@wrcombs said in Certificate Authorization Error:

@jaredbusch said in Certificate Authorization Error:

@wrcombs said in Certificate Authorization Error:

Any ideas?

Also, update windows and Chrome.

Did windows updates this morning and chrome is up to date..

You just want to make sure Windows and Chrome have the latest CA root certs in their stores... that's why he's recommending doing that.

@JaredBusch said in Validation when renewing let's encrypt?:

@Pete-S said in Validation when renewing let's encrypt?:

When LE certs are renewed are they using the same type of validation again as when they are created?

(We're using certbot)

They should, yes.

OK, thanks.

@dbeato - Thanks. Maybe it didn't used to be in red.

Thanks for your suggestions. Taking the results to my client.

@jaredbusch said in Nginx Certificate Authentication issue:

@emad-r said in Nginx Certificate Authentication issue:

@jaredbusch said in Nginx Certificate Authentication issue:

ls -laZ /etc/pki/nginx/ca.crt

-rw-r--r-- root root ?

i specified -laZ intentionally to show the SELinux context also.

I don't have your directory setup, but this is what my /etc/pki/tls/certs looks like

drwxr-xr-x. root root system_u:object_r:cert_t:s0 . drwxr-xr-x. root root system_u:object_r:cert_t:s0 .. lrwxrwxrwx. root root system_u:object_r:cert_t:s0 ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem lrwxrwxrwx. root root system_u:object_r:cert_t:s0 ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt -rw-r--r--. root root unconfined_u:object_r:cert_t:s0 dhparam.pem -rwxr-xr-x. root root system_u:object_r:bin_t:s0 make-dummy-cert -rw-r--r--. root root system_u:object_r:cert_t:s0 Makefile -rwxr-xr-x. root root system_u:object_r:cert_t:s0 renew-dummy-cert

Thanks this pointed me in the right direction, a useful guide coming soon

@JaredBusch said in OpenSSL CSR with Subject Alternative Name:

@EddieJennings said in OpenSSL CSR with Subject Alternative Name:

@JaredBusch Correct. The "ye olde way" is how I've typically made a CSR and private key. The link I included talks about making a configuration file, which allows you to include SAN in your CSR.

Ah, did not read the link. Yes, using a config file is the only method to get any SAN on a cert with OpenSSL.

And after re-reading my post, I realized how terrible it was :(. I was hoping to find a one liner kind of thing, but alas. That particular article made it clear how to do it.

@Mike-Davis said in AD CS hosed - anyone have any experience?:

@scottalanmiller said in AD CS hosed - anyone have any experience?:

So the SBS is the one and only AD in this case?

Sorry, I think we're interpreting the word cluster differently here. When I read that I though you were talking about Microsoft Cluster Server - which is a different technology than multiple domain controllers. He had three domain controllers.

In that case, how do you recover from something like this? Since the FSMO roles are on a 2003 server, do you start running through the various esentutl.exe commands?

Right, I'm talking about an AD application cluster (the set of domain controllers for one domain.) SBS has to be the root controller in order to work. And if you have a cluster (this isn't AD specific but is a general thing about clustering) you can't do restores. If you restore a cluster node like this, you corrupt the entire cluster in many cases, if you are lucky just one node. AD DCs form a database cluster under the hood, which is how they handle failovers, but that means that you have to protect them like a normal database cluster and let them resync from a rebuild, never do a restore.

https://community.spiceworks.com/topic/1988106-ad-logins-dont-work-after-baremetal-restored-windows-2008-dc

Yes, you'll likely need to seize roles on one of the 2012 R2 machines and just retire the SBS 2003 machine.

@IRJ said in Logical IT Certification Progression:

@Dashrender said in Logical IT Certification Progression:

@scottalanmiller said in Logical IT Certification Progression:

@Dashrender said in Logical IT Certification Progression:

@guyinpv said in Logical IT Certification Progression:

al details. I don't regret buying or reading through any of them. Books on Windows, DOS, printers, networks, repair and troubleshooting techniques, system design and building, etc etc. All of that is good.

Answer questions posed at an interview.

Besides, bench techs don't think, according to @scottalanmiller, they work by script - aka, reading a script and doing what it says. Once you have to start making decisions, you're no longer a bench tech, you're in IT.

Not quite, but that's closer. Bench is about tech, about consumer gear or business stuff that falls into consumer spaces. IT is "Business Information Infrastructure."

Lots of bench people make decisions. Like if you are building a white box desktop for a gamer, the bench guy will likely make several decisions from CPU to GPU to RAM to case and power supply. It's not a script, but it is not BII, either.

hey - you're making it grey again 😛

There isn't nearly as many strictly hardware people anymore these days.

Not nearly, most are in datacenters now.

@Jason said:

@axigen said:

@Jason said:

Comodo provides them

Hi @Jason. Thanks for your note. I do not seem to see how I can get one for free. I am browsing their site and see that in the Free SSL section they only appear to provide 90 days 'free' for SSL certificates, no mention of S/MIME anywhere...

https://secure.instantssl.com/products/frontpage?area=SecureEmailCertificate&currency=USD&region=North+America&country=US

Really curious about how you found that 😉 on their website.

I understand the additional points such as automated validation and the open records, but you can get free SSL certificates through StartSSL. The companies who don't want to pay for an SSL certificate (or do the research to find a free one) are most likely using shared hosting or some kind of managed hosting that costs extra to enable the SSL certificate anyway. So if they aren't going to pay the money for the cert, I can't see them paying extra per month to enable the free cert on their hosting.