what do you guys use for SSL/TLS

I was wondering what you guys use for HTTPS and other cert-related connections. Do you guys buy the certs, or have you started using Let’s Encrypt?

OpenMRS buys certificates. LetsEncrypt certs must be renewed every 3 months. We use SSL2Buy.

I would recommend Let’s Encrypt – it’s easy to set up a cronjob to renew it without any intervention.

That is why I asked, because of that same feature. You can just save the cost and process of getting the cert and automate it.

At Partners In Health, we use a wildcard SSL certificate for all our OpenMRS and other servers. Let’s Encrypt doesn’t offer a wildcard certificate. It makes it much easier to deploy a server using automated build scripts when we have a single wildcard certificate.


True, but in that deployment you can include the script that creates and configures your cert. Depending on how you do your automation, let it handle it without touching it.

For any publicly visible server, LetsEncrypt is a great option with these advantages:

  • More secure. Individual certs are more secure than wildcard certs, since the security of a wildcard certificate is diminished every time it’s copied onto another server.
  • Automated. Automation both eliminates certs expiring before they are manually renewed and limits the risk of a compromised cert, since LetsEncrypt certs are only valid for 3 months.
  • Free!

With these advantages, there’s little reason to purchase TLS certs for public servers any longer. If you want to secure servers that are not publicly visible (e.g., offline or behind a VPN) with valid (i.e., not self-signed) certs, then you cannot use LetsEncrypt and need to find an alternative.
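The expiry failure mode discussed above (a cert that quietly runs out before anyone renews it) is easy to watch for from the same cron job that does the renewal. This is an added example, not code from the thread or from OpenMRS; it assumes only the `openssl` CLI, and the 30-day threshold, the cron schedule and the `/etc/ssl/certs/host.pem` and `/path/to/renew.sh` paths are assumptions.

```shell
#!/bin/sh
# Added example: a cron-friendly expiry check for a PEM certificate.
# Assumes only the openssl CLI; threshold and paths below are assumptions.

# Succeeds (exit 0) when the PEM cert in $1 is still valid for at least $2 more days.
# `openssl x509 -checkend N` exits non-zero if the cert expires within N seconds.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(($2 * 86400))" >/dev/null 2>&1
}

# Print OK or RENEW for the cert in $1 against a threshold of $2 days. For a
# 90-day Let's Encrypt cert, a 30-day threshold flags it with a third of its
# lifetime left, well before an outage.
cert_status() {
  if cert_valid_for_days "$1" "$2"; then echo OK; else echo RENEW; fi
}

# Constructed sample: a throwaway self-signed cert valid for $1 days, so the
# check can be exercised offline. Prints the certificate path.
make_sample_cert() {
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days "$1" \
    -subj "/CN=example.test" -keyout "$dir/key.pem" -out "$dir/cert.pem" \
    >/dev/null 2>&1
  echo "$dir/cert.pem"
}

# Cron usage (assumed paths): run daily, and only call the renewal script when
# the check reports RENEW, so a renewal that silently stopped working is noticed.
# 0 3 * * * [ "$(cert_status /etc/ssl/certs/host.pem 30)" = RENEW ] && /path/to/renew.sh

if [ "${1:-}" = "--demo" ]; then
  cert=$(make_sample_cert 10)
  echo "10-day cert vs 30-day threshold: $(cert_status "$cert" 30)"   # RENEW
  echo "10-day cert vs 5-day threshold:  $(cert_status "$cert" 5)"    # OK
fi
```

Run with `--demo` to see both outcomes on the constructed sample; the same `cert_status` call works on any PEM file a web server is serving.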

I see little reason to switch. Everything works for us right now. I’m a fan of “let’s not break what’s not broken” – Wildcard certs are a good thing. This is just my opinion. Our wildcard certificate is valid until 2018. We can revisit this then. I would think it’d be a pain in the butt with the way OpenMRS does things. We use Ansible to provision new servers, keep our servers updated, and add users to servers (using ssh keys).

I only brought it up for discussion. Not trying to change things.

That is fine, just saying in the case of wildcard SSL certs, what we’re doing works.

I do know how easy it is to provision letsencrypt; I did it recently.