posted by martyb on Wednesday September 15, @02:45PM

Late last night (~10 PM UTC), the security certificates for SoylentNews.org expired. (Out-of-date certs result in nasty warning messages being displayed by your browser.)

Please accept my apologies for any inconvenience the outage caused.

Unfortunately, that was after I (and others on staff who could do anything about it) had gone to bed.

I had personally updated the certs in the past, but the last time was years ago. (TheMightyBuzzard had previously — and subsequently — handled getting and applying updated certs.) It had been so long that I could not find my notes on the process. (Note to self: it helps to look in the correct directory tree!)

Thankfully, audioguy appeared and was able to get things updated.

Please join me in thanking him for getting things straightened out!

P.S. The current certs are due to expire December 14, 2021. Please feel free to remind us as that date approaches!

P.P.S. The technical staff is aware of various automated solutions to renewals but made a conscious decision to do them manually. Remember that people make mistakes, but to really foul things up use a computer!

  • (Score: 4, Interesting) by Runaway1956 on Wednesday September 15, @02:52PM (16 children)

    by Runaway1956 (2926) Subscriber Badge on Wednesday September 15, @02:52PM (#1177989) Homepage Journal

    I tried to log in using Firefox and Opera, both current and up-to-date. Both simply refused to do anything at all. You could click the "advanced" buttons and get an explanation about expired certs; neither offered any options. Do any browsers still give an option to connect to an unsecure site?

    For my part, I had things to do, so I didn't try any other browsers last night.

    Thanks for the update, and thanks for getting back online!!

    --
    Let's go Brandon!
    • (Score: 4, Informative) by FatPhil on Wednesday September 15, @02:56PM (8 children)

      by FatPhil (863) <reversethis-{if.fdsa} {ta} {tnelyos-cp}> on Wednesday September 15, @02:56PM (#1177991) Homepage
      We have opted for some higher security flag that demands that browsers reject out-of-date certificates, no matter what the user wants. Some versions of Firefox will explain the error/feature:
      "This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox may only connect to it securely. As a result, it is not possible to add an exception for this certificate."

      Fortunately some legacy browsers do not honour this flag, so it was still possible to access the site. I could happily use w3m, for example.
      --
      I know I'm God, because every time I pray to him, I find I'm talking to myself.
      • (Score: 4, Informative) by JoeMerchant on Wednesday September 15, @03:08PM (2 children)

        by JoeMerchant (3937) on Wednesday September 15, @03:08PM (#1178000)

        Chrome explained the HSTS thing and refused to load the site.

        --
        John Galt is a selfish crybaby [huffpost.com].
        • (Score: 2) by EvilSS on Wednesday September 15, @03:33PM (1 child)

          by EvilSS (1456) Subscriber Badge on Wednesday September 15, @03:33PM (#1178016)
          Weird, I was able to get in using Chrome (Firefox told me to fuck straight off though).
          • (Score: 2) by JoeMerchant on Wednesday September 15, @06:09PM

            by JoeMerchant (3937) on Wednesday September 15, @06:09PM (#1178068)

            I didn't persist on Chrome looking for bypass settings, I just opened whatever was on the screen and none of it let me in.

            Chrome in Ubuntu, relatively up to date.

            --
            John Galt is a selfish crybaby [huffpost.com].
      • (Score: 2, Informative) by Anonymous Coward on Wednesday September 15, @03:14PM

        by Anonymous Coward on Wednesday September 15, @03:14PM (#1178006)

        One way to bypass this in a modern browser is to have the browser forget it has seen the HSTS header. If all site data is cleaned, the next time the browser starts it will just complain about a bad certificate and the advanced option will allow an override. This of course is a terrible idea and it would be best just to wait, but it does work.

      • (Score: 0) by Anonymous Coward on Wednesday September 15, @03:18PM

        by Anonymous Coward on Wednesday September 15, @03:18PM (#1178009)

        You could do it with Firefox by toggling some ...stricttransport... setting in about:config to false and then editing a site security text file in your firefox profile to remove the soylentnews.org line.

      • (Score: 1, Interesting) by Anonymous Coward on Wednesday September 15, @03:52PM (2 children)

        by Anonymous Coward on Wednesday September 15, @03:52PM (#1178019)

        > We have opted for some higher security flag that demands that browsers reject out-of-date certificates, no matter what the user wants. Some versions of Firefox will explain the error/feature:
        > "This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox may only connect to it securely. As a result, it is not possible to add an exception for this certificate."

        I have opted for my choices to take priority and edited my browser to give me the option to continue. Open source FTW.

        • (Score: 2) by RS3 on Wednesday September 15, @11:43PM (1 child)

          by RS3 (6367) on Wednesday September 15, @11:43PM (#1178146)

          Which browser?

          • (Score: 1, Interesting) by Anonymous Coward on Thursday September 16, @01:44AM

            by Anonymous Coward on Thursday September 16, @01:44AM (#1178172)

            I only do FF browsers, in this case New Moon.

            --- a/docshell/base/nsDocShell.cpp
            +++ b/docshell/base/nsDocShell.cpp
            @@ -5067,7 +5067,11 @@ nsDocShell::DisplayLoadError(nsresult aError, nsIURI* aURI,
                              // never want to show the "Add Exception" button for these sites.
                              // In the future we should differentiate between an HSTS host and a
                              // pinned host and display a more informative message to the user.
            - if (isStsHost || isPinnedHost) {
            + // it is my browser and I do want to be able to make
            + // an exception to cert issues, as long as I am still talking
            + // encrypted.
            + //if (isStsHost || isPinnedHost) {
            + if (isPinnedHost) {
                                  cssClass.AssignLiteral("badStsCert");
                              }
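            Review bot: the three comment lines kept at the top of the hunk still say the "Add Exception" button must never be shown for these sites, but the new `if (isPinnedHost) {` lets HSTS hosts fall through to the overridable error page, so the retained comment now describes the old behaviour; rewrite it to state the new rule (HSTS hosts may be overridden, pinned hosts may not) and why. The commented-out `//if (isStsHost || isPinnedHost) {` is dead code and should be deleted rather than left beside its replacement. Note also that the effect is to reintroduce click-through on certificate errors for HSTS hosts, which is precisely what the policy quoted earlier in the thread exists to prevent; that trade-off belongs in the commit message so anyone carrying this patch knows what protection they are giving up.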

    • (Score: 0) by Anonymous Coward on Wednesday September 15, @03:19PM

      by Anonymous Coward on Wednesday September 15, @03:19PM (#1178012)

      Tried this morning with the new Microsoft Edge and it worked LOL

    • (Score: 3, Touché) by Ingar on Wednesday September 15, @04:44PM

      by Ingar (801) on Wednesday September 15, @04:44PM (#1178034) Homepage

      Worked fine in lynx, I got a warning but could just ignore it.

    • (Score: 0) by Anonymous Coward on Wednesday September 15, @04:48PM

      by Anonymous Coward on Wednesday September 15, @04:48PM (#1178036)

      In Firefox if you clicked the 'advanced' button there should have been two new buttons below the technical explanation. One of those lets you temporarily accept the expired cert.

      For the record, complaining loudly that a cert is wrong, invalid, or expired, is a good thing.

    • (Score: 2) by srobert on Wednesday September 15, @05:31PM

      by srobert (4803) on Wednesday September 15, @05:31PM (#1178057)

      w3m asked to verify that it's OK, and then connected on the affirmative. Maybe not a good idea, but I was curious. KUDOS Big time to martyb and audioguy. Thanks. Firefox and chromium were locked out.

    • (Score: 0) by Anonymous Coward on Thursday September 16, @12:42AM

      by Anonymous Coward on Thursday September 16, @12:42AM (#1178159)

      Chromium refused to connect to the site, so I had to download Brave and tell it to ignore the warning and connect anyway.

    • (Score: 0) by Anonymous Coward on Thursday September 16, @01:54AM

      by Anonymous Coward on Thursday September 16, @01:54AM (#1178174)

      I'm not quite sure what the rationale is but it seems like they behave differently if you've visited a site recently but before the cert expired versus never at all.

      The workaround I've had to use more than once recently is to just open a private browsing window then hit the site back up -- then the Allow Exception button will be back (and have the delightful default of permanently-store-this-exception, which I always have to uncheck).

    • (Score: 2) by KritonK on Thursday September 16, @05:35PM

      by KritonK (465) on Thursday September 16, @05:35PM (#1178327)

      I was able to connect with vivaldi, using the "--ignore-certificate-errors" command line option. I gather that this is a chromium option, so it should probably work with other chromium-based browsers as well.

  • (Score: 0) by Anonymous Coward on Wednesday September 15, @02:53PM (1 child)

    by Anonymous Coward on Wednesday September 15, @02:53PM (#1177990)

    2021-12-14 will be here before Christmas. Please remember to give the site its second jab by then.

    • (Score: 2) by DannyB on Wednesday September 15, @04:15PM

      by DannyB (5839) Subscriber Badge on Wednesday September 15, @04:15PM (#1178023) Journal

      That will spoil any plans to expect a new cert in a Christmas stocking instead of a lump of clean coal.

      --
      Employers should not mandate wearing clothing. It should be a personal choice. It only affects me. Junk can't breathe!
  • (Score: 5, Interesting) by bzipitidoo on Wednesday September 15, @03:02PM (21 children)

    by bzipitidoo (4388) Subscriber Badge on Wednesday September 15, @03:02PM (#1177994) Journal

    This illustrates a complaint I've made before about certs: at the magic expiration moment, they go from working perfectly, to not working at all. They're like Cinderella's carriage, instantly turning back into a pumpkin at the stroke of midnight. Or like the first traffic lights, which had only a red and a green, no yellow light. And why? The system ought to include a warning period.

    • (Score: 1, Touché) by Anonymous Coward on Wednesday September 15, @03:15PM

      by Anonymous Coward on Wednesday September 15, @03:15PM (#1178007)

      Sounds like you are asking for a script that runs periodically that checks the site cert expiration date and creates a report/alarm if it will expire soon.
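The periodic check this post describes, written out as an added example (not SoylentNews' own script): it reads notAfter from the server's leaf certificate, classifies the remaining lifetime against constructed 30-day and 7-day thresholds, and exits non-zero so cron or a monitoring system can raise an alarm. Host names and the dates used for fixed-time checks are constructed.

```python
"""Periodic certificate-expiry check.

Added example, not SoylentNews' own tooling. Host names, thresholds and the
dates used for fixed-time checks are constructed for illustration; the only
real input format is the 'notAfter' string that ssl.SSLSocket.getpeercert()
returns, e.g. 'Dec 14 22:00:00 2021 GMT'.
"""
import socket
import ssl
import sys
from datetime import datetime, timezone
from typing import Optional, Tuple

WARN_DAYS = 30      # start nagging here (constructed threshold)
CRITICAL_DAYS = 7   # escalate here: renewal should already have happened

# Exit codes in the usual monitoring convention so cron/Nagios can act on them.
EXIT_CODE = {"OK": 0, "WARNING": 1, "CRITICAL": 2, "EXPIRED": 2, "UNKNOWN": 3}


def utc(iso: str) -> datetime:
    """Parse 'YYYY-MM-DDTHH:MM:SS' as a UTC instant (lets callers pin 'now')."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


def days_until_expiry(not_after: str, now: datetime) -> float:
    """Days remaining before notAfter; negative once the certificate has expired."""
    expiry_epoch = ssl.cert_time_to_seconds(not_after)   # parses the 'GMT' format as UTC
    return (expiry_epoch - now.timestamp()) / 86400.0


def classify(not_after: str, now: datetime) -> Tuple[str, float]:
    """Map remaining lifetime onto OK / WARNING / CRITICAL / EXPIRED."""
    remaining = days_until_expiry(not_after, now)
    if remaining <= 0:
        return "EXPIRED", remaining
    if remaining <= CRITICAL_DAYS:
        return "CRITICAL", remaining
    if remaining <= WARN_DAYS:
        return "WARNING", remaining
    return "OK", remaining


def fetch_not_after(host: str, port: int = 443, timeout: float = 10.0) -> str:
    """TLS-connect with SNI, verify the chain, and return the leaf's notAfter.

    Verification stays ON: a checker that accepted any chain would be blind to
    the exact failure (expired leaf) it exists to catch. An expired or
    untrusted certificate therefore surfaces as ssl.SSLCertVerificationError.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def check_host(host: str, now: Optional[datetime] = None) -> Tuple[str, str]:
    """Return (status, one-line report) for one host; never raises."""
    now = now or datetime.now(timezone.utc)
    try:
        not_after = fetch_not_after(host)
    except ssl.SSLCertVerificationError as exc:
        # Expired, untrusted or mis-named leaf: the handshake itself failed.
        return "CRITICAL", f"{host}: certificate rejected ({exc.verify_message})"
    except (OSError, KeyError, ValueError) as exc:
        # Network trouble or an unparseable date: report it, never claim OK.
        return "UNKNOWN", f"{host}: check failed ({exc})"
    status, remaining = classify(not_after, now)
    return status, f"{host}: {status}, notAfter {not_after} ({remaining:.1f} days left)"


if __name__ == "__main__":
    # Usage (e.g. from a daily cron job): python3 certwatch.py soylentnews.org
    if len(sys.argv) < 2:
        sys.exit("usage: certwatch.py HOST [HOST ...]")
    worst = 0
    for target in sys.argv[1:]:
        status, report = check_host(target)
        print(report)
        worst = max(worst, EXIT_CODE[status])
    sys.exit(worst)
```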

    • (Score: 3, Insightful) by DannyB on Wednesday September 15, @04:21PM (9 children)

      by DannyB (5839) Subscriber Badge on Wednesday September 15, @04:21PM (#1178024) Journal

      It sounds like you're asking for a feature in the certificate that specifies an expiration warning number of days (or an absolute date). Any browser that recognizes and honors this feature would warn that the certificate is due to expire soon.

      Maybe better would be if the certificate also included an expiration notification URL. Any browser recognizing and honoring this feature would poke that URL to alert the site owners that their certificate is about to expire. Sites with soon to expire certificates would experience . . . uh, um . . . the "green site" effect.

      Next up, someone could get themselves a lot of shiny new certificates that have the expiration warning feature, but will poke a URL of some DDOS target site when the certificate is due to expire. Those pin pricks would come from all different sorts of browsers from many locations.

      --
      Employers should not mandate wearing clothing. It should be a personal choice. It only affects me. Junk can't breathe!
      • (Score: 1, Insightful) by Anonymous Coward on Wednesday September 15, @04:51PM (5 children)

        by Anonymous Coward on Wednesday September 15, @04:51PM (#1178039)

        No need to add a feature to the cert. Just have the browser check current date against expiration and warn 30 days out.

        • (Score: 0) by Anonymous Coward on Wednesday September 15, @05:01PM (3 children)

          by Anonymous Coward on Wednesday September 15, @05:01PM (#1178043)

          That warns the visitor, not the administrator.

          • (Score: 2) by DannyB on Wednesday September 15, @05:25PM (1 child)

            by DannyB (5839) Subscriber Badge on Wednesday September 15, @05:25PM (#1178054) Journal

            But the visitors can make fun of the administrator.

            Sort of like when the microsoft.com DNS name expired. Some kind soul on the green site renewed it. Microsoft paid him some token amount in the form of a check, which he had framed.

            --
            Employers should not mandate wearing clothing. It should be a personal choice. It only affects me. Junk can't breathe!
            • (Score: 0) by Anonymous Coward on Wednesday September 15, @11:01PM

              by Anonymous Coward on Wednesday September 15, @11:01PM (#1178141)

              Just think, with modern banking apps, he could send a picture to his bank to cash it and still frame the check!

              Hmm, any pictures of his framed check on the net?

          • (Score: 1, Insightful) by Anonymous Coward on Wednesday September 15, @05:36PM

            by Anonymous Coward on Wednesday September 15, @05:36PM (#1178060)

            Imagine your average computer illiterate visitor visiting Bank of America and receiving a popup that says the cert is about to expire in 30 days. What the heck is the visitor supposed to care?

        • (Score: 5, Touché) by DannyB on Wednesday September 15, @05:25PM

          by DannyB (5839) Subscriber Badge on Wednesday September 15, @05:25PM (#1178055) Journal

          > Just have the browser check current date against expiration and warn 30 days out.

          That is a needlessly simple solution to a problem which can have a much more complex solution.

          --
          Employers should not mandate wearing clothing. It should be a personal choice. It only affects me. Junk can't breathe!
      • (Score: 0) by Anonymous Coward on Wednesday September 15, @07:31PM (2 children)

        by Anonymous Coward on Wednesday September 15, @07:31PM (#1178079)

        > Maybe better would be if the certificate also included an expiration notification URL.

        This site uses Let's Encrypt. They send at least 2 e-mails to the contact prior to expiration giving plenty of time to renew manually, if required.

        • (Score: 4, Touché) by c0lo on Thursday September 16, @12:57AM (1 child)

          by c0lo (156) Subscriber Badge on Thursday September 16, @12:57AM (#1178162) Journal

          The eds need to write an email-to-IRC forwarder. In a deprecated PERL version.

          --
          https://www.youtube.com/watch?v=aoFiw2jMy-0
          • (Score: 0) by Anonymous Coward on Thursday September 16, @02:09AM

            by Anonymous Coward on Thursday September 16, @02:09AM (#1178175)

            There are a couple of those and I’m pretty sure at least one is in Perl.

    • (Score: 1, Insightful) by Anonymous Coward on Wednesday September 15, @04:51PM (3 children)

      by Anonymous Coward on Wednesday September 15, @04:51PM (#1178040)

      Warning the users that the certificate is about to expire is much less helpful than emailing the site administrator who can actually fix the problem.

      • (Score: 0) by Anonymous Coward on Wednesday September 15, @07:46PM (2 children)

        by Anonymous Coward on Wednesday September 15, @07:46PM (#1178083)

        Well, when the site administrator who was taking care of the certificates is driven away from the site, sending an email to said admin just might not result in it getting done.

        • (Score: 2) by MostCynical on Thursday September 16, @08:26AM (1 child)

          by MostCynical (2589) on Thursday September 16, @08:26AM (#1178233) Journal

          This is a problem with domain registration and app stores as well: one person (named individual) is the registration contact.
          They may be a minor grade employee at a large company or government department.

          The contact is their email, their phone number, and their name.

          They leave (quit/get fired/die). The effort required to get the name changed is enormous, if it can be done at all.

          There is almost never a 'second contact'. One person is solely responsible for the 'ownership' of the whole company's or government department's entire web presence.

          --
          “I've learned from experience that asking politely never works unless you have the upper hand.” Daisuke Aramaki, GIS:SAC
          • (Score: 0) by Anonymous Coward on Friday September 17, @03:57AM

            by Anonymous Coward on Friday September 17, @03:57AM (#1178496)

            The tradition of using "admin [at] domain [dot] com" came about for a reason, but it became a spam magnet so we can't have nice things. :(

    • (Score: 5, Interesting) by digitalaudiorock on Wednesday September 15, @05:21PM (1 child)

      by digitalaudiorock (688) on Wednesday September 15, @05:21PM (#1178051)

      > This illustrates a complaint I've made before about certs: at the magic expiration moment, they go from working perfectly, to not working at all.

      Combine that with the fact that the "industry" has decided that we can't buy certs with anything longer than a one year lifetime...because this bullshit apparently wasn't quite annoying enough.

      • (Score: 1, Interesting) by Anonymous Coward on Friday September 17, @03:53AM

        by Anonymous Coward on Friday September 17, @03:53AM (#1178495)

        Limiting certs to a year was because too many old certs were compromised and their contact information was long out of date. Too much set-and-forget-and-retire. A shorter term doesn't eliminate it completely but it limits the impact. Making it yearly also means that the admins can mark a date on their calendar to help them remember.

    • (Score: 0) by Anonymous Coward on Wednesday September 15, @05:58PM

      by Anonymous Coward on Wednesday September 15, @05:58PM (#1178065)

      > The system ought to include a warning period.

      As long as we can list your cell phone number for my mother to call when her computer issues a warning. You can explain the expiring cert issue to her and that it's OK now, but check in a few days (she will call you).

    • (Score: 1) by fustakrakich on Wednesday September 15, @06:44PM

      by fustakrakich (6150) on Wednesday September 15, @06:44PM (#1178070) Journal

      Exactly, and all browsers should have the option to bypass them, and we can leave it at that. I guess Chrome is good for something...

      HTTPS is the devil's work. All certs can be rendered "expired" by the CA, and then how will you get in?

      --
      Ok, we paid the ransom. Do I get my dog back? REDЯUM
    • (Score: 2, Interesting) by vali.magni on Thursday September 16, @07:14AM (1 child)

      by vali.magni (5678) on Thursday September 16, @07:14AM (#1178216)

      Good idea, and I've thought about this earlier. What can work here are X.509 v3 extensions that (a) include information such as escalation paths, degradation strategies upon certificate expiry, etc, and (b) ecosystems that will honour this information and do what needs to be done.

      Today, standard X.509 v3 extensions can contain information about the certificate issuer, public key IDs, usage constraints, policies and policy mappings and more. In the real world, the implementer or ecosystem decides the extensions they will support.

      For example, the Golang runtime generally demands the use of the SAN extension but other runtime environments will happily take the CN field and run with it with or without the SAN extension.

      One might consider using the X.509 "Subject Information Access" private extension defined in RFC5280 but it's a non-critical field, and I am yet to come across software ecosystems that work consistently well with the SIA extension.

      An alternate approach is to ignore these altogether and just go with custom extensions that the browser makers agree upon, but this is a hacky approach that is bound to cause problems in the long term. Others have recommended that browsers themselves check certificate expiry dates and warn users a few weeks before they expire, but this too is ad-hoc behaviour.

      There appears to be no real solution today unless I'm mistaken.

      • (Score: 4, Interesting) by bzipitidoo on Thursday September 16, @02:28PM

        by bzipitidoo (4388) Subscriber Badge on Thursday September 16, @02:28PM (#1178280) Journal

        While it will help to use X.509 extensions to make degradation more graceful, by adding something analogous to a yellow traffic light (and good on them for providing means to extend the standard), I think the entire idea of date based expiration needs a rethink.

        One rather bad bug in Firefox that was fixed a few years back was its assumption that the system time was reliable. A failure point aging PCs are notorious for is the CMOS battery finally drained of all power some 5 years after purchase, causing it to be unable to remember the current date, instead setting it to a default starting date which may be Jan 1, 1980, or, nowadays, Jan 1, 2005 or so. The OS and Firefox ran with that date, and next thing you had was Firefox throwing up inappropriately scary messages and refusing to load any https at all, because all the certs were too far in the future to be valid. Firefox now uses a build date as a baseline.

        Date based expiration is just plain crude. Much better to base expiration on events. Perhaps the timed expiration idea comes from a notion I heard a long time ago about passwords. The thinking was that a password could be brute forced in perhaps a year's time, and by forcing a password change every 30 days, the brute force work would have to be started over. Today, there's no excuse for using keys weak enough to be brute forced so fast. Throw another 64 bits in, and you've made a weak key into such a strong key that brute force is utterly impractical. So that reason for date based expiry is moot.

  • (Score: 1, Insightful) by Anonymous Coward on Wednesday September 15, @03:14PM (8 children)

    by Anonymous Coward on Wednesday September 15, @03:14PM (#1178004)

    Why don't you have renewals automated? You could use certbot or some lighter weight alternatives that I've forgotten the names of.

    • (Score: 1, Insightful) by Anonymous Coward on Wednesday September 15, @03:20PM (4 children)

      by Anonymous Coward on Wednesday September 15, @03:20PM (#1178013)

      The current site operators don't have this kind of technical knowledge.

      • (Score: -1, Flamebait) by Anonymous Coward on Wednesday September 15, @05:49PM (3 children)

        by Anonymous Coward on Wednesday September 15, @05:49PM (#1178062)

        That's the problem with diversity hires.

        • (Score: -1, Troll) by Anonymous Coward on Wednesday September 15, @09:50PM (2 children)

          by Anonymous Coward on Wednesday September 15, @09:50PM (#1178121)

          There's just not enough retarded black lesbians to go around.

          • (Score: 1) by NPC-131072 on Wednesday September 15, @11:55PM (1 child)

            by NPC-131072 (7144) on Wednesday September 15, @11:55PM (#1178148) Journal

            Go around where?

            • (Score: 0) by Anonymous Coward on Thursday September 16, @12:59AM

              by Anonymous Coward on Thursday September 16, @12:59AM (#1178163)

              Go around from where they came around.

    • (Score: 2) by Opportunist on Wednesday September 15, @07:20PM (2 children)

      by Opportunist (5545) on Wednesday September 15, @07:20PM (#1178075)

      Heh. That's easier said than done in some circumstances.

      Trust me, I'm (probably) in the same boat as these guys here. If you have to deal with incompatible tech where one hand (the cert renewer) doesn't want to shake the other one (the cert offloader)...

      • (Score: 1, Interesting) by Anonymous Coward on Wednesday September 15, @08:14PM (1 child)

        by Anonymous Coward on Wednesday September 15, @08:14PM (#1178091)

        Running web based validation is problematic when e.g., running multiple web front-ends without shared storage behind them or getting certs for non-webby stuff. But, using DNS validation works around any issues I've seen.

        Just set up a subdomain, e.g., acme.mydomain.dom, and set up certbot to do all its dyndns stuff there (no scary dyndns stuff in the root of your domain). A trivial hook script to distribute signed certs, and you are done.

        Genuinely curious if you have a use case that can't be worked around by using dns validation. Ditto, curious why this can't be an option for soylent?

        Certbot works if you host your own dns or several hosted dns providers are supported too (you can delegate just the dyndns certbot subdomain to one of these providers, if you want to keep your main domain on your existing provider). And, there are several other options for acme dns domain validation besides certbot, if you prefer.

        • (Score: 1, Interesting) by Anonymous Coward on Thursday September 16, @02:26AM

          by Anonymous Coward on Thursday September 16, @02:26AM (#1178180)

          They can already automate the issuance of certs, I even told them the proper method last time. They just either don’t have an admin with enough time to do so or enough know-how to do so without step-by-step instructions for setting it up. Can’t really blame them as they probably have enough other issues that actually are or at least appear to be better uses of time.

  • (Score: 5, Informative) by Anonymous Coward on Wednesday September 15, @03:16PM (3 children)

    by Anonymous Coward on Wednesday September 15, @03:16PM (#1178008)

    Since you are using Let's Encrypt, you may want to look into running EFF's Certbot. Once set up, it should handle renewals automatically so you don't have to deal with this anymore. It works like a charm for me on my Apache server but it supports a wide variety of hosting options.

    https://certbot.eff.org [eff.org]

    • (Score: 5, Informative) by Thexalon on Wednesday September 15, @03:58PM (1 child)

      by Thexalon (636) on Wednesday September 15, @03:58PM (#1178020)

      And if you don't want it completely automated for some reason, you can also set it up to send you a reminder email instead. Very handy.

      --
      The inverse of "I told you so" is "Nobody could have predicted"
      • (Score: 2) by coolgopher on Wednesday September 15, @10:34PM

        by coolgopher (1157) Subscriber Badge on Wednesday September 15, @10:34PM (#1178137)

        I concur. These days https certs should be set to auto renew. Any CA worth their salt will provide this feature. Personally I use certbot, and at $work it’s auto-renew within the AWS ecosystem.

        Letsencrypt provides easy to follow how-tos on setting it up, and then it’s just a cron job away from not having to worry unless it emails you.

    • (Score: 4, Informative) by bart9h on Wednesday September 15, @04:38PM

      by bart9h (767) on Wednesday September 15, @04:38PM (#1178031)

      I haven't heard of this certbot, seems nice.

      But my server runs OpenBSD, and as usual everything is easy peasy. I just instructed cron to run acme-client (ACME = Automatic Certificate Management Environment) once a month, and I'm done.

  • (Score: 4, Interesting) by owl on Wednesday September 15, @04:08PM

    by owl (15206) on Wednesday September 15, @04:08PM (#1178022)

    You need to set up something like https://dehydrated.io/ [dehydrated.io] and have it run via cron periodically, and let it auto-renew the certs before they expire.

    Then you don't have the problem of "forgetting" to do so before the expiration date.

  • (Score: 1, Touché) by Anonymous Coward on Wednesday September 15, @05:44PM (1 child)

    by Anonymous Coward on Wednesday September 15, @05:44PM (#1178061)

    Soylent News is people, and people make mistakes.

    • (Score: 1, Insightful) by Anonymous Coward on Wednesday September 15, @06:00PM

      by Anonymous Coward on Wednesday September 15, @06:00PM (#1178066)

      And we eat them alive.

  • (Score: 1, Insightful) by Anonymous Coward on Wednesday September 15, @09:29PM

    by Anonymous Coward on Wednesday September 15, @09:29PM (#1178113)

    He tempted fate with his “Uptime” journal.

  • (Score: 2) by crb3 on Thursday September 16, @12:16AM (2 children)

    by crb3 (5919) on Thursday September 16, @12:16AM (#1178153)

    > P.S. The current certs are due to expire December 14, 2021, Please feel free to remind us as that date approaches!

    Crontab yourself a popup reminder on your main console for that. I use Xdialog.

    • (Score: 3, Touché) by c0lo on Thursday September 16, @01:01AM

      by c0lo (156) Subscriber Badge on Thursday September 16, @01:01AM (#1178164) Journal

      And then just make sure your computer is switched off during the holiday season.

      --
      https://www.youtube.com/watch?v=aoFiw2jMy-0
    • (Score: 0) by Anonymous Coward on Thursday September 16, @02:14AM

      by Anonymous Coward on Thursday September 16, @02:14AM (#1178176)

      If you ignore the emails Let’s Encrypt sends you and the fact that it is fairly easy to automate renewals already, wouldn’t it be a better choice for a single shot command like this to remind yourself?

  • (Score: 2) by darkfeline on Thursday September 16, @05:42AM

    by darkfeline (1030) on Thursday September 16, @05:42AM (#1178199) Homepage

    There are out of the box ACME reverse proxies now. You can stick them in front of your HTTP server and it Just Works.

    Recently I added TLS to the RSS reader server I set up by simply starting a Caddy container. Having to manage and/or let a cert expire is so 2018.

    https://caddyserver.com/ [caddyserver.com]

    --
    Join the SDF Public Access UNIX System today!
  • (Score: 0) by Anonymous Coward on Thursday September 16, @06:03AM (2 children)

    by Anonymous Coward on Thursday September 16, @06:03AM (#1178204)

    Automatic renewal. Problem solved

    • (Score: 0) by Anonymous Coward on Thursday September 16, @12:55PM (1 child)

      by Anonymous Coward on Thursday September 16, @12:55PM (#1178252)

      are you volunteering to implement it?

      • (Score: 0) by Anonymous Coward on Thursday September 16, @09:35PM

        by Anonymous Coward on Thursday September 16, @09:35PM (#1178426)

        I'll buy them a copy of TLS Mastery.

  • (Score: 2) by datapharmer on Thursday September 16, @02:31PM

    by datapharmer (2702) Subscriber Badge on Thursday September 16, @02:31PM (#1178281)

    While I disagree with the decision not to have automatic certificate renewal, you are right - it could fail. In either case you should have monitoring in place. Many solutions are available but statuscake.com offers certificate monitoring for 1 domain for free and I've been very happy with them in general (I don't get anything out of this endorsement, nor do they since I only use their free service, but feel free to use another service as long as you do something to address the root cause!)