[Updated 2018/06/30 15:19:00 UTC. I've received word that "certificate renewed, but hasn't been issued" and that it will be installed as soon as we receive the new cert. Original story follows. --martyb]
We've been up front with the community right from the start... and intend to keep doing so in the future.
Where we are at:
We have encountered an issue with Lets Encrypt (LE), the certificate issuer for the majority of our [sub]domains. Even though we can 'see' these domains from any number of different servers... for some unknown reason, LE fails to see them. So, at the moment, we are unable to get them to generate certs for us.
Separately, the cert for soylentnews.org is handled by Gandhi. As far as I understand it (and I'm no sysadmin so take this with a healthy dose of salt) there are only two members of our staff who have the ability to update that cert. (We obviously don't want to let world+dog have access to that, right? My guess is that at that time, having a couple people seemed sufficiently redundant and secure).
What it means to you:
You may encounter a warning from your browser when trying to access the site that a certificate has expired. I cannot speak for all browsers, but I've generally seen that along with the warning is an option to trust the cert anyway. (Note: along with allowing that exception, I've sen at least one browser default a checkbox to make the exception permanent. It's entirely up to you, but I see no reason to make it a permanent exception at this point.)
We are working on it, and obviously hope to have things straightened out sooner than later! On the other hand, should things go sideways, I want to keep the community informed about what's up, what's happening, and what you can expect.
Checking status:
If you would like another means to check on the status of the certs, Comodo makes it easy with queries such as these:
https://crt.sh/?q=soylentnews.org
https://crt.sh/?q=%%25soylentnews.org
https://crt.sh/?q=sylnt.us
https://crt.sh/?q=%%25sylnt.us
tl;dr:
If the site becomes unavailable because of an expired cert, yeah, we know and we're working on it. Accept a temporary exception in your browser and we'll let you now when things are back to normal.
--martyb
P.S. Our Editor-in-Chief, janrinok, is currently undergoing preparations for a medical procedure... it's hard to say at this point, but it's likely he may be unavailable to help with the site for a couple weeks. Please join me in wishing him well for the procedure and for a speedy recovery!
Related Stories
This is a followup to: SoylentNews Site Certificates Expiring... We ARE Working on It, But... [Updated]
and: Site Services Restored
Certs (Not Just a Breath Mint):
Thanks to the efforts of The Mighty Buzzard and NCommander we now have valid certs, issued by LetsEncrypt installed on all of our servers. Except that the IRC server needs to be bounced to make its cert active on the backup daemon, all should now be in effect. As in our original story, you can check our certificate status with these links:
https://crt.sh/?q=soylentnews.org
https://crt.sh/?q=%%25soylentnews.org
https://crt.sh/?q=sylnt.us
https://crt.sh/?q=%%25sylnt.us
Developers:
The past few days have brought into focus a situation that has been building for several months: We really only have a single person who is working on developing features for the site, The Mighty Buzzard. As with any large and on-going undertaking, this burden is taking its toll. I try to help out as I can, but as I am the primary QA/Test guy who is much better at the user-facing things than what all happens "under the covers", my abilities and assistance are limited. If you have any spare time and would like to lend a hand (and every bit helps), please reply in the comments or contact The Might Buzzard directly on IRC.
Community:
I recall in the early days of this site when things would fall over several times a day. That has largely become a thing of the past... to the point where it is unusual for any issues to appear on the site and the support services we maintain (email, wiki, IRC, etc.) The baseline code on which this site was founded (open-sourced, out-of-date, back-level, and non-functional) was not promising, but the staff managed to bludgeon it into shape and we now have a solid foundation. That it continues to run as smoothly as it has is a testament to our SysOps folk who toil largely in the background and just keep things working... as well as the continued care-and-feeding that TMB so generously provides. To all of you, please accept my heartfelt thanks and appreciation!
Some numbers: we are approaching the 23,000th story posted; have recently passed 700,000 comments submitted; have had over 3,300 journal articles posted; and are on the cusp of having our 120th Poll!
Though all numbers are approximate and unofficial, it appears we surpassed our funding goal for the first half of the year ($3,000) with a net subscription tally of just over $3,250! I'll leave it to our treasurer to collate and post the official numbers. I'll leave the "Funding Goal" side bar as is for a week or so to commemorate this accomplishment. Do note that subscriptions are still being accepted and will count towards the second half of the year's funding needs.
Folding@Home: Not all of you may be aware, but our soylentnews team for Folding@Home is currently at 240th place... in the world! It started with a single story posted to this site. Just over four years ago, we were at 230,319th place! If you have any spare computes you would like to contribute, especially GPU-based, we'd love to have you sign up! Just reply in the comments and I'm sure someone will get back to you.
Whenever I write one of these stories, I always fear I'll have omitted someone or something important. Please accept my humble apologies if I have done so as there is no intent to slight any contributor.
To the community, I offer my thanks for your contributions to the site as well as your patience and understanding during the challenges of the past few days. Contributions are not just financial (though we wouldn't be here without them -- Thank You!), but also submitting stories and comments, and moderating comments, too! The community continues to impress me with your wide-ranging knowledge and expertise; I have learned much from the exchanges in the story comments!
Lastly, please keep janrinok (our Editor-in-Chief) in your thoughts and wishes while he undergoes a medical procedure and attendant recovery period. Best of luck JR!
--martyb
(Score: 3, Insightful) by Anonymous Coward on Saturday June 30 2018, @01:46AM (2 children)
Thank you for the explanation, and for being very upfront about the situation. Very few sites would be so forthcoming, and it is greatly appreciated.
(Score: 0) by Anonymous Coward on Sunday July 01 2018, @12:17AM (1 child)
The site is now failing on Chrome. The cert expired Saturday, June 30, 2018 at 7:59:59 PM Eastern Daylight
Chrome's "Advanced" info (where we would normally click the link to live dangerously) says:
(Score: 0) by Anonymous Coward on Sunday July 01 2018, @01:12AM
Unreachable in firefox too. Same thing, strict ssl doesn't allow exceptions. You can get around it by setting the computer date in the past. Mine now thinks today is the 29th of June.
(Score: 2) by Snow on Saturday June 30 2018, @01:55AM (3 children)
Get better soon!
(Score: 2) by SpockLogic on Saturday June 30 2018, @02:04AM (2 children)
janrinok will be much improved
once he's had his nuts removed
or something like that ....
Overreacting is one thing, sticking your head up your ass hoping the problem goes away is another - edIII
(Score: 2) by Snotnose on Saturday June 30 2018, @05:56AM (1 child)
His wife's lover will approve
This I dare you to disprove
/ hangs his head in shame
// Get well dude
/// Love this site.
When the dust settled America realized it was saved by a porn star.
(Score: 4, Funny) by ilPapa on Saturday June 30 2018, @04:25PM
In my experience when someone says they are going in for a "medical procedure", it usually means a hemorrhoidectomy. Otherwise, they just say what the procedure is. It could be breast enhancement, but he's already got nice ones.
Hoping for a speedy recovery, either way.
You are still welcome on my lawn.
(Score: 3, Insightful) by aristarchus on Saturday June 30 2018, @02:02AM (9 children)
SoylentNews needs editors like that! Quick recovery.
(Score: 2) by takyon on Saturday June 30 2018, @02:09AM (1 child)
Don't worry, I'll clean up your trash in the meantime.
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 0) by Anonymous Coward on Sunday July 01 2018, @12:57AM
Doing what needs to be done - Takyon 2020!
(Score: 0) by Anonymous Coward on Saturday June 30 2018, @02:39AM (1 child)
God's kinda slow. Took millions of years just to evolve humans. Still dragging his heels on the whole apocalypse biz. Lets try Lightspeed. Should be as fast as it gets.
(Score: 1, Funny) by Anonymous Coward on Saturday June 30 2018, @11:17AM
Screw it, go straight to plaid.
(Score: 2) by edIII on Saturday June 30 2018, @03:15AM
Ditto
Technically, lunchtime is at any moment. It's just a wave function.
(Score: 2) by AnonTechie on Saturday June 30 2018, @09:39AM
I concur. Please get well soon and we hope you will be back amongst us in the very near future.
Albert Einstein - "Only two things are infinite, the universe and human stupidity, and I'm not sure about the former."
(Score: -1, Troll) by Anonymous Coward on Sunday July 01 2018, @12:22AM (2 children)
Sincere as ever - don't assume your political opponents would ever take a low shot like that against you.
(Score: 2) by aristarchus on Sunday July 01 2018, @10:10AM (1 child)
No, seriously, hope he gets better soon. Can you imagine what this place would be like if some of the lesser eds had free reign? Bad enough that TMB keeps sticking his turkey vulture neck in where it does not belong! So best wishes for janrinok!
(Score: 2) by martyb on Sunday July 01 2018, @02:20PM
Many thanks for your kind wishes for Janrinock's health — much appreciated!
I would like to clarify that there are NO "lesser eds" here. Every editor is free to choose any story from the submission queue to post to the site.
That does not mean that they are free from feedback. Any editor is also free to speak up, and indeed is encouraged to do so, if they have any issues with a story. None of us is perfect and we recognize that.
Sometimes I read a story one way, and another editor points out a different reading that I failed to notice. Any skill I seem to exhibit here is much enhanced by the work of the other editors who review my work. I would like to think it works the other way, too.
Once in a very great while something may come up where different editors cannot come to agreement on something... in those cases there needs to be some tie-breaker. It is in those cases where an Editor-in-Chief decides. I cannot think of a single particular case offhand, and would guess that out of the 22,000+ stories we've posted, it has been necessary in fewer cases than can be counted on one hand.
NB: We all have widely varying schedules as well as different areas of interest and expertise. Each of us keeps an eye on the story queue, and as we are able, process submissions to appear there. We strive to have each story reviewed by another editor before it goes live. This does not always happen. (We are volunteers who have outside obligations and perform this service in our limited free time.)
Occasionally, even with a second pair of eyes, mistakes make it through.
Now, speaking only for myself, as much as I dislike the experience, I *do* appreciate it when the community offers corrections. "How could you post such crap?" does not go over as well as a polite noting of what is in error and a suggestion on what could rectify the mistake. We are people, too.
That said, "You can't please everyone". We recognize there are those in the community who hold diagrammatically opposite views on a subject from the views of others. We try, in toto, to find what we hope works best for the most.
tl;dr All editors contribute as they are able and do their best to build up the site. Arguments are exceedingly rare and misunderstandings are generally cleared up quickly. For the most part, though an observer may see what appears to be a haphazard process, it generally seems to work pretty well. teamwork++
Wit is intellect, dancing.
(Score: 2) by Runaway1956 on Saturday June 30 2018, @02:21AM (3 children)
The problem is "world" or "everybody", not the dog. When is the last time you heard or read about the dog leaking passwords? You may safely give access to your certs to your dog, or mine, or any dog that comes along.
(Score: 1, Funny) by Anonymous Coward on Saturday June 30 2018, @02:29AM
What about this dog [wikia.com]?
(Score: 2, Funny) by Anonymous Coward on Saturday June 30 2018, @11:39AM (1 child)
Duke would spill the beans, errr password: https://www.bushbeans.com/en_US/jay-duke [bushbeans.com].
(Score: 2) by Runaway1956 on Saturday June 30 2018, @02:35PM
I forgot about Duke. Those commercials were on television when my kids were little, so I saw them often.
(Score: 2) by MichaelDavidCrawford on Saturday June 30 2018, @02:30AM
You say that like it's a bad thing.
Yes I Have No Bananas. [gofundme.com]
(Score: 2) by Gaaark on Saturday June 30 2018, @02:49AM
I'd say get well soon, but doesn't that sound kinda alt-right?
Don't want to get jr or TMB after me...
#free Gaaark!
;)
Recover well, JR!
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
(Score: 3, Insightful) by RS3 on Saturday June 30 2018, @03:39AM (8 children)
Firstly best wishes to janrinok for quick and complete recovery.
Is the need for certificates because https?
If so, I know everyone does https because everyone does https, but does this site need https?
Could you just generate a self-signed certificate? I think most everyone here would accept it.
What am I missing?
Thank you, all SoylentNews sysadmins!
(Score: 1, Informative) by Anonymous Coward on Saturday June 30 2018, @04:37AM
(Score: 3, Insightful) by bzipitidoo on Saturday June 30 2018, @04:41AM (6 children)
Why not have a plain old http option?
(Score: 2, Informative) by Anonymous Coward on Saturday June 30 2018, @05:30AM (5 children)
Better not to have people's logins floating around the internet in plaintext. Good luck janrinok! Hope you have some kind nurses.
(Score: 3, Insightful) by fyngyrz on Saturday June 30 2018, @10:17AM (4 children)
Certainly, but the login and account access are all that needs to be secure. There's no security-based need for the rest of the site's interactions with its users and viewers to be secure; it's an outright waste of computing power and a corresponding environmental insult on both ends.
Unfortunately, the scare tactics being pushed by Google are migrating down through the browser developers into the browsers themselves, and as users become (even more) progressively deluded about what SSL actually offers (transfer encryption with no dependable endpoint identity validation worth a damn), and Google's search continues to push non-SSL sites down in its search listings, it either happens or the visitor count will drop. Personally (for my own sites) I prefer that the visitor count drops, because it means I'm getting considerably smarter visitors that understand how things actually work, as opposed to those believing the agitprop Google is spreading.
(Score: 2) by RS3 on Saturday June 30 2018, @12:35PM
Thank you everyone!
fyngyrz, you and I think scarily alike. I (naively) didn't know about google pushing http sites down. I'd love to know their rationale, especially since it seems that any encryption can be broken if someone's determined enough. And why bother, there seem to be so many other attack vectors in IT.
Anyway, so SN could run the main site http, a login page self-signed SSL, and seed google (pptthhewy) with scripts doing randomly-timed wget from the site, through google, from randomly-generated spoofed IPs.
Now what am I missing?
(Score: 5, Insightful) by The Mighty Buzzard on Saturday June 30 2018, @03:36PM (1 child)
Frankly, I don't want the NSA or anyone else having a record of who posted what from where. They need to come to us with a warrant if they want that info (so we can tell them addresses are hashed and they better hope the person they want used IPv4 because there's no way in hell they can build a rainbow table for the IPv6 address space). If it costs us a very slight extra bit of processing power to make their jobs a little harder, I for one am glad to spend the juice.
My rights don't end where your fear begins.
(Score: 2) by RS3 on Sunday July 01 2018, @01:10AM
Thank you for upholding such high virtues.
(Score: 3, Informative) by Anonymous Coward on Saturday June 30 2018, @10:42PM
SkywalkerEverythingYouSaidIsWrong.gif
Your login is only as secure as the rest of the site. You can have a secure login page, but as soon as you send that login cookie over HTTP your login is no longer secure and the secure login page was for naught.
Either the entire site is secure, or none of the site is; If you have a login over non-secure HTTP you're doing it wrong; Therefore, the entire site must be secure. Just because we've been doing "only the login page is secure" for years doesn't mean we haven't been doing it horribly, horribly wrong all along. There are millions of examples of this throughout history.
...only considered "scare tactics" to those who know absolutely nothing about current computer security issues. I strongly recommend you and the person who modded you insightful educate yourselves on current IT security. You may surprise yourselves on just how little you know.
(Score: 4, Interesting) by Whoever on Saturday June 30 2018, @03:56AM
Have you put in redirection to https in those subdomains recently? That can cause LE to fail, unless you put in an exception for the LE URLs.
(Score: 4, Informative) by zeigerpuppy on Saturday June 30 2018, @09:49AM
LetsEncrypt can now generate wildcard certs which made cert management easier (only one to renew per domain).
However, they have rightfully introduced some more validity tests that involve the domain admin adding two things:
1. A DNS TXT record - available when the domain DNS is queried
2. A random string verifed over http - available when the domain webserver responds over http
One issue is that the mechanisms for the cert update are not packaged yet for most linux distributuons.
Thankfully, procedures and workarounds are well documented and a standalone docker container can be used to make the cert request.
see here for details : https://community.letsencrypt.org/t/getting-wildcard-certificates-with-certbot/56285 [letsencrypt.org]
(Score: 0) by Anonymous Coward on Saturday June 30 2018, @11:48AM (7 children)
Thanks for showing us exactly how HTTPS is currently a scam. Unless someone keeps a constant eye on a site and remembers to constantly update yet another obscure little detail, then the whole thing becomes inaccessible essentially holding the site hostage. Oh, its free? Lol. For now. What make you think it will stay that way?
(On the brighter side, thanks for not requiring the absolute latest TLS, the site works well on my older thing-a-majigs where most other sites won't load at all now.)
(Score: 3, Interesting) by RS3 on Saturday June 30 2018, @01:16PM (5 children)
Yeah, the whole thing reminds me of a house with several different locks on each door, it's annoying and time-consuming at best, you can't get into your own house in an urgency / emergency, and the burglars will just break a window. (forget about cameras / fingerprints / alarms- burglar wears face mask, gloves, runs fast).
Yep, same here. :) For me, due to code / css bugs, this site takes much too long to render on said older thing-a-majigs, so I use Vivaldi, which seems slightly less burdensome than full chrome.
(Score: 3, Interesting) by The Mighty Buzzard on Saturday June 30 2018, @03:39PM (4 children)
Weird. SN renders fast as hell on everything I've ever tried it on. How old are we talking exactly?
My rights don't end where your fear begins.
(Score: 0) by Anonymous Coward on Saturday June 30 2018, @08:51PM
I've noticed long loading times for SN on some webkitgtk-based browsers, but not super recently, seemed to be fixed about 6 months to a year ago. Probably stuff that has older versions (debian based?) would still have that though.
(Score: 0) by Anonymous Coward on Saturday June 30 2018, @09:11PM
I use an iPhone 4s running iOS 5. Everything works except for the spoilers and expand buttons.
(Score: 2) by RS3 on Sunday July 01 2018, @01:08AM (1 child)
Okay, I dunno what's going on but it's very fast now on Old Opera 11.01, and with javascript ON.
I know I had tried it very many times over the past year+. What I noticed was a big delay before received packets network activity- several seconds- maybe 10, then it would render quite well.
One of many nice things with Old Opera is I can accept the cert. Vivaldi now blocks me. I'm sure there's a workaround but who cares. Thank you for once again inspiring me, and for all you do.
(Score: 2) by The Mighty Buzzard on Sunday July 01 2018, @02:36AM
Well, back when we did the comment styles rework, we did a hell of a speed-up in comment rendering as well. That was why the comment code needed a rewrite to begin with.
My rights don't end where your fear begins.
(Score: 4, Informative) by zeigerpuppy on Saturday June 30 2018, @04:46PM
It's quite the opposite really, SSL certs only declare certain information about the process used to create them, so there has to be some form of verification to prevent scams. LetsEncrypt have made this about as easy as it can be, but it's still necessary to prove the cert request comes from the actual server with rights to the site. Or else spoofing a domain is too easy. It's certainly a better situation than the pre-LetsEncrypt days when certification verification companies took (a lot) of money and didn't really do much in the way of checking!
(Score: 2) by mrpg on Saturday June 30 2018, @09:47PM
Good luck and get well soon.
(Score: 0) by Anonymous Coward on Sunday July 01 2018, @12:14AM (2 children)
Wont let you add exceptions anymore...
(Score: 0) by Anonymous Coward on Sunday July 01 2018, @12:26AM
Chromium - Version 67.0.3396.87 (Official Build) Arch Linux (64-bit) will. Firefox 'Quantum' 61.0 will not.
Thanks to the mods for pre-warning, the error message in Firefox is OTT.
(Score: 0) by Anonymous Coward on Sunday July 01 2018, @12:54AM
Got my first "Not secure" warning about a minute ago in Google Chrome Version 68.0.3440.15 (Official Build) dev (64-bit). I was able to proceed anyway.
(Score: 2) by HiThere on Sunday July 01 2018, @05:23AM
I'm probably not the first to report this, but if the site says "https login" then Firefox won't let you add an exception. (This was posted from Chromium, but Konqueror also looked as if it would work.)
Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.