A safer default for navigation: HTTPS

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • web.dev

    Discontinued: the frontend, backend, and content source code for web.dev

  • I think I explained myself badly. I'm entering sites INTO https://web.dev that we make at work. Web.dev is basically Google Lighthouse and tests your website for basic performance, SEO, best practices and A11Y.

    So for example I enter mycustomer.com and it tells me "avoid http redirects" because I didn't enter the https:// before.

    HSTS is included in one of our packages which also includes CSP settings and other security stuff, but barely anyone buys that.

  • devcert

    Local HTTPS development made easy

  • The devcert tool (and its corresponding devcert-cli command-line interface) is very handy for creating a local root certificate authority that you control & your device trusts:

    https://github.com/davewasmer/devcert

  • devcert-cli

    A CLI wrapper for devcert, to manage development SSL/TLS certificates and domains

  • acme-dns

    Limited DNS server with RESTful HTTP API to handle ACME DNS challenges easily and securely.

  • If your domain provider's API sucks, or doesn't exist, or requires generating a password/key with more permissions than you're willing to give a script, look at acme-dns [1] and delegated DNS challenges:

    https://github.com/joohoi/acme-dns

  • docker-swag

    Nginx webserver and reverse proxy with php support and a built-in Certbot (Let's Encrypt) client. It also contains fail2ban for intrusion prevention.

  • Let's Encrypt provides a really good service.

    I can recommend the docker image made by linuxserver in particular [0]. Makes HTTPS a (tax-free) breeze.

    [0] https://docs.linuxserver.io/general/swag

  • cert-gen

    Generate CA and self-signed SSL certificates usable in your browser for local development.

  • > I wish there was a solution for those of us who develop web interfaces for embedded products designed to live on LAN

    There almost is! Instead of self-signed certificates, use a certificate authority, and install that on the LAN's machines. https://github.com/devilbox/cert-gen

    You can use macOS Server or Active Directory to push out the certificate as trusted.

    It's not perfect, but it's close enough for a LAN.

  • servercert

    Repository for the CA/Browser Forum Server Certificate Chartered Working Group

  • The article you linked to is kind of confused and I'm not sure I blame them. This stuff is really complex!

    According to the proposal[0], leaf certificates are prohibited from being signed with a validity window of more than 397 days by a CA/B[1] compliant certificate authority. This is very VERY different from the cert not being valid. It means that a CA could absolutely make you a certificate that violated these rules. If a CA signed a certificate with a longer window, they would risk having their root CA removed from the CA/B trust store, which would make their root certificate pretty much worthless.

    To validate this, you can look at the CA certificates that Google has[2] that are set to expire in 2036 (scroll down to "Download CA certificates" and expand the "Root CAs" section) several of which have been issued since that CA/B governance change.

    As of right now, as far as I know, Chrome will continue to trust certificates that are signed with a larger window. I've not heard anything about browsers enforcing validity windows or anything like that, but would be delighted to find out the ways that I'm wrong if you can point me to a link.

    Further, your homemade root certificate will almost certainly not be accepted by CA/B into their trust store (and it sounds like you wouldn't want that), which means you're not bound by their governance. Feel free to issue yourself a certificate that lasts 1000 years and certifies that you're made out of marshmallows or whatever you want. As long as you install the public part of the CA into your devices it'll work great and your phone/laptop/whatever will be 100% sure you're made out of puffed sugar.

    I guess I have to disclose that I'm an xoogler who worked on certificate issuance infrastructure and that this is my opinion, that my opinions are bad and I should feel bad :zoidberg:.

    [0] https://github.com/cabforum/servercert/pull/138/commits/2b06...
