
Meta
posted by martyb on Wednesday September 15 2021, @02:45PM

Late last night (~10 PM UTC), the security certificates for SoylentNews.org expired. (Out-of-date certs result in nasty warning messages being displayed by your browser.)

Please accept my apologies for any inconvenience the outage caused.

Unfortunately, that was after I (and others on staff who could do anything about it) had gone to bed.

I had personally updated the certs in the past, but the last time was years ago. (TheMightyBuzzard had previously — and subsequently — handled getting and applying updated certs.) It had been so long that I could not find my notes on the process. (Note to self: it helps to look in the correct directory tree!)

Thankfully, audioguy appeared and was able to get things updated.

Please join me in thanking him for getting things straightened out!

P.S. The current certs are due to expire December 14, 2021. Please feel free to remind us as that date approaches!

P.P.S. The technical staff is aware of various automated solutions to renewals but made a conscious decision to do them manually. Remember that people make mistakes but to really foul things up use a computer!



  • (Score: 4, Interesting) by Runaway1956 on Wednesday September 15 2021, @02:52PM (16 children)

    by Runaway1956 (2926) Subscriber Badge on Wednesday September 15 2021, @02:52PM (#1177989) Journal

    I tried to log in using Firefox and Opera, both current and up-to-date. Both simply refused to do anything at all. You could click the "advanced" buttons and get an explanation about expired certs, but neither offered any options. Do any browsers still give an option to connect to an unsecure site?

    For my part, I had things to do, so I didn't try any other browsers last night.

    Thanks for the update, and thanks for getting back online!!

    • (Score: 4, Informative) by FatPhil on Wednesday September 15 2021, @02:56PM (8 children)

      by FatPhil (863) <{pc-soylent} {at} {asdf.fi}> on Wednesday September 15 2021, @02:56PM (#1177991) Homepage
      We have opted for some higher security flag that demands that browsers reject out-of-date certificates, no matter what the user wants. Some versions of Firefox will explain the error/feature:
      "This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox may only connect to it securely. As a result, it is not possible to add an exception for this certificate."

      Fortunately some legacy browsers do not honour this flag, so it was still possible to access the site. I could happily use w3m, for example.
      --
      Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
      • (Score: 4, Informative) by JoeMerchant on Wednesday September 15 2021, @03:08PM (2 children)

        by JoeMerchant (3937) on Wednesday September 15 2021, @03:08PM (#1178000)

        Chrome explained the HSTS thing and refused to load the site.

        --
        🌻🌻 [google.com]
        • (Score: 2) by EvilSS on Wednesday September 15 2021, @03:33PM (1 child)

          by EvilSS (1456) Subscriber Badge on Wednesday September 15 2021, @03:33PM (#1178016)
          Weird, I was able to get in using Chrome (Firefox told me to fuck straight off though).
          • (Score: 2) by JoeMerchant on Wednesday September 15 2021, @06:09PM

            by JoeMerchant (3937) on Wednesday September 15 2021, @06:09PM (#1178068)

            I didn't persist on Chrome looking for bypass settings, I just opened whatever was on the screen and none of it let me in.

            Chrome in Ubuntu, relatively up to date.

            --
            🌻🌻 [google.com]
      • (Score: 2, Informative) by Anonymous Coward on Wednesday September 15 2021, @03:14PM

        by Anonymous Coward on Wednesday September 15 2021, @03:14PM (#1178006)

        One way to bypass this in a modern browser is to have the browser forget it has seen the HSTS header. If all site data is cleaned, the next time the browser starts it will just complain about a bad certificate and the advanced option will allow an override. This of course is a terrible idea and it would be best just to wait, but it does work.

      • (Score: 0) by Anonymous Coward on Wednesday September 15 2021, @03:18PM

        by Anonymous Coward on Wednesday September 15 2021, @03:18PM (#1178009)

        You could do it with Firefox by toggling some ...stricttransport... setting in about:config to false and then editing a site security text file in your firefox profile to remove the soylentnews.org line.

      • (Score: 1, Interesting) by Anonymous Coward on Wednesday September 15 2021, @03:52PM (2 children)

        by Anonymous Coward on Wednesday September 15 2021, @03:52PM (#1178019)

        > We have opted for some higher security flag that demands that browsers reject out-of-date certificates, no matter what the user wants. Some versions of Firefox will explain the error/feature:
        > "This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox may only connect to it securely. As a result, it is not possible to add an exception for this certificate."

        I have opted for my choices to take priority and edited my browser to give me the option to continue. Open source FTW.

        • (Score: 2) by RS3 on Wednesday September 15 2021, @11:43PM (1 child)

          by RS3 (6367) on Wednesday September 15 2021, @11:43PM (#1178146)

          Which browser?

          • (Score: 1, Interesting) by Anonymous Coward on Thursday September 16 2021, @01:44AM

            by Anonymous Coward on Thursday September 16 2021, @01:44AM (#1178172)

            I only do FF browsers, in this case New Moon.

            --- a/docshell/base/nsDocShell.cpp
            +++ b/docshell/base/nsDocShell.cpp
            @@ -5067,7 +5067,11 @@ nsDocShell::DisplayLoadError(nsresult aError, nsIURI* aURI,
                              // never want to show the "Add Exception" button for these sites.
                              // In the future we should differentiate between an HSTS host and a
                              // pinned host and display a more informative message to the user.
            - if (isStsHost || isPinnedHost) {
            + // it is my browser and I do want to be able to make
            + // an exception to cert issues, as long as I am still talking
            + // encrypted.
            + //if (isStsHost || isPinnedHost) {
            + if (isPinnedHost) {
                                  cssClass.AssignLiteral("badStsCert");
                              }
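            Review bot: the retained comment block above the condition ("never want to show the "Add Exception" button for these sites ... an HSTS host and a pinned host") now contradicts `if (isPinnedHost) {`, which does show the button for HSTS hosts; rewrite it to say what the branch does now (the badStsCert class is only applied for pinned hosts, and HSTS hosts deliberately fall through to the normal override path), and delete the commented-out `//if (isStsHost || isPinnedHost) {` rather than leaving dead code next to the explanatory comment.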

    • (Score: 0) by Anonymous Coward on Wednesday September 15 2021, @03:19PM

      by Anonymous Coward on Wednesday September 15 2021, @03:19PM (#1178012)

      Tried this morning with the new Microsoft Edge and it worked LOL

    • (Score: 3, Touché) by Ingar on Wednesday September 15 2021, @04:44PM

      by Ingar (801) on Wednesday September 15 2021, @04:44PM (#1178034) Homepage

      Worked fine in lynx, I got a warning but could just ignore it.

    • (Score: 0) by Anonymous Coward on Wednesday September 15 2021, @04:48PM

      by Anonymous Coward on Wednesday September 15 2021, @04:48PM (#1178036)

      In Firefox if you clicked the 'advanced' button there should have been two new buttons below the technical explanation. One of those lets you temporarily accept the expired cert.

      For the record, complaining loudly that a cert is wrong, invalid, or expired, is a good thing.

    • (Score: 2) by srobert on Wednesday September 15 2021, @05:31PM

      by srobert (4803) on Wednesday September 15 2021, @05:31PM (#1178057)

      w3m asked to verify that it's OK, and then connected on the affirmative. Maybe not a good idea, but I was curious. KUDOS Big time to martyb and audioguy. Thanks. Firefox and chromium were locked out.

    • (Score: 0) by Anonymous Coward on Thursday September 16 2021, @12:42AM

      by Anonymous Coward on Thursday September 16 2021, @12:42AM (#1178159)

      Chromium refused to connect to the site, so I had to download Brave and tell it to ignore the warning and connect anyway.

    • (Score: 0) by Anonymous Coward on Thursday September 16 2021, @01:54AM

      by Anonymous Coward on Thursday September 16 2021, @01:54AM (#1178174)

      I'm not quite sure what the rationale is but it seems like they behave differently if you've visited a site recently but before the cert expired versus never at all.

      The workaround I've had to use more than once recently is to just open a private browsing window then hit the site back up -- then the Allow Exception button will be back (and have the delightful default of permanently-store-this-exception, which I always have to uncheck).

    • (Score: 2) by KritonK on Thursday September 16 2021, @05:35PM

      by KritonK (465) on Thursday September 16 2021, @05:35PM (#1178327)

      I was able to connect with vivaldi, using the "--ignore-certificate-errors" command line option. I gather that this is a chromium option, so it should probably work with other chromium-based browsers as well.

  • (Score: 0) by Anonymous Coward on Wednesday September 15 2021, @02:53PM (1 child)

    by Anonymous Coward on Wednesday September 15 2021, @02:53PM (#1177990)

    2021-12-14 will be here before Christmas. Please remember to give the site its second jab by then.

    • (Score: 2) by DannyB on Wednesday September 15 2021, @04:15PM

      by DannyB (5839) Subscriber Badge on Wednesday September 15 2021, @04:15PM (#1178023) Journal

      That will spoil any plans to expect a new cert in a Christmas stocking instead of a lump of clean coal.

      --
      To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
  • (Score: 5, Interesting) by bzipitidoo on Wednesday September 15 2021, @03:02PM (21 children)

    by bzipitidoo (4388) on Wednesday September 15 2021, @03:02PM (#1177994) Journal

    This illustrates a complaint I've made before about certs: at the magic expiration moment, they go from working perfectly, to not working at all. They're like Cinderella's carriage, instantly turning back into a pumpkin at the stroke of midnight. Or like the first traffic lights, which had only a red and a green, no yellow light. And why? The system ought to include a warning period.

    • (Score: 1, Touché) by Anonymous Coward on Wednesday September 15 2021, @03:15PM

      by Anonymous Coward on Wednesday September 15 2021, @03:15PM (#1178007)

      Sounds like you are asking for a script that runs periodically that checks the site cert expiration date and creates a report/alarm if it will expire soon.

    • (Score: 3, Insightful) by DannyB on Wednesday September 15 2021, @04:21PM (9 children)

      by DannyB (5839) Subscriber Badge on Wednesday September 15 2021, @04:21PM (#1178024) Journal

      It sounds like you're asking for a feature in the certificate that specifies an expiration warning number of days (or an absolute date). Any browser that recognizes and honors this feature would warn that the certificate is due to expire soon.

      Maybe better would be if the certificate also included an expiration notification URL. Any browser recognizing and honoring this feature would poke that URL to alert the site owners that their certificate is about to expire. Sites with soon to expire certificates would experience . . . uh, um . . . the "green site" effect.

      Next up, someone could get themselves a lot of shiny new certificates that have the expiration warning feature, but will poke a URL of some DDOS target site when the certificate is due to expire. Those pin pricks would come from all different sorts of browsers from many locations.

      --
      To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
      • (Score: 1, Insightful) by Anonymous Coward on Wednesday September 15 2021, @04:51PM (5 children)

        by Anonymous Coward on Wednesday September 15 2021, @04:51PM (#1178039)

        No need to add a feature to the cert. Just have the browser check current date against expiration and warn 30 days out.

        • (Score: 0) by Anonymous Coward on Wednesday September 15 2021, @05:01PM (3 children)

          by Anonymous Coward on Wednesday September 15 2021, @05:01PM (#1178043)

          That warns the visitor, not the administrator.

          • (Score: 2) by DannyB on Wednesday September 15 2021, @05:25PM (1 child)

            by DannyB (5839) Subscriber Badge on Wednesday September 15 2021, @05:25PM (#1178054) Journal

            But the visitors can make fun of the administrator.

            Sort of like when the microsoft.com DNS name expired. Some kind soul on the green site renewed it. Microsoft paid him some token amount in the form of a check, which he had framed.

            --
            To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
            • (Score: 0) by Anonymous Coward on Wednesday September 15 2021, @11:01PM

              by Anonymous Coward on Wednesday September 15 2021, @11:01PM (#1178141)

              Just think, with modern banking apps, he could send a picture to his bank to cash it and still frame the check!

              Hmm, any pictures of his framed check on the net?

          • (Score: 1, Insightful) by Anonymous Coward on Wednesday September 15 2021, @05:36PM

            by Anonymous Coward on Wednesday September 15 2021, @05:36PM (#1178060)

            Imagine your average computer illiterate visitor visiting Bank of America and receiving a popup that says the cert is about to expire in 30 days. What the heck is the visitor supposed to care?

        • (Score: 5, Touché) by DannyB on Wednesday September 15 2021, @05:25PM

          by DannyB (5839) Subscriber Badge on Wednesday September 15 2021, @05:25PM (#1178055) Journal

          > Just have the browser check current date against expiration and warn 30 days out.

          That is a needlessly simple solution to a problem which can have a much more complex solution.

          --
          To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
      • (Score: 0) by Anonymous Coward on Wednesday September 15 2021, @07:31PM (2 children)

        by Anonymous Coward on Wednesday September 15 2021, @07:31PM (#1178079)

        > Maybe better would be if the certificate also included an expiration notification URL.

        This site uses Let's Encrypt. They send at least 2 e-mails to the contact prior to expiration giving plenty of time to renew manually, if required.

        • (Score: 4, Touché) by c0lo on Thursday September 16 2021, @12:57AM (1 child)

          by c0lo (156) Subscriber Badge on Thursday September 16 2021, @12:57AM (#1178162) Journal

          The eds need to write an email-to-IRC forwarder. In a deprecated PERL version.

          --
          https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
          • (Score: 0) by Anonymous Coward on Thursday September 16 2021, @02:09AM

            by Anonymous Coward on Thursday September 16 2021, @02:09AM (#1178175)

            There are a couple of those and I’m pretty sure at least one is in Perl.

    • (Score: 1, Insightful) by Anonymous Coward on Wednesday September 15 2021, @04:51PM (3 children)

      by Anonymous Coward on Wednesday September 15 2021, @04:51PM (#1178040)

      Warning the users that the certificate is about to expire is much less helpful than emailing the site administrator who can actually fix the problem.

      • (Score: 0) by Anonymous Coward on Wednesday September 15 2021, @07:46PM (2 children)

        by Anonymous Coward on Wednesday September 15 2021, @07:46PM (#1178083)

        Well, when the site administrator who was taking care of the certificates is driven away from the site, sending an email to said admin just might not result in it getting done.

        • (Score: 2) by MostCynical on Thursday September 16 2021, @08:26AM (1 child)

          by MostCynical (2589) on Thursday September 16 2021, @08:26AM (#1178233) Journal

          This is a problem with domain registration and app stores as well: one person (a named individual) is the registration contact.
          They may be a minor-grade employee at a large company or government department.

          The contact is their email, their phone number, and their name.

          They leave (quit/get fired/die). The effort required to get the name changed is enormous, if it can be done at all.

          There is almost never a 'second contact'. One person is solely responsible for the 'ownership' of the whole company's or government department's entire web presence.

          --
          "I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
          • (Score: 0) by Anonymous Coward on Friday September 17 2021, @03:57AM

            by Anonymous Coward on Friday September 17 2021, @03:57AM (#1178496)

            The tradition of using "admin [at] domain [dot] com" came about for a reason, but it became a spam magnet so we can't have nice things. :(

    • (Score: 5, Interesting) by digitalaudiorock on Wednesday September 15 2021, @05:21PM (1 child)

      by digitalaudiorock (688) on Wednesday September 15 2021, @05:21PM (#1178051) Journal

      > This illustrates a complaint I've made before about certs: at the magic expiration moment, they go from working perfectly, to not working at all.

      Combine that with the fact that the "industry" has decided that we can't buy certs with anything longer than a one year lifetime...because this bullshit apparently wasn't quite annoying enough.

      • (Score: 1, Interesting) by Anonymous Coward on Friday September 17 2021, @03:53AM

        by Anonymous Coward on Friday September 17 2021, @03:53AM (#1178495)

        Limiting certs to a year was because too many old certs were compromised and their contact information was long out of date. Too much set-and-forget-and-retire. A shorter term doesn't eliminate it completely but it limits the impact. Making it yearly also means that the admins can mark a date on their calendar to help them remember.

    • (Score: 0) by Anonymous Coward on Wednesday September 15 2021, @05:58PM

      by Anonymous Coward on Wednesday September 15 2021, @05:58PM (#1178065)

      > The system ought to include a warning period.

      As long as we can list your cell phone number for my mother to call when her computer issues a warning. You can explain the expiring cert issue to her and that it's OK now, but check in a few days (she will call you).

    • (Score: 1) by fustakrakich on Wednesday September 15 2021, @06:44PM

      by fustakrakich (6150) on Wednesday September 15 2021, @06:44PM (#1178070) Journal

      Exactly, and all browsers should have the option to bypass them, and we can leave it at that. I guess Chrome is good for something...

      HTTPS is the devil's work. All certs can be rendered "expired" by the CA, and then how will you get in?

      --
      La politica e i criminali sono la stessa cosa..
    • (Score: 2, Interesting) by vali.magni on Thursday September 16 2021, @07:14AM (1 child)

      by vali.magni (5678) on Thursday September 16 2021, @07:14AM (#1178216)

      Good idea, and I've thought about this earlier. What can work here are X.509 v3 extensions that (a) include information such as escalation paths, degradation strategies upon certificate expiry, etc, and (b) ecosystems that will honour this information and do what needs to be done.

      Today, standard X.509 v3 extensions can contain information about the certificate issuer, public key IDs, usage constraints, policies and policy mappings and more. In the real world, the implementer or ecosystem decides the extensions they will support.

      For example, the Golang runtime generally demands the use of the SAN extension but other runtime environments will happily take the CN field and run with it with or without the SAN extension.

      One might consider using the X.509 "Subject Information Access" private extension defined in RFC5280 but it's a non-critical field, and I am yet to come across software ecosystems that work consistently well with the SIA extension.

      An alternate approach is to ignore these altogether and just go with custom extensions that the browser makers agree upon, but this is a hacky approach that is bound to cause problems in the long term. Others have recommended that browsers themselves check certificate expiry dates and warn users a few weeks before they expire, but this too is ad-hoc behaviour.

      There appears to be no real solution today unless I'm mistaken.

      • (Score: 4, Interesting) by bzipitidoo on Thursday September 16 2021, @02:28PM

        by bzipitidoo (4388) on Thursday September 16 2021, @02:28PM (#1178280) Journal

        While it will help to use X.509 extensions to make degradation more graceful, by adding something analogous to a yellow traffic light (and good on them for providing means to extend the standard), I think the entire idea of date based expiration needs a rethink.

        One rather bad bug in Firefox that was fixed a few years back was its assumption that the system time was reliable. A failure point aging PCs are notorious for is the CMOS battery finally drained of all power some 5 years after purchase, causing it to be unable to remember the current date, instead setting it to a default starting date which may be Jan 1, 1980, or, nowadays, Jan 1, 2005 or so. The OS and Firefox ran with that date, and next thing you had was Firefox throwing up inappropriately scary messages and refusing to load any https at all, because all the certs were too far in the future to be valid. Firefox now uses a build date as a baseline.

        Date based expiration is just plain crude. Much better to base expiration on events. Perhaps the timed expiration idea comes from a notion I heard a long time ago about passwords. The thinking was that a password could be brute forced in perhaps a year's time, and by forcing a password change every 30 days, the brute force work would have to be started over. Today, there's no excuse for using keys weak enough to be brute forced so fast. Throw another 64 bits in, and you've made a weak key into such a strong key that brute force is utterly impractical. So that reason for date based expiry is moot.

  • (Score: 1, Insightful) by Anonymous Coward on Wednesday September 15 2021, @03:14PM (8 children)

    by Anonymous Coward on Wednesday September 15 2021, @03:14PM (#1178004)

    Why don't you have renewals automated? You could use certbot or some lighter-weight alternatives that I've forgotten the names of.

    • (Score: 1, Insightful) by Anonymous Coward on Wednesday September 15 2021, @03:20PM (4 children)

      by Anonymous Coward on Wednesday September 15 2021, @03:20PM (#1178013)

      The current site operators don't have this kind of technical knowledge.

      • (Score: -1, Flamebait) by Anonymous Coward on Wednesday September 15 2021, @05:49PM (3 children)

        by Anonymous Coward on Wednesday September 15 2021, @05:49PM (#1178062)

        That's the problem with diversity hires.

        • (Score: -1, Troll) by Anonymous Coward on Wednesday September 15 2021, @09:50PM (2 children)

          by Anonymous Coward on Wednesday September 15 2021, @09:50PM (#1178121)

          There's just not enough retarded black lesbians to go around.

          • (Score: 1) by NPC-131072 on Wednesday September 15 2021, @11:55PM (1 child)

            by NPC-131072 (7144) on Wednesday September 15 2021, @11:55PM (#1178148) Journal

            Go around where?

            • (Score: 0) by Anonymous Coward on Thursday September 16 2021, @12:59AM

              by Anonymous Coward on Thursday September 16 2021, @12:59AM (#1178163)

              Go around from where they came around.

    • (Score: 2) by Opportunist on Wednesday September 15 2021, @07:20PM (2 children)

      by Opportunist (5545) on Wednesday September 15 2021, @07:20PM (#1178075)

      Heh. That's easier said than done in some circumstances.

      Trust me, I'm (probably) in the same boat as these guys here. If you have to deal with incompatible tech where one hand (the cert renewer) doesn't want to shake the other one (the cert offloader)...

      • (Score: 1, Interesting) by Anonymous Coward on Wednesday September 15 2021, @08:14PM (1 child)

        by Anonymous Coward on Wednesday September 15 2021, @08:14PM (#1178091)

        Running web based validation is problematic when e.g., running multiple web front-ends without shared storage behind them or getting certs for non-webby stuff. But, using DNS validation works around any issues I've seen.

        Just set up a subdomain, e.g., acme.mydomain.dom, and set up certbot to do all your dyndns stuff for certbot there (no scary dyndns stuff in the root of your domain). A trivial hook script to distribute signed certs, and you are done.

        Genuinely curious if you have a use case that can't be worked around by using dns validation. Ditto, curious why this can't be an option for soylent?

        Certbot works if you host your own dns or several hosted dns providers are supported too (you can delegate just the dyndns certbot subdomain to one of these providers, if you want to keep your main domain on your existing provider). And, there are several other options for acme dns domain validation besides certbot, if you prefer.

        • (Score: 1, Interesting) by Anonymous Coward on Thursday September 16 2021, @02:26AM

          by Anonymous Coward on Thursday September 16 2021, @02:26AM (#1178180)

          They can already automate the issuance of certs, I even told them the proper method last time. They just either don’t have an admin with enough time to do so or enough know-how to do so without step-by-step instructions for setting it up. Can’t really blame them as they probably have enough other issues that actually are or at least appear to be better uses of time.

  • (Score: 5, Informative) by Anonymous Coward on Wednesday September 15 2021, @03:16PM (3 children)

    by Anonymous Coward on Wednesday September 15 2021, @03:16PM (#1178008)

    Since you are using Let's Encrypt, you may want to look into running EFF's Certbot. Once set up, it should handle renewals automatically so you don't have to deal with this anymore. It works like a charm for me on my Apache server but it supports a wide variety of hosting options.

    https://certbot.eff.org [eff.org]

    • (Score: 5, Informative) by Thexalon on Wednesday September 15 2021, @03:58PM (1 child)

      by Thexalon (636) on Wednesday September 15 2021, @03:58PM (#1178020)

      And if you don't want it completely automated for some reason, you can also set it up to send you a reminder email instead. Very handy.

      --
      The only thing that stops a bad guy with a compiler is a good guy with a compiler.
      • (Score: 2) by coolgopher on Wednesday September 15 2021, @10:34PM

        by coolgopher (1157) on Wednesday September 15 2021, @10:34PM (#1178137)

        I concur. These days https certs should be set to auto renew. Any CA worth their salt will provide this feature. Personally I use certbot, and at $work it’s auto-renew within the AWS ecosystem.

        Letsencrypt provides easy to follow how-tos on setting it up, and then it’s just a cron job away from not having to worry unless it emails you.

    • (Score: 4, Informative) by bart9h on Wednesday September 15 2021, @04:38PM

      by bart9h (767) on Wednesday September 15 2021, @04:38PM (#1178031)

      I haven't heard of this certbot, seems nice.

      But my server runs OpenBSD, and as usual everything is easy peasy. I just instructed cron to run acme-client (ACME = Automatic Certificate Management Environment) once a month, and I'm done.

  • (Score: 4, Interesting) by owl on Wednesday September 15 2021, @04:08PM

    by owl (15206) on Wednesday September 15 2021, @04:08PM (#1178022)

    You need to set up something like https://dehydrated.io/ [dehydrated.io] and have it run via cron periodically, and let it auto-renew the certs before they expire.

    Then you don't have the problem of "forgetting" to do so before the expiration date.

  • (Score: 1, Touché) by Anonymous Coward on Wednesday September 15 2021, @05:44PM (1 child)

    by Anonymous Coward on Wednesday September 15 2021, @05:44PM (#1178061)

    Soylent News is people, and people make mistakes.

    • (Score: 1, Insightful) by Anonymous Coward on Wednesday September 15 2021, @06:00PM

      by Anonymous Coward on Wednesday September 15 2021, @06:00PM (#1178066)

      And we eat them alive.

  • (Score: 1, Insightful) by Anonymous Coward on Wednesday September 15 2021, @09:29PM

    by Anonymous Coward on Wednesday September 15 2021, @09:29PM (#1178113)

    He tempted fate with his “Uptime” journal.

  • (Score: 2) by crb3 on Thursday September 16 2021, @12:16AM (2 children)

    by crb3 (5919) on Thursday September 16 2021, @12:16AM (#1178153)

    > P.S. The current certs are due to expire December 14, 2021, Please feel free to remind us as that date approaches!

    Crontab yourself a popup reminder on your main console for that. I use Xdialog.

    • (Score: 3, Touché) by c0lo on Thursday September 16 2021, @01:01AM

      by c0lo (156) Subscriber Badge on Thursday September 16 2021, @01:01AM (#1178164) Journal

      And then just make sure your computer is switched off during the holiday season.

      --
      https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
    • (Score: 0) by Anonymous Coward on Thursday September 16 2021, @02:14AM

      by Anonymous Coward on Thursday September 16 2021, @02:14AM (#1178176)

      If you ignore the emails Let’s Encrypt sends you and the fact that it is fairly easy to automate renewals already, wouldn’t it be a better choice for a single-shot command like this to remind yourself?

  • (Score: 2) by darkfeline on Thursday September 16 2021, @05:42AM

    by darkfeline (1030) on Thursday September 16 2021, @05:42AM (#1178199) Homepage

    There are out of the box ACME reverse proxies now. You can stick them in front of your HTTP server and it Just Works.

    Recently I added TLS to the RSS reader server I set up by simply starting a Caddy container. Having to manage and/or let a cert expire is so 2018.

    https://caddyserver.com/ [caddyserver.com]

    --
    Join the SDF Public Access UNIX System today!
  • (Score: 0) by Anonymous Coward on Thursday September 16 2021, @06:03AM (2 children)

    by Anonymous Coward on Thursday September 16 2021, @06:03AM (#1178204)

    Automatic renewal. Problem solved

    • (Score: 0) by Anonymous Coward on Thursday September 16 2021, @12:55PM (1 child)

      by Anonymous Coward on Thursday September 16 2021, @12:55PM (#1178252)

      are you volunteering to implement it?

      • (Score: 0) by Anonymous Coward on Thursday September 16 2021, @09:35PM

        by Anonymous Coward on Thursday September 16 2021, @09:35PM (#1178426)

        I'll buy them a copy of TLS Mastery.

  • (Score: 2) by datapharmer on Thursday September 16 2021, @02:31PM

    by datapharmer (2702) on Thursday September 16 2021, @02:31PM (#1178281)

    While I disagree with the decision not to have automatic certificate renewal, you are right - it could fail. In either case you should have monitoring in place. Many solutions are available but statuscake.com offers certificate monitoring for 1 domain for free and I've been very happy with them in general (I don't get anything out of this endorsement, nor do they since I only use their free service, but feel free to use another service as long as you do something to address the root cause!)
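    The periodic expiry check suggested earlier in the thread ("a script that runs periodically that checks the site cert expiration date and creates a report/alarm") and the monitoring this comment asks for, as an added example that is not code from the thread or from the site: it parses the notAfter field in the format getpeercert() returns, warns inside a threshold window, and reports an already-expired certificate as the verification failure it produces on a live connection. The hostname, the 30-day threshold and the sample certificate are assumptions.

```python
import socket
import ssl
import time
from datetime import datetime, timezone

# Warn this far ahead of notAfter. 30 days is the figure floated in the
# thread; the threshold itself is an assumption, not a site setting.
WARN_DAYS = 30

# Constructed sample in the dict format ssl.SSLSocket.getpeercert() returns.
# The expiry date matches the December 14, 2021 date in the story; the time
# of day and the remaining fields are made up for the example.
SAMPLE_CERT = {
    "subject": ((("commonName", "soylentnews.org"),),),
    "notBefore": "Sep 15 12:00:00 2021 GMT",
    "notAfter": "Dec 14 12:00:00 2021 GMT",
}


def utc_epoch(year, month, day, hour=0):
    """Epoch seconds for a UTC timestamp, so checks can use a fixed 'now'."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc).timestamp()


def days_until_expiry(cert, now):
    """Days from `now` (epoch seconds) until the certificate's notAfter.

    ssl.cert_time_to_seconds parses the 'Mon DD HH:MM:SS YYYY GMT' string
    that getpeercert() produces, treating it as UTC. Negative means expired.
    """
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400


def classify(cert, now, warn_days=WARN_DAYS):
    """Return (state, days_left): OK, WARN inside the window, or EXPIRED."""
    days = days_until_expiry(cert, now)
    if days < 0:
        return "EXPIRED", days
    if days <= warn_days:
        return "WARN", days
    return "OK", days


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Fetch the leaf certificate dict for host with full verification on.

    Needs network access; not exercised by the offline sample above.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def check_host(host, now=None, warn_days=WARN_DAYS):
    """Live check returning (state, message).

    An already-expired certificate never reaches classify(): the verified
    handshake fails first, which is exactly the outage the story describes,
    so that case is reported as FAIL with OpenSSL's verify message.
    """
    try:
        cert = fetch_peer_cert(host)
    except ssl.SSLCertVerificationError as exc:
        return "FAIL", f"{host}: certificate verification failed: {exc.verify_message}"
    except (OSError, ssl.SSLError) as exc:
        return "ERROR", f"{host}: connection failed: {exc}"
    state, days = classify(cert, time.time() if now is None else now, warn_days)
    return state, f"{host}: {state}, {days:.1f} days until {cert['notAfter']}"


if __name__ == "__main__":
    # Offline demonstration on the constructed sample, then a live check
    # (hostname taken from the story; replace with your own monitored host).
    for when in ((2021, 10, 1, 12), (2021, 11, 20, 12), (2021, 12, 15, 12)):
        state, days = classify(SAMPLE_CERT, utc_epoch(*when))
        print(f"as of {when}: {state} ({days:.1f} days left)")
    print(check_host("soylentnews.org")[1])
```

Run it from cron and alert on anything other than OK; a FAIL from the live check means visitors are already seeing the browser error.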
