2016-02-09

SSF*L

Updated


F* stands for Flawed.


On the way to making OSM Buildings a bit more secure and the data backend more convenient to use, HTTPS had to come into play.
Still being a small project, I put big hope into letsencrypt in order to get free certificates.

Domain setup


osmbuildings.org - primary website
   www.osmbuildings.org - forwards to the primary website
   cdn.osmbuildings.org - serves static scripts
  data.osmbuildings.org - entry point for all the data
a.data.osmbuildings.org - alternative sub-sub domain for parallel loading
b.data.osmbuildings.org - alternative sub-sub domain for parallel loading
c.data.osmbuildings.org - alternative sub-sub domain for parallel loading
d.data.osmbuildings.org - alternative sub-sub domain for parallel loading

It's most important to cover the "data" subtree as this is the core service for users.

When letsencrypt went live, it was just disappointing that certificates expire after 90 days. It's very inconvenient to make sure you never miss a quarterly renewal.
Also, they offer no Wildcard certificates, which means renewing every single domain.

A complicating fact is that the "data" subtree is not served by any common web server, which means manual updating.

I think that's all a concession to the big commercial CAs in order to get their cross-signature.

OK, we've outgrown SSL for personal use.

Next stop StartSSL.


I ordered a Wildcard certificate and the process felt endless.
No information about what documents they really need, extensive loops after every single upload and reply.
Then no clear information about what would be missing or when the process would be completed.

I stopped the nightmare after a week.

Still not able to spend thousands on SSL, I was nevertheless willing to increase the budget.

Wildcard certificates


My choice was a RapidSSL cert, re-sold by my server provider.
And suddenly things went fast and seemingly well.

But then I learned what Wildcard really means:

coverage for *.osmbuildings.org

osmbuildings.org - YES
   www.osmbuildings.org - YES
   cdn.osmbuildings.org - YES
  data.osmbuildings.org - YES
a.data.osmbuildings.org - NO!
b.data.osmbuildings.org - NO!
c.data.osmbuildings.org - NO!
d.data.osmbuildings.org - NO!

The most important addresses would not be covered!
I had to learn this is as intended in RFC 6125.
I was told to buy another Wildcard cert for the sub-sub domains. Doubling the price made clear who profits from such regulation.

Then I just tried to change the certificate to cover the whole "data" subtree.
Not possible. I had to cancel everything and reorder.

If *.osmbuildings.org covers osmbuildings.org and its sub domains,
then a Wildcard like *.data.osmbuildings.org should cover data.osmbuildings.org and its sub domains.

expected coverage by *.data.osmbuildings.org

osmbuildings.org - NO
   www.osmbuildings.org - NO
   cdn.osmbuildings.org - NO
  data.osmbuildings.org - YES
a.data.osmbuildings.org - YES
b.data.osmbuildings.org - YES
c.data.osmbuildings.org - YES
d.data.osmbuildings.org - YES

Again, that's not the case. Now the bare data.osmbuildings.org remains uncovered.
I call that a rip-off.
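The coverage rules above, as an added example that is not part of the original post and not OSM Buildings code: a small Python matcher implementing the RFC 6125 wildcard rules the way browsers and OpenSSL apply them, run over the host list from the domain setup above (the SAN lists are constructed for the demonstration). One caveat it makes visible: a wildcard label matches exactly one label and never zero, so *.osmbuildings.org on its own does not match the bare osmbuildings.org either. Commercial Wildcard certificates usually list the bare name as an additional subjectAltName entry, which is why it appeared covered above, and the same mechanism is why a single certificate carrying osmbuildings.org, *.osmbuildings.org and *.data.osmbuildings.org as SANs covers the whole setup at once.

```python
"""Which hostnames does a dNSName (plain or wildcard) in a certificate cover?

Added example, not OSM Buildings code.  Implements the matching rules of
RFC 6125 section 6.4.3 as browsers and OpenSSL apply them to X.509
subjectAltName dNSName entries.  Hostnames are the ones from the domain
setup above; the SAN lists below are constructed for the demonstration.
"""
from typing import Dict, Iterable

# The eight names from the domain setup.
HOSTS = [
    "osmbuildings.org",
    "www.osmbuildings.org",
    "cdn.osmbuildings.org",
    "data.osmbuildings.org",
    "a.data.osmbuildings.org",
    "b.data.osmbuildings.org",
    "c.data.osmbuildings.org",
    "d.data.osmbuildings.org",
]

# Constructed SAN lists: the two single wildcards bought in the post, and the
# one multi-name certificate that covers everything.
WILDCARD_TOP = ["*.osmbuildings.org"]
WILDCARD_DATA = ["*.data.osmbuildings.org"]
SINGLE_CERT = ["osmbuildings.org", "*.osmbuildings.org", "*.data.osmbuildings.org"]


def dnsname_matches(pattern: str, hostname: str) -> bool:
    """Return True if `hostname` is covered by the dNSName `pattern`.

    Rules (RFC 6125 section 6.4.3, browser/OpenSSL practice):
      - comparison is case-insensitive; a trailing dot is ignored
      - a wildcard is honoured only as the entire left-most label
        ("*.example.org"), never in other labels or as part of a label
      - "*" matches exactly one label: "*.example.org" matches
        "www.example.org" but neither "example.org" nor "a.www.example.org"
      - a wildcard directly under a TLD ("*.org") is refused
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" in hostname:
        return False  # a hostname is never a pattern
    if "*" not in pattern:
        return pattern == hostname  # plain dNSName: exact match only
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    # Only a whole left-most label may be a wildcard; reject "w*.example.org"
    # and "*.*.example.org".
    if plabels[0] != "*" or any("*" in label for label in plabels[1:]):
        return False
    # Refuse wildcards that would cover a whole TLD, e.g. "*.org".
    if len(plabels) < 3:
        return False
    # The wildcard label stands for exactly one hostname label, so the label
    # counts must be equal and every non-wildcard label must match.
    if len(hlabels) != len(plabels):
        return False
    return hlabels[1:] == plabels[1:]


def coverage(san_names: Iterable[str], hosts: Iterable[str] = HOSTS) -> Dict[str, bool]:
    """Map each host to whether any dNSName in `san_names` covers it."""
    names = list(san_names)
    return {h: any(dnsname_matches(n, h) for n in names) for h in hosts}


def print_table(title: str, san_names: Iterable[str]) -> None:
    """Render a YES/NO table in the style of the post."""
    print(f"coverage by {', '.join(san_names)}")
    for host, ok in coverage(san_names).items():
        print(f"{host:>24} - {'YES' if ok else 'NO'}")
    print()


if __name__ == "__main__":
    print_table("top-level wildcard", WILDCARD_TOP)
    print_table("data wildcard", WILDCARD_DATA)
    print_table("single multi-name cert", SINGLE_CERT)
```

Run as a script it prints the three tables; the first two reproduce the NO rows from the post, with the bare osmbuildings.org additionally NO because the wildcard alone does not reach it, and the third is all YES. Feeding it the dNSName entries printed by `openssl x509 -noout -text` for a real certificate is a quick way to check coverage before paying for it.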

Update


As the RapidSSL certificate combination didn't help me either, I went back to StartSSL and spent more time reading carefully about what's possible with their services.

Seemingly, all requirements could be covered, so I gave them another try. Luckily, all my uploaded documents were still present.

It required some pushing, but in the end I bought one validation and can now use Wildcards and multiple domains together.
Just a single certificate to be installed once.

A good note on RapidSSL: cancelling my orders went fast and without any questions.

Shady paths


On my way to finding providers, I hit the original vendors, which are just excessively expensive. Then websites like rapidsslonline.com (compare with rapidssl.com) that look like a copy but are much cheaper.
But not a word about what they are. Resellers? A branch? Just fraud?

I also found some promising German providers. Usually it doesn't matter, but it helps a lot if you speak the same language as your support peer.
But for all of them, either their certificate was issued to some Far East Asian company, was invalid, or was non-existent.

All this does not create trust, especially in such a sensitive business.

That's why I think the system is seriously flawed.