try tomorrow as it's nearly 5 in the morning. Time flies trying to fix things like this.

Thanks, and I will post back soon. Cheers.

Last edited by aboka; 06-22-2020 at 03:42 PM.
 
Old 06-23-2020, 09:53 AM   #17
aboka
LQ Newbie
 
Registered: Jun 2020
Posts: 26

Original Poster
Rep: Reputation: Disabled
Ser Olmy, hi. Hopefully I can have time tomorrow to try the last step, backing up and restoring the cert. I would like to confirm the steps again with you:

1) Disable everything on the old server: SE, nginx, certbot.

2) Set up SE and back up its config from old to new.

3) Set up nginx and certbot the same way on the new server, except for generating a certificate. Disable nginx and certbot.

4) Create the folders on the new server and upload everything inside "/etc/letsencrypt/live/vpn885951179.softether.net/" to the new server.

Besides using SE ServerCertSet to point the SSL to the server, is there anything we need to 'update'? Or will they just work after rebooting?

Thank you,

Last edited by aboka; 06-23-2020 at 10:50 AM.
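The four steps above, carried out as a script with the checks I would want before trusting the moved certificate. This is an added example of mine, not aboka's script and not SoftEther's or certbot's code. It assumes (my assumptions, not the thread's) that the old host runs systemd units named vpnserver and nginx, that certbot renews via certbot.timer, that the new host is reachable over ssh as $NEW_HOST, that the SoftEther admin password is in $SE_PASSWORD, and that vpncmd takes ServerCertSet with /LOADCERT and /LOADKEY. One point worth adding to step 4: live/<domain>/ holds only symlinks into archive/, and renewal/<domain>.conf is what makes "certbot renew" work, so copying live/ alone leaves dangling links and no renewal config; the script moves the whole /etc/letsencrypt tree instead.

```shell
#!/bin/sh
# Added example (mine, not aboka's script and not SoftEther's or certbot's code).
# Performs the migration described in the thread and adds the checks I would run
# before trusting the moved certificate. Assumptions: systemd units named
# vpnserver and nginx, renewal via certbot.timer, the new host reachable over ssh
# as $NEW_HOST, the SoftEther admin password in $SE_PASSWORD, and vpncmd
# accepting ServerCertSet /LOADCERT and /LOADKEY.
set -eu

DOMAIN="${DOMAIN:-vpn885951179.softether.net}"
NEW_HOST="${NEW_HOST:-new-vpn-host}"   # hypothetical name for the new server

# --- checks: plain openssl, no root, safe to run anywhere -------------------

# The public key inside the certificate must equal the one derived from the key.
cert_key_match() {
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256)
  k=$(openssl pkey -in "$2" -pubout | openssl dgst -sha256)
  [ "$c" = "$k" ]
}

# Fail if the certificate expires within $2 days (default 30, roughly certbot's
# renewal window), so a nearly expired certificate is not carried over.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null
}

# The certificate must carry the VPN's DNS name as a subjectAltName; a client
# that verifies properly rejects a name mismatch.
cert_has_name() {
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# --- old server: step 1 plus the backup half of step 4 ---------------------
pack_old_server() {
  systemctl stop vpnserver nginx
  systemctl disable --now certbot.timer
  # live/<domain>/ is symlinks into archive/; renewal/<domain>.conf drives
  # "certbot renew". Copying only live/ breaks both, so take the whole tree.
  tar -C /etc -czf /root/letsencrypt.tgz letsencrypt
  scp /root/letsencrypt.tgz "root@$NEW_HOST:/root/"
}

# --- new server: restore half of step 4, then ServerCertSet ---------------
install_on_new_server() {
  live="/etc/letsencrypt/live/$DOMAIN"
  tar -C /etc -xzf /root/letsencrypt.tgz     # restores archive/, live/, renewal/
  cert_key_match      "$live/cert.pem" "$live/privkey.pem"
  cert_valid_for_days "$live/cert.pem" 30
  cert_has_name       "$live/cert.pem" "$DOMAIN"
  # Load the leaf certificate and key into SoftEther. How your SoftEther
  # version expects the intermediate chain is something to check in its docs.
  vpncmd localhost /SERVER /PASSWORD:"$SE_PASSWORD" /CMD ServerCertSet \
    /LOADCERT:"$live/cert.pem" /LOADKEY:"$live/privkey.pem"
  # Prove renewal works here before the old host goes away (DNS and port 80
  # must already point at this host for the HTTP-01 challenge to succeed).
  systemctl start nginx
  certbot renew --dry-run
  systemctl enable --now certbot.timer
  systemctl restart vpnserver
}

case "${1:-}" in
  pack)    pack_old_server ;;
  install) install_on_new_server ;;
esac
```

Run it as "sh migrate.sh pack" on the old server and "sh migrate.sh install" on the new one; the three check functions can be sourced and used on their own against any PEM pair.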
 
Old 06-23-2020, 02:10 PM   #18
Qusserel
LQ Newbie
 
Registered: Nov 2018
Posts: 3

Rep: Reputation: 0
Quote:
Originally Posted by Ser Olmy
Yes, it would work. The provider I linked to explicitly supports the validation mechanism used by Let's Encrypt, but even other providers might work if you use web server authentication.

And no, a DDNS name is not a "pointer". It's a regular DNS host record, just like any other. In DNS, a "pointer" (PTR) is a specific type of record that points to a hostname from an IP address. That's not at all what we're talking about here.
What does that have to do with anything? You do realize that there's absolutely no relation between a VPS provider and a DNS name?
If you read up on the X.509 standard, any uncertainties will instantly vanish.

SoftEther uses OpenSSL. The moment they realize "hey, our code allows for invalid Subject names in certificates!" they may decide to fix it. And then your setup instantly breaks.
That's how one might set up SSL in a lab environment. On the Internet, self-signed certificates are either a serious security risk or a major nuisance, depending on how the client is configured.

Your setup falls into the latter category, which is fortunate. Now all you have to do is switch to a proper SSL certificate, and your setup should be secure and pretty much maintenance-free.
That only applies if the clients are configured to uncritically accept any self-signed certificate. Incompetent people have been known to do this to avoid manually having to deploy the certificate, which means they've basically disabled the authentication part of SSL/TLS.

If all self-signed certificates are good, then the certificate I just made is perfectly fine, and I can just intercept their SSL handshake and impersonate the server. Inside the SSL stream, authentication is done in plain text, so now I've got your username and password. And if I just forward the traffic to the real server, I've got your data as well.

You probably should have researched this before setting up your VPN. That way you wouldn't have painted yourself into a corner like this, and you wouldn't have had to deploy the certificate manually at all. Just something to keep in mind next time you want to set up something for the first time.

Sorry if I'm sounding a bit harsh, but security-related misconfigurations can have serious implications for every user involved.
Thank you very much for your answers, very helpful.

Last edited by Qusserel; 06-28-2020 at 01:08 PM.
 