Time for a new SSL cert (Legacy Symantec cert)

Discussion in 'Suggestions' started by tep, Jul 28, 2018.

  1. tep

    tep ScubaBoard Supporter

    # of Dives: 100 - 199
    Location: San Diego CA USA
    Hi, thanks for SB - my favorite online hangout. Thanks esp for the excellent moderation...

    I just noticed that the SSL cert is a "legacy Symantec certificate". I only noticed because I typically run Chrome Canary, which is 1-3 months ahead of the stable release. Canary (Chrome v70) has started throwing errors for the legacy Symantec certificates that are going to be untrusted by mainstream browsers in a few months.

    Here's a description of what's going on.
    Google Online Security Blog: Distrust of the Symantec PKI: Immediate action needed by site operators

    Hopefully this will help you get a head start on a new cert and head off user confusion in about a month or so :)

  2. rsingler

    rsingler Scuba Instructor, Tinkerer in Brass Staff Member ScubaBoard Sponsor

    # of Dives: 500 - 999
    Location: Napa, California
  3. Oz Chris

    Oz Chris Nassau Grouper

    # of Dives: 100 - 199
    Location: Sydney, Australia
  4. TrimixToo

    TrimixToo Regular of the Pub

    # of Dives: 200 - 499
    Location: New York State
    "tep" is spot on. Most browsers will be updated to remove the Symantec root CA certificates over the next couple of months. I, for one, will not be reinstalling any of them.

    Pete, if you are not already headed in this direction, I urge you to get a commercial server certificate from someone like DigiCert to replace your current GeoTrust server certificate. Why? The root CA certificate from any trusted Certificate Authority will already be installed in most common browsers, SSL will "just work," and life will go on.

    I'll note that everyone will have to reestablish their connections when you change the server certificate, but I expect most people won't even notice (or notice much).
  5. Sean Walberg

    Sean Walberg Nassau Grouper

    # of Dives: 25 - 49
    Location: Northern Virginia
    Highly recommend Let's Encrypt. Not only is it free, but once you've got it set up it automatically renews certificates so you never need to worry about it.

    Since the site looks to be in AWS, Amazon has a certificate manager service that also issues free certificates, though you might need to be on an ELB.