Re: [vcf-midatlantic] social.vcfed.org is down again
Yes, HSTS has been disabled. You can reach the site now while we are getting new certs installed. Just accept the expired cert.
I don't want to be telling folks how to do their jobs (especially since it's volunteer work), but that's a pretty rough suggestion nowadays. Looks like you're using LetsEncrypt, which is a good choice, but since the certs are short and the process should be automated and should work, I always monitor when I use LetsEncrypt. I've had two occasions where changes to their API broke acme-client on OpenBSD. For that situation, simply giving mail an actual deliverable address to go to will let you know.
For more complex situations, like when the deployment of the cert sometimes fails because of (customer) client derps, I set up a CI job to do an HTTPS connection to the page (just a cURL will do it) and bomb if there's any errors or the cert is within X days of expiration.
Thanks, Jonathan
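One way to build the kind of CI job Jonathan describes, as an added example that is not code from the thread or from VCF's own setup. It assumes GNU coreutils `date` (for `-d`), curl and openssl are present on the CI runner; the URL, the hostname derived from it and the minimum-days threshold are caller-supplied placeholders, and the sample `notAfter` strings used to exercise the date arithmetic are constructed, not taken from any real certificate.

```shell
#!/bin/sh
# Added example, not code from the thread: a CI-style check in the spirit of
# "cURL the page and bomb if anything is wrong or the cert is about to expire".
# Assumptions: GNU coreutils `date` (for -d), curl and openssl are on the
# runner; the URL and the minimum-days threshold are supplied by the caller.
set -e

# Whole days until the notAfter date as printed by `openssl x509 -noout -enddate`
# (e.g. "notAfter=Mar 14 23:59:59 2023 GMT"). The current time is passed in as
# an epoch value so the arithmetic can be tested without a network or a clock.
days_until_expiry() {
    end="${1#notAfter=}"
    now_epoch="$2"
    end_epoch="$(date -u -d "$end" +%s)"
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

# Policy: succeed only if at least min_days remain. Kept separate from the
# network code so the threshold logic is unit-testable.
expiry_ok() {
    [ "$1" -ge "$2" ]
}

# Live check. curl exits non-zero on any TLS failure (expired cert, wrong name,
# untrusted chain); -f additionally fails on HTTP 4xx/5xx. Then the served
# leaf cert is fetched with openssl s_client (SNI set) and its expiry scored.
check_site() {
    url="$1"
    min_days="${2:-14}"
    host="${url#https://}"; host="${host#http://}"
    host="${host%%/*}"; host="${host%%:*}"

    if ! curl -sSf --max-time 20 -o /dev/null "$url"; then
        echo "FAIL: HTTPS request to $url failed"
        return 1
    fi

    enddate="$(openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -enddate)"
    left="$(days_until_expiry "$enddate" "$(date +%s)")"

    if expiry_ok "$left" "$min_days"; then
        echo "OK: $host cert valid, $left day(s) left"
    else
        echo "FAIL: $host cert expires in $left day(s), threshold is $min_days"
        return 1
    fi
}

# Run only when invoked with arguments, e.g. from a CI job:
#   sh tls-check.sh https://social.vcfed.org 14
if [ $# -gt 0 ]; then
    check_site "$@"
fi
```

The non-zero exit from `check_site` is what makes the CI job fail, and because curl verifies the chain by default, a site that is up but serving an expired certificate (the "just accept the expired cert" state) already fails the first step before any expiry arithmetic runs. The current time is passed into `days_until_expiry` rather than read inside it so the threshold logic can be exercised in the job's own tests without touching the network.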
Honestly you can buy a cert cheaply now. I think RapidSSL is like $18/year for a domain validated cert.
On Tue, Mar 14, 2023, 8:26 PM Jonathan Chapman via vcf-midatlantic <vcf-midatlantic@lists.vcfed.org> wrote:
On Tue, Mar 14, 2023 at 11:14 PM Christian Liendo via vcf-midatlantic <vcf-midatlantic@lists.vcfed.org> wrote:
Honestly you can buy a cert cheaply now. I think RapidSSL is like $18/year for a domain validated cert.
I believe that it is all covered. We had one before, but it needed to be renewed by Bob. He is hosting all our VCF stuff.
The SSL was obtained shortly after posting that email. I'm using a manual Let's Encrypt so I can do it with one command and there is nothing but hitting enter to complete the renewal. Just needed a little coordination to update the challenge DNS, that is all. We got it done and the cert is up there. This is hardly how I would handle something at my day job, but as you surmised, this isn't my day job.
As I've said before, if anyone notices anything you can email the list (I keep up) or email me directly. I'm happy to listen. Setting up something that monitors this is a worthy exercise; I'll ask chatGPT-4 to set up something for me later this week :)
-andy
On Mar 14, 2023, at 8:25 PM, Jonathan Chapman <lists@glitchwrks.com> wrote:
Looks like you're using LetsEncrypt, which is a good choice, but since the certs are short and the process should be automated and should work, I always monitor when I use LetsEncrypt. I've had two occasions where
One day LetsEncrypt is going to auto-update a backdoor onto a gazillion hosts. - Ethan
No different than Windows Update or a Linux distro's apt update / yum update potentially distributing bad code. On the whole though, easy patching is better for society, and so are free TLS certs.
Thanks, Don
On 3/15/23 10:42, Ethan O'Toole via vcf-midatlantic wrote:
participants (6)
Andrew Diller
Christian Liendo
Don Barber
Ethan O'Toole
Jeffrey Brace
Jonathan Chapman