[aprssig] who forgot to renew aprs-is.net?
Heikki Hannikainen
hessu at hes.iki.fi
Fri Feb 11 10:57:01 EST 2022
On Tue, 11 Jan 2022, Pete Loveall AE5PL Lists via aprssig wrote:
> Andrew is correct about this being a browser issue. Aprs-is.net (and a
> number of other ham-related sites) is hosted on a shared IP address
> which precludes https as a switch protocol (unless you want to pay $$$
> for wildcard certificates covering all domains hosted).
In case you'd eventually like to use https for the other sites:
These days you can get a wildcard certificate for free from Let's Encrypt
(https://letsencrypt.org/). The combined downside and upside is that LE
certs are only valid for 3 months, so the renewal needs to be automated to
happen roughly every 2 months. Luckily there's a bunch of existing,
maintained scripts to do this. I use Let's Encrypt certs on aprs.fi - not
a wildcard cert though, but a single cert with a big bunch of different
names on it (aprs.fi, www.aprs.fi, api.aprs.fi, and all the languages:
fi.aprs.fi, https://de.aprs.fi/, https://ja.aprs.fi/ ...).
All recent browsers (since about 10 years) also support the SNI TLS
extension (RFC 3546, RFC 6066). They tell the https server the hostname
they'd like to talk to in the very beginning of the handshake, so that the
server can then choose which server certificate to present. Name-based
virtual hosting on a single IP with TLS and multiple different
certificates is relatively easy to configure - on Apache or NGINX I just
give them the different certs for different virtual servers and assign
them with the same IP, and it works. I see you're using IIS, IIS version 8
in 2012 added SNI support.
https://en.wikipedia.org/wiki/Server_Name_Indication
- Hessu
More information about the aprssig
mailing list