Let’s Encrypt has become easier – avoid re-validation by rolling over within 60 days and avoid web server ACME certificate protocol permission issues

The latest certbot-auto tool comes with a new feature (or I must have missed it 3 months ago) that spins up a temporary web server on port 443. This is a huge improvement IMHO as it avoids the permissions hassle you can have on a security-hardened web server installation (be it Apache, IIS, Nginx, …). The Read More …

Let’s Encrypt caveats

Following the instructions at https://certbot.eff.org/#ubuntuxenial-apache didn’t do it for me. With Apache, it’s always tricky. I’m currently using a Bitnami WordPress EC2 instance, so I had to figure out the certbot stuff. It was actually not that hard. As with many command line tools, everything starts with reading the documentation 🙂 The certonly option does the trick! Always. Read More …

Why you should never use OAuth2 for authentication purposes

What OAuth2 (RFC 6749, https://tools.ietf.org/html/rfc6749) tries to solve is delegated access control to a protected resource. Typically a user (the resource owner) gives consent so that a client can access a protected resource (a REST API endpoint, for example). However, it is/was common to abuse the protocol and introduce special ‘scopes’ like ‘signin’ or ‘authn’ Read More …