Get Wild

2014-11-24 13:11

This has been an SSL-only site for two years, but the price is finally right for me to justify a *.cooltrainer.org wildcard SSL certificate. At the moment I have three single-domain Comodo PositiveSSL certificates, one for the top-level cooltrainer.org with an altName for www., one for gigadelic.cooltrainer.org, the server hosting this page, and one for my home NAS evila.aloe.cooltrainer.org. Collectively they secure this web site (hi!), SMTP and IMAP for my email, my XMPP chats, mumble voice chat, file syncing, and more. For the same $30 a year I was able to get a five-year wildcard certificate from an AlphaSSL reseller using a 50% off coupon code. That’s even cheaper than StartSSL’s yearly verification fee and doesn’t require sending scans of my identification documents to a foreign CA. I’m not here to shill so I won’t link the reseller I used, but a search should get you there if you’re interested.

The AlphaSSL cert requires one less intermediate CA certificate to be delivered in the chain, meaning faster handshakes and quicker page loads. AlphaSSL certs are signed by GlobalSign, and I’m happy to find they provide a subjectAltName for the apex domain when ordering a wildcard. Some CAs supply certificates that cover anysubdomain.example.com but not example.com itself. Some people advocate hosting on www and redirecting the apex there, but I think their “people are just so dumb!” argument for it is pretty flat. WWW is implied by port 80 or port 443, thank you, and I want to continue hosting on the apex because I like the aesthetics. I went out of my way to specify the subjectAltName in my certificate signing request using an OpenSSL configuration file since the interactive mode will not prompt for it, but I don’t think that’s actually necessary with this particular CA. I like having a config anyway so I don’t have to retype my information each time.

wildcard.cooltrainer.org.conf 
  1. [ req ]

  2. default_bits        = 2048

  3. default_keyfile     = wildcard.cooltrainer.org.key

  4. distinguished_name  = req_distinguished_name

  5. req_extensions     = req_ext

  6. 

  7. [ req_distinguished_name ]

  8. countryName           = Country Name (2 letter code)

  9. countryName_default   = US

  10. stateOrProvinceName   = State or Province Name (full name)

  11. stateOrProvinceName_default = California

  12. localityName          = Locality Name (eg, city)

  13. localityName_default  = San Francisco

  14. organizationName          = Organization Name (eg, company)

  15. organizationName_default  = Cooltrainer

  16. organizationalUnitName          = Organizational Unit Name (eg, section)

  17. organizationalUnitName_default = Rapid 99

  18. commonName            = Common Name (eg, YOUR name)

  19. commonName_default    = *.cooltrainer.org

  20. commonName_max        = 64

  21. 

  22. [ req_ext ]

  23. subjectAltName          = @alt_names

  24. 

  25. [alt_names]

  26. DNS.1   = cooltrainer.org

My old three-certificate system worked, but I had to move a bunch of services and files to subdirectories of domains with SSL coverage. Downloads for my own software and the distfiles for my ports had to leave update., and I have a pile of horrible rewrite rules in nginx.conf on my NAS to make applications like Owncloud and Friendica work correctly. I’m excited to be able to take advantage of DNS again for securely hosting jailed services on subdomains. I’ll still be reverse-proxying HTTP since my Comcast overlords only grace me with a single NATed IPv4 address, but that at least means the jails can be IPv6 only on my LAN! Having a wildcard cert means I can finally declare HSTS headers with includeSubDomains and get on the preload list.

The centralized certificate authority model is still awful and broken. You might be surprised at the number of root CAs trusted by your browser or by your operating system, and any one of them can issue a valid certificate for any domain. CAs have been socially engineered, hacked, and otherwise soundly owned many times in recent history. They arbitrarily inflate the prices of wildcard and other specialty certificates and even invented Extended Validation certificates as a new way to scare website owners into shelling out for more and more expensive 2048-byte blocks of text. Their racket has lived far too long and hopefully a distributed replacement system like Convergence catches on and lets the web fully encrypt. Until then I’ve at least bought myself some flexibility.