Dashboard doesn't trust Let's Encrypt? (Spoiler Alert: It does)
So I got this email from Meraki yesterday:
And since I have a few testing code snippets that I use for Webhooks and the Scanning API, I figured I should get my butt in gear and convert them to HTTPS.
I don't have my own public CA, and certs are expensive, so I thought I'd just use Let's Encrypt to get myself a free cert that I can tie into my test tools. But after I got it all set up, the Dashboard is failing when I try and use the "Validate" button for the Scanning API, or the "Send Test Webhook" button for webhooks. I have validated that my cert is installed correctly and working by pointing my browser and curl at my tools, and they both work fine.
I suspect that the Meraki Dashboard does not trust certificates from Let's Encrypt... So I've opened a case with support to ask the question, but while I wait I thought I'd throw the question out to the community to see if anyone has gone through this before and knows the answer?
If Let's Encrypt is not trusted, hopefully I can convince Meraki to add them 🙂
From what I know, Let's Encrypt is trusted by all major Root CAs. So in principle it should be secure enough.
On the other hand, I remember having read somewhere that many don't see Let's Encrypt as a safe free encryption body any more, due to its ease in creating SSL certificates.
Before, you could trust that if someone uses HTTPS the website was regarded as safe/free of malicious software, because certificates weren't easy to get, and people trusted it. With Let's Encrypt, it has become too easy for malicious entities to create websites, even using Let's Encrypt.
A domain-validated certificate is just that - domain validated only. You can do this manually, or you can do it programmatically (which Let's Encrypt does) - but it is that level of validation that establishes the security or safety of the system, and not whether a user processes the request themselves via a website or a program does.
Probably the biggest plus with Let's Encrypt is that it only issues certificates for 3 months. This is a huge step forward for security when a breach or theft occurs, as it sets the maximum time scope. It's like a password change policy.
The old human-issued certificates can be issued for up to 2 years - 8 times longer.