purg.atory – a personal blog by elyograg

Certificate Fun – StartCom

I had been using StartCom for certificates for quite some time, because they offered them for free and were always reliable.  This was the case for both work and home.  This blog runs on my home server.

Thanks to some funny business by the company that purchased StartCom, they have been targeted for distrust by major browser vendors.  Mozilla opted to distrust all certificates issued by StartCom after a certain date.  Google initially did the same thing with Chrome, but later they got more aggressive.

At work, we actually paid StartCom for their service, because we wanted to create certificates that they don’t issue for free.  We only had one certificate that ran afoul of Mozilla’s changes, all the rest still worked just fine in products like Firefox and Thunderbird.  At home, I had a number of certificates issued after Mozilla’s cutoff date.  I was definitely caught off guard.

At work, I obtained a new certificate from LetsEncrypt to replace the one certificate that we couldn’t use any more.  At home, I didn’t take any immediate action, even though most of my personal secure sites began failing in both Firefox and Chrome.

Then, as mentioned above, Google got even more aggressive in Chrome version 58, and suddenly most of the certificates at work were failing validation in Chrome.  A few that were really old and approaching expiration still worked.  Keep in mind that every single one of these certificates was still accepted without issue by Firefox.

We have mostly fixed the problems at work by obtaining an relatively inexpensive certificate from one of StartCom’s partners that contains wildcards to cover most of the certificates that we could no longer use.  For some of the rest, I have created LetsEncrypt certs.

At home, I have just completed a migration to LetsEncrypt for ALL of my active domains, including this blog.

All of the problems that StartCom has encountered were due to the actions of another company.  I think it was unfair of the browser companies to mark them guilty by association … but my opinion counts for little.

Distrusting New WoSign and StartCom Certificates

Followup, autumn of 2021: Using LetsEncrypt for my certificates works, but has been a little bit painful because they’re only valid for 90 days. I am using DNS validation with certbot, and because my DNS provider is web-based, manually adding all the validation DNS records takes a fair amount of time. Thankfully I found a validation hook script for my DNS provider so cert renewals are almost fully automated. Last hurdle for automation is getting the updated cert to the other servers and restarting services.

elyograg

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.