Honestly, you can buy a cert cheaply now. I think RapidSSL is like $18/year for a domain validated cert.

On Tue, Mar 14, 2023, 8:26 PM Jonathan Chapman via vcf-midatlantic <vcf-midatlantic@lists.vcfed.org> wrote:
Yes, HSTS has been disabled. You can reach the site now while we are getting new certs installed. Just accept the expired cert.
I don't want to be telling folks how to do their jobs (especially since it's volunteer work), but that's a pretty rough suggestion nowadays. Looks like you're using LetsEncrypt, which is a good choice, but since the certs are short and the process should be automated and should work, I always monitor when I use LetsEncrypt. I've had two occasions where changes to their API broke acme-client on OpenBSD. For that situation, simply giving mail an actual deliverable address to go to will let you know.
For more complex situations, like when the deployment of the cert sometimes fails because of (customer) client derps, I set up a CI job to do a HTTPS connection to the page (just a cURL will do it) and bomb if there are any errors or the cert is within X days of expiration.
Thanks, Jonathan
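The CI check described in the reply above, written out as an added example (not a script from the list or from the VCF site's own setup). It assumes a Linux runner with GNU coreutils `date -d`, curl and openssl; the function names and the 14-day default margin are my own choices. The curl call is run without `-k`, so an expired or mismatched cert fails the job on its own, and the expiry margin is then checked separately so the job can fail before the cert actually lapses.

```shell
#!/bin/sh
# Added example, not from the thread. Exit non-zero when the HTTPS request
# fails or the leaf cert expires within N days. Needs GNU date, curl, openssl.

# Whole days from $2 (epoch seconds, default: now) until the notAfter
# string $1 as openssl prints it, e.g. "Mar 14 20:26:00 2023 GMT".
days_until_expiry() {
    not_after="$1"
    now="${2:-$(date +%s)}"
    exp=$(date -u -d "$not_after" +%s) || return 2   # unparsable date
    echo $(( (exp - now) / 86400 ))
}

# 0 if the cert expiring at $1 is still good for more than $2 days
# (evaluated at epoch $3, default: now); 1 otherwise.
expiry_ok() {
    days=$(days_until_expiry "$1" "$3") || return 1
    [ "$days" -gt "$2" ]
}

# Read notAfter from the live leaf cert (SNI set so vhosts answer correctly).
fetch_not_after() {
    host="$1"
    echo | openssl s_client -servername "$host" -connect "$host:443" 2>/dev/null \
        | openssl x509 -noout -enddate | sed 's/^notAfter=//'
}

# The CI job: curl must succeed with full TLS verification (no -k),
# then the remaining validity must exceed the margin.
check_site() {
    host="$1"; min_days="${2:-14}"
    curl -sSf -o /dev/null "https://$host/" \
        || { echo "HTTPS request to $host failed"; return 1; }
    not_after=$(fetch_not_after "$host") \
        || { echo "could not read cert for $host"; return 1; }
    if expiry_ok "$not_after" "$min_days"; then
        echo "$host OK: cert valid until $not_after"
    else
        echo "$host FAIL: cert expires within $min_days days ($not_after)"
        return 1
    fi
}

# Only contact the network when a host is given, e.g.: ./check_cert.sh example.org 14
if [ "$#" -gt 0 ]; then
    check_site "$@"
fi
```

Wire `check_site yourhost 14` into a scheduled CI job and deliver its failures to a mailbox someone actually reads.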