what do you guys use for SSL/TLS

chagara · July 6, 2016, 1:33am

I was wondering what you guys use for HTTPS and other cert related connection. Do you guys buy the certs or started using lestencrypt?

r0bby · July 6, 2016, 5:16am

OpenMRS buys certificates. LetsEncrypt certs must be renewed every 3 months. We use SSL2Buy. I would recommend Let’s Encrypt – it’s easy to set up a cronjob to renew it without any intervention.

chagara · July 12, 2016, 7:56pm

I would recommend Let’s Encrypt – it’s easy to set up a cronjob to renew it without any intervention.

That is why I ask because of that same feature. You can just save the cost and process of getting the cert and automate it.

ball · July 12, 2016, 8:18pm

At Partners In Health, we use a wildcard SSL certificate for all our OpenMRS and other servers. Let’s Encrypt doesn’t offer a wildcard certificate. It makes it much easier to deploy a server using automated build scripts when we have a single wildcard certificate.

chagara · July 12, 2016, 8:20pm

True but, in that deployment you can include the script that creates and configures your cert. Depending how you do your automation let it handle it without touching it.

burke · July 13, 2016, 1:48am

For any publicly visible server, LetsEncrypt is a great option with these advantages:

More secure. Individual certs are more secure than wildcard certs, since the security of a wildcard certificate is diminished every time it’s copied onto another server.
Automated. Both eliminates certs expiring before getting manually renewed and limits the risk of a compromised cert, since LetsEncrypt certs are only valid for 3 months.
Free!

With these advantages, there’s little reason to purchase TLS certs for public servers any longer. If you want to secure servers that are not publicly visible (e.g., offline or behind a VPN) with valid (i.e., not self-signed) certs, then you cannot use LetsEncrypt and need to find an alternative.

r0bby · July 13, 2016, 8:35am

I see little reason to switch. Everything works for us right now. I’m a fan of “let’s not break what’s not broken” – Wildcard certs are a good thing. This is just my opinion. Our wildcard certificate is valid until 2018. We can revisit this then. I would think it’d be a pain the butt with the way OpenMRS does things. We use ansible to provision new servers, keep our servers updated, and add users to servers (using ssh keys).

chagara · July 13, 2016, 10:25am

I only brought it up as a discussion only. Not trying to change things.

r0bby · July 13, 2016, 10:30am

That is fine, just saying in the case of wildcard SSL certs, what we’re doing works.

I do know how easy it is provision letsencrypt, I did it recently.