posted by janrinok on Monday February 05, @08:30AM

Many of you will have experienced the problems with the expired certificates. Unfortunately, our one remaining sysadmin is away from home until 1400 Monday (US time - tz unknown) and he has been away for a while.

We have requested NCommander and k0lie to assist. They have declined.

We all have real jobs and lives to live too and this is just one of those things.

Unfortunately it seems that the problem will continue for another 36 hours.

UPDATE: Audioguy has fixed the site. Thank you ag! Jan

This discussion was created by janrinok (52) for logged-in users only, but now has been archived. No new comments can be posted.
  • (Score: 5, Insightful) by drussell on Sunday February 04, @12:07PM (32 children)

    by drussell (2678) on Sunday February 04, @12:07PM (#1342997) Journal

    Why are we advertising HSTS anyway?

    If I want to connect insecurely, isn't that my business?

    Shouldn't I be able to pull a 286 out of mothballs and connect with NCSA Mosaic if I wish to?

    • (Score: 3, Interesting) by ElizabethGreene on Sunday February 04, @12:30PM (26 children)

      by ElizabethGreene (6748) Subscriber Badge on Sunday February 04, @12:30PM (#1342999) Journal

      My naive expectation is that Mosaic would ignore the unknown (to it) HSTS header. Do you mind digging out that box and testing it?

      • (Score: 5, Insightful) by drussell on Sunday February 04, @12:40PM (16 children)

        by drussell (2678) on Sunday February 04, @12:40PM (#1343001) Journal

        > My naive expectation is that Mosaic would ignore the unknown (to it) HSTS header. Do you mind digging out that box and testing it?

        That was really two separate points...

        I'm asking why we are even trying to force HTTPS-only in any case in the first place?

        Yes, ancient 16-bit Mosaic wouldn't know what HSTS was, it wouldn't even know what HTTPS is. I don't think that even existed before Netscape, IIRC.

        That was my point, why shouldn't I be able to connect to SN insecurely if I choose to, using whatever insecure method or protocol I wish?

        (Sure, if I actually logged in, I would probably wish to securely change my password afterwards, but shouldn't I always be allowed to connect via whatever method *I* choose?)

        • (Score: 4, Informative) by Rosco P. Coltrane on Sunday February 04, @01:43PM (14 children)

          by Rosco P. Coltrane (4757) on Sunday February 04, @01:43PM (#1343002)

          I'm guessing you're running Firefox. It's the only browser that makes it extra difficult to bypass bad certificates when HSTS is asserted.

          Here's the trick: clear data and cookies for the site and reload: the page should show you a warning and an option to continue.

          • (Score: 0) by Anonymous Coward on Sunday February 04, @03:24PM (8 children)

            by Anonymous Coward on Sunday February 04, @03:24PM (#1343003)

            I'm in with Chrome (not my preferred browser), it let me "connect insecurely".

            Then tried your Firefox tip, cleared the soylentnews.com cookie & reloaded the page. Still no joy in my version, the "Advanced" button is still grayed out. But thanks for trying!

            • (Score: 2) by Rosco P. Coltrane on Sunday February 04, @03:28PM (4 children)

              by Rosco P. Coltrane (4757) on Sunday February 04, @03:28PM (#1343005)

              Damn... Well it works with LibreWolf, which is the Firefox variant I use. But maybe LibreWolf actually brought some sanity to this that Firefox isn't blessed with. I assumed straight Firefox would work the same way.

              • (Score: 0) by Anonymous Coward on Sunday February 04, @03:46PM (3 children)

                by Anonymous Coward on Sunday February 04, @03:46PM (#1343008)

                Understood.
                For future reference, this might apply? (grin)

                Never assume, it makes an ass of u and me.

            • (Score: 2) by drussell on Sunday February 04, @03:56PM

              by drussell (2678) on Sunday February 04, @03:56PM (#1343009) Journal

              Just use a blank profile.

              You can get to Profile Manager using about:profiles in the location bar or by invoking with firefox.exe -P.

              I always keep a shortcut to a minimal profile pointing to "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" -private -P "minimal" on Windows, or firefox -private -P "minimal" on FreeBSD.

              (It works here on FireFox 115.7.0/esr on Windows 7 and slightly older FireFox 115.5.0/esr on FreeBSD that I'm currently running here, anyway. "Accept the Risk and Continue" appears.)

            • (Score: 2) by drussell on Sunday February 04, @04:02PM

              by drussell (2678) on Sunday February 04, @04:02PM (#1343012) Journal

              > Still no joy in my version, the "Advanced" button is still grayed out.

              That's weird. It should never be greyed out.

              It should at least allow you to view the certificate when you click Advanced even though it doesn't give you the option to Accept the Risk and Continue when it has its knickers in a knot over HSTS.

              (Panties in a bunch? I'm not ever really sure what FireFox is doing these days... or, more correctly, what Mozilla is doing to Firefox. It's some sort of abuse, whatever it is.)

            • (Score: 2, Interesting) by pTamok on Sunday February 04, @04:20PM

              by pTamok (3042) on Sunday February 04, @04:20PM (#1343013)

              > in my version, the "Advanced" button is still grayed out

              Have you tried clicking the 'greyed-out' button? I think it is a 'dark pattern', in that on the version of FF I'm using, although the button is coloured grey, it is still clickable.

          • (Score: 4, Informative) by drussell on Sunday February 04, @03:43PM (1 child)

            by drussell (2678) on Sunday February 04, @03:43PM (#1343007) Journal

            > Here's the trick: clear data and cookies for the site and reload: the page should show you a warning and an option to continue.

            On FireFox, it is easier to just load a blank profile to do something like this.

            I have always had a shortcut to loading a "Private - Minimal" profile in a second browser. I actually use a minimal profile and work the web most of the time these days in Private Mode since every site wants to force you to store "required cookies" including things like facebook or google analytics. I just hit "accept minimal," knowing full well that they'll all be deleted as soon as I exit. I only use the "normal" mode of any browser for specific sites anymore. Everything else is in auto-delete private mode in a separate browser instance.

            Upgrading both my main laptops to 16GB of RAM makes this much nicer, works great for running my VMs also, even alongside bloated, memory-leaking browsers, etc. Also recently splurged on Crucial MX 4TB SSDs for the old beasts (10+ years old machines) but it was a bit of a pain to convert over the existing FreeBSD and Windows 7 dual-boot installations' partition to UEFI for the > 2TB, but it's up and running now. It's really nice to be able to completely disable virtual memory again like I always ran on my previous Windows 2000 based laptops. The virtual memory manager on Windows still sucks, it's so much faster and slicker all-around with no pagefile. It's also nicer for longevity of the SSD to not swap.

            $27 CAD for two 8GB SODIMMs of 1600 MHz DDR3 is a steal. Memory is dirt cheap these days. Well worth the money. One of the machines wasn't even running dual channel at all before! The other had 6GB stock, so only the first 2+2GB of it was being accessed in dual channel!! Insane!

            I just wish these machines had M.2 slots for the disks, but even at "only" 600 MB/s SATA, with no seek time it's still certainly better than the old 750 GB WD Caviar. :)

            • (Score: 2) by boltronics on Monday February 05, @07:28AM

              by boltronics (580) on Monday February 05, @07:28AM (#1343064) Homepage Journal

              I use different Firefox profiles also, but hadn't considered using it as a work-around here. Another option would be Mozilla's Multi-Account Containers extension, which is a killer Firefox feature IMO. I don't think any other free software browser has anything quite like it.

              As for RAM, I found 32GB (2x16GB) of Corsair Vengeance DDR4 3200 desktop RAM in my local e-waste bin late last year. It works perfectly. It wasn't even worth the effort to try to sell it, apparently.

              --
              It's GNU/Linux dammit!
          • (Score: 0) by Anonymous Coward on Sunday February 04, @08:02PM (1 child)

            by Anonymous Coward on Sunday February 04, @08:02PM (#1343031)

            Just as a FYI, it works ok with Palemoon. You get a warning and have to accept the risks, but then it works.

          • (Score: 2) by hendrikboom on Monday February 05, @06:52PM

            by hendrikboom (1125) Subscriber Badge on Monday February 05, @06:52PM (#1343182) Homepage Journal

            Chromium on Linux did not allow me to bypass HSTS. Might this be different from Chrome?

        • (Score: 2) by Revek on Monday February 05, @02:15PM

          by Revek (5022) on Monday February 05, @02:15PM (#1343124)

          I connected insecurely with chrome. It's always an option with an expired certificate. With chrome you just type "thisisunsafe" and hit enter.

          --
          This page was generated by a Swarm of Roaming Elephants
      • (Score: 3, Interesting) by SomeGuy on Sunday February 04, @05:57PM (5 children)

        by SomeGuy (5632) on Sunday February 04, @05:57PM (#1343018)

        Well, I'm running Windows 95 with Retrozilla (SeaMonkey 1.8 with encryption updates) and all I had to do was click "continue" on a warning dialog.

        On a side note, I have recently had the task of looking up large amounts of crap on the Internet. I constantly run into web sites whose certificate has expired. Also, unsurprisingly to me, there are still a number of HTTP only sites.

        • (Score: 5, Funny) by Anonymous Coward on Sunday February 04, @07:50PM

          by Anonymous Coward on Sunday February 04, @07:50PM (#1343027)

          > Well, I'm running Windows 95

          You're not just SomeGuy, you're that guy!

        • (Score: 2) by hendrikboom on Monday February 05, @06:54PM (3 children)

          by hendrikboom (1125) Subscriber Badge on Monday February 05, @06:54PM (#1343183) Homepage Journal

          My website is still http only. It's a static website. Don't see the point in going to all the trouble of expired certificates.

          • (Score: 0) by Anonymous Coward on Tuesday February 06, @01:22AM

            by Anonymous Coward on Tuesday February 06, @01:22AM (#1343245)

            My tiny company static website was http only, and we had no intentions of changing it...but our ISP "upgraded" us to https somehow automagically. This was a couple of years ago, haven't had any problem with certs timing out, so I guess the ISP is renewing them magically as well!

          • (Score: 2) by RS3 on Tuesday February 06, @01:24AM

            by RS3 (6367) on Tuesday February 06, @01:24AM (#1343246)

            I felt the same until recently when I learned about how much ISPs and other "entities" are in fact spying on us and everything we do online. Even with ssl they know who we are, and whatever website we connect to.

          • (Score: 2) by Reziac on Tuesday February 06, @02:15AM

            by Reziac (2489) on Tuesday February 06, @02:15AM (#1343249) Homepage

            Same with mine. Static site with zero scripting and basic HTML. Can't be arsed to change it when there's no reason to do so.

            --
            And there is no Alkibiades to come back and save us from ourselves.
      • (Score: 2) by EvilSS on Sunday February 04, @07:46PM

        by EvilSS (1456) Subscriber Badge on Sunday February 04, @07:46PM (#1343024)
        Not sure about Mosaic but it works fine with Netscape Navigator 9.0.0.6 (posting with it now). Just get a cert warning but it allows bypassing it.
      • (Score: 2) by RS3 on Sunday February 04, @07:53PM

        by RS3 (6367) on Sunday February 04, @07:53PM (#1343028)

        My "normal" browsers won't connect, but I'm writing this in IE 11.0.9600.19596IS running on Win7 Ultimate.

      • (Score: 3, Interesting) by Luke on Monday February 05, @09:11AM

        by Luke (175) on Monday February 05, @09:11AM (#1343075)

        Just compiled Mosaic ... the site defaults to https, I get a 301 error and nothing doing.

        The double-duck won't work either, but google does (http)

    • (Score: 2) by RS3 on Sunday February 04, @07:48PM

      by RS3 (6367) on Sunday February 04, @07:48PM (#1343026)

      (Obviously) some people feel (too) strongly about security. I'm with you- it should be my choice if I attach ssl or plain text. Servers I admin keep port 80 open because there are many links out there pointing to http not https. That said, I'd be okay with a redirect, but again, it's not been an issue.

    • (Score: 3, Insightful) by Opportunist on Monday February 05, @01:32PM (1 child)

      by Opportunist (5545) on Monday February 05, @01:32PM (#1343117)

      HSTS does more than block access to a site if it isn't considered secure. It also changes any http request into a https request before making that request altogether, which disables security downgrade attacks.

      Aside from that, it also means that any mitm attacks get thwarted. If you want to complain, please do so to the millions of idiots who fall for insecure sites and then blame the sites, their ISP or the powers that are for their stupidity.

      • (Score: 2, Informative) by Anonymous Coward on Monday February 05, @05:19PM

        by Anonymous Coward on Monday February 05, @05:19PM (#1343163)

        > HSTS does more than block access to a site if it isn't considered secure. It also changes any http request into a https request before making that request altogether, which disables security downgrade attacks.

        Well, not really, HSTS may make a MITM/downgrade attack somewhat more difficult but it cannot actually prevent them since HSTS does not actually do anything for the first connection to a particular domain, and whatever protections it does manage to offer inevitably lapse after some time.

        HSTS only works if the browser has connected via HTTPS previously, and the browser has kept a record of this fact, and the HSTS expiry date has not passed for the domain in question.

        The second point implies that using HSTS is in direct opposition to user privacy (the browser has to keep a record of domains it has previously connected to, otherwise HSTS will not work). Servers can abuse these browser-side HSTS behaviours for information storage to reliably and uniquely identify repeat visitors, in a way that's much less visible to the user than traditional cookies (and some implementations, like the one in Internet Explorer, would keep HSTS records even after deleting browsing history -- I don't know if Edge is better). IMO these problems are much bigger threats to most people than active MITM attacks, and active attacks usually imply some level of targeted attack (where HSTS is unlikely to offer significant protection) so HSTS is really not a great tradeoff.

    • (Score: 2) by Reziac on Tuesday February 06, @02:12AM (1 child)

      by Reziac (2489) on Tuesday February 06, @02:12AM (#1343248) Homepage

      That was my thought too. Why not fall back on an "insecure" connection? and allow it for old systems?

      [Suffers temptation to break out the working 286 and WebSpyder for DOS]

      --
      And there is no Alkibiades to come back and save us from ourselves.
      • (Score: 2) by drussell on Tuesday February 06, @02:27AM

        by drussell (2678) on Tuesday February 06, @02:27AM (#1343252) Journal

        Exactly!

        This isn't someone's online banking, FFS... :)

        Sure, you can connect and login securely if you wish, but for a tech-centric site to actively block using standard HTTP to at least even browse the site seems silly to me.

        "Free SoylentNews!" from the shackles of ..erm.. whatever forced HTTPS is!?! :)

  • (Score: 5, Funny) by Rosco P. Coltrane on Sunday February 04, @12:16PM (1 child)

    by Rosco P. Coltrane (4757) on Sunday February 04, @12:16PM (#1342998)

    I DEMAND 24/7 support because I use the service for free!

    • (Score: 0) by Anonymous Coward on Sunday February 04, @03:27PM

      by Anonymous Coward on Sunday February 04, @03:27PM (#1343004)

      Here, have this girdle -- 24/7 support assured!

  • (Score: 2) by Gaaark on Sunday February 04, @09:33PM (6 children)

    by Gaaark (41) on Sunday February 04, @09:33PM (#1343036) Journal

    The two people with the keys to the Kingdom have declined to help....

    --
    --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
    • (Score: 3, Informative) by drussell on Sunday February 04, @10:15PM

      by drussell (2678) on Sunday February 04, @10:15PM (#1343037) Journal

      To be fair, it seems that one of those people doesn't actually have the access that we thought, so it's not their fault for "not helping."

    • (Score: 5, Informative) by kolie on Monday February 05, @06:29PM (4 children)

      by kolie (2622) on Monday February 05, @06:29PM (#1343175) Journal

      I didn't decline to help. I was out of town with no computer access traveling with my children. I offered assistance when I was able again. Hard to help only on my phone. Per my email - I would support this AM if it wasn't resolved. Also other people had the keys, as you have now seen.

      • (Score: 4, Interesting) by janrinok on Monday February 05, @06:45PM (2 children)

        by janrinok (52) Subscriber Badge on Monday February 05, @06:45PM (#1343181) Journal

        It seems that Americans interpret 'decline' as something negative, which is not quite the same as my experience on this side of the pond. There was no offence intended and I explained this earlier here: https://soylentnews.org/comments.pl?noupdate=1&sid=59699&page=1&cid=1343102#commentwrap. One might decline an extra piece of cake without anyone taking any offence over it, or decline an invitation to go out one evening.

        There are only 3 people who now have the keys, NCommander, Audioguy and yourself. Audioguy had been away from home for over a week and was just beginning his long journey back. There was nobody else.

        • (Score: 3, Informative) by RS3 on Monday February 05, @08:26PM

          by RS3 (6367) on Monday February 05, @08:26PM (#1343202)

          > It seems that Americans interpret 'decline' as something negative

          'American' here, and yes, I agree with your observation. In fact most Americans interpret many words as having some kind of emotional weight. Makes verbal communication very tricky, especially when some people interpret a given word differently from other people. Of course context is often key.

        • (Score: 3, Insightful) by Reziac on Tuesday February 06, @02:20AM

          by Reziac (2489) on Tuesday February 06, @02:20AM (#1343250) Homepage

          In American English, "declined to help" means "said they won't help" without qualification, and tends to imply a snub.

          Anyway, I am glad to hear it was no such thing, and instead was the perfectly reasonable "can't get there from here".

          Very happy the site is back, and thank you all for making it so.

          --
          And there is no Alkibiades to come back and save us from ourselves.
      • (Score: 2) by Gaaark on Monday February 05, @09:49PM

        by Gaaark (41) on Monday February 05, @09:49PM (#1343215) Journal

        App-alogies to everyone!

        Yeah, 'declined' does kind of trigger...

        Thanks everyone for the good work. SN goes back to 11!! ;)

        --
        --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
  • (Score: 1) by Runaway1956 on Monday February 05, @01:29AM (1 child)

    by Runaway1956 (2926) Subscriber Badge on Monday February 05, @01:29AM (#1343046) Journal

    Set a reminder that the site's certs expire on Feb 1.

    Hey Google!

    Set a reminder that the site's certs expire on Feb 2.

    Hey Google!

    Set another reminder that the site's certs really do expire on Feb 3.

  • (Score: 4, Disagree) by sigterm on Monday February 05, @02:13AM (14 children)

    by sigterm (849) on Monday February 05, @02:13AM (#1343048)

    I'm going to say this plainly and clearly: There is absolutely no excuse for this.

    Certificate renewal can and should be automated. I'm managing a number of servers running various services that rely on TLS certificates, and I, as the sole sysadmin, have to do precisely nothing in order to ensure that the services keep running with valid certificates at all times.

    Setting up a cron job running an autoupdate script (that will trigger an e-mail should something go wrong) took me all of 15 minutes. That included some custom scripting to trigger a certificate reload on the e-mail service, the HA proxy, and the SSL VPN service.

    This is not hard. In fact, it's the exact opposite. Anyone who's ever been in somewhat close proximity to a command prompt should be able to do it.

    SoylentNews is supposed to be a site for and by techies. Get this fixed.

    • (Score: 4, Insightful) by RS3 on Monday February 05, @03:38AM

      by RS3 (6367) on Monday February 05, @03:38AM (#1343053)

      I agree in part, and respectfully disagree in part.

      As much as I love automation, I considered setting up cron to do certs updates on servers I admin, but I really don't need my life disrupted by things going awry when I don't have the time to deal with the problem, the stress and hassle aside.

      Have you offered to help with SN admin?

    • (Score: 0) by Anonymous Coward on Monday February 05, @06:36AM (1 child)

      by Anonymous Coward on Monday February 05, @06:36AM (#1343059)
      I think it's a wildcard cert. It's slightly trickier to automate renewal of Let's Encrypt wildcard certs - need some DNS stuff.

      For my organization I use a non-wildcard cert with lots of alt-names and that's easier to renew - just involves pfSense's HA Proxy (doesn't even involve any of the backend webservers/websites and doesn't require any DNS changes). Let's Encrypt's limit is 100 alt names which is more than enough for us.

      Maybe SN's usage requires a wildcard cert.
      • (Score: 2) by RS3 on Monday February 05, @04:11PM

        by RS3 (6367) on Monday February 05, @04:11PM (#1343146)

        Just checked- yup, *.soylentnews.org

        Thanks for pointing that out- that's another thing to fix.

    • (Score: 2) by darkfeline on Monday February 05, @06:36AM

      by darkfeline (1030) on Monday February 05, @06:36AM (#1343060) Homepage

      +1. In the age of ACME, you can slap Caddy in front of anything and get TLS cert renewal for free.

      --
      Join the SDF Public Access UNIX System today!
    • (Score: 5, Insightful) by pTamok on Monday February 05, @09:25AM (1 child)

      by pTamok (3042) on Monday February 05, @09:25AM (#1343081)

      > There is absolutely no excuse for this.

      > Certificate renewal can and should be automated. I'm managing a number of servers running various services that rely on TLS certificates, and I, as the sole sysadmin, have to do precisely nothing in order to ensure that the services keep running with valid certificates at all times.

      There are enough people who can offer technical solutions, but the root cause is not a technical one.

      Soylentnews is stuck in a limbo transitioning from one group of people who own/take responsibility for the site and a possible other group. You may have noticed the difficulty in finding some volunteers to serve on the board of new organisation to take over Soylentnews. The governance issues surrounding the transfer to enable the continuing 'life' of Soylentnews have been gnarly - just look at the governance IRC logs, and the Meta postings regarding this, plus the journals of some of the involved people.

      So the certificate expiry was not a technical problem as such, but caused by a long-term and ongoing people problem, which is proving difficult to solve.

      If you have the ability and wish to serve to help Soylentnews continue, please volunteer. The site needs people, and once the site has people to fill the legally necessary positions, technical solutions to some of the problems (like manual certificate renewal) can be addressed. The site needs some unpaid volunteers who can, amongst other things, fill the legally required roles in the new organisation. If you can volunteer, please do so. I can't, and regret it.

      • (Score: 3, Insightful) by sigterm on Monday February 05, @11:20AM

        by sigterm (849) on Monday February 05, @11:20AM (#1343099)

        > There are enough people who can offer technical solutions, but the root cause is not a technical one.

        Absolutely, and that was my point. The technical fix is easy, and there are myriads of people who can do it. That leaves only two possible reasons for why it hasn't been done: 1) Those in charge don't know that the task needs doing, or 2) they are unable or unwilling to recruit the right people.

        > Soylentnews is stuck in a limbo transitioning from one group of people who own/take responsibility for the site and a possible other group.

        Translation: The previous guys didn't know how to run the site properly, and it seems neither do the new guys.

        > You may have noticed the difficulty in finding some volunteers to serve on the board of new organisation to take over Soylentnews.

        I have indeed.

        > The governance issues surrounding the transfer to enable the continuing 'life' of Soylentnews have been gnarly - just look at the governance IRC logs, and the Meta postings regarding this, plus the journals of some of the involved people.

        I've read the meta posts, and they gave me a headache. It was all about how person X failed to communicate with person Y, so persons A and B got involved, which resulted in endless bickering, long posts about $person_X being a primadonna, but how it wasn't really $person_Y's fault that everything consistently went haywire, and also red tape and legal issues.

        For some reason, I find this hasn't inspired confidence in either the process or the people involved. Sorry, that's just how it is.

        > So the certificate expiry was not a technical problem as such, but caused by a long-term and ongoing people problem, which is proving difficult to solve.

        I hate to say it, but this is entirely an issue with management. Or rather the complete lack thereof.

        > If you have the ability and wish to serve to help Soylentnews continue, please volunteer, The site needs people, and once the site has people to fill the legally necessary positions, technical solutions to some of the problems (like manual certificate renewal) can be addressed.

        I highly doubt anyone would be willing to hand me (or anyone else) the required powers to actually fix these serious, persistent issues.

        As things stand, I'm not touching this dumpster fire with a barge pole.

    • (Score: 2) by Opportunist on Monday February 05, @01:38PM (7 children)

      by Opportunist (5545) on Monday February 05, @01:38PM (#1343120)

      Oh good, you'll do the helping with the automatization of their renewal process because I don't have the time to anyway.

      Thanks a bunch.

      • (Score: 2) by sigterm on Monday February 05, @05:46PM (6 children)

        by sigterm (849) on Monday February 05, @05:46PM (#1343169)

        As others have pointed out, this is not a technical issue. Automating the certificate renewal process would take an absolute neophyte about 10 minutes of googling.

        The systemic issues that lead to this not being done are not something I can fix, and besides, they're not asking for help with that.

        • (Score: 3, Informative) by drussell on Monday February 05, @06:39PM (4 children)

          by drussell (2678) on Monday February 05, @06:39PM (#1343179) Journal

          > Automating the certificate renewal process would take an absolute neophyte about 10 minutes of googling.

          Bullshit!

          There are multiple servers involved; there are things like files to be transferred and daemons that need to be flogged or restarted, requiring scripts to be written. You're being absurdly disingenuous.

          If what you imply were actually true, it would have been fully automated properly already.

          (By the way, there are plenty of things that were previously automated, or at least well documented for other admins than the various persons who set up item A B and C, or X Y and Z to follow and maintain relatively easily on a live site before ahem someone ahem rode in, smashed up the place, broke everything and then ran away, leaving everyone else in a lurch with their hands in the air going "WTF?!")

          Demeaning the remaining people who are trying to hold the place together and find a trajectory out of the mess isn't exactly "helping" the situation in any way, now is it there, Mr. -15? 🙄

          • (Score: 3, Insightful) by sigterm on Tuesday February 06, @04:38AM (3 children)

            by sigterm (849) on Tuesday February 06, @04:38AM (#1343270)

            > Automating the certificate renewal process would take an absolute neophyte about 10 minutes of googling.

            > Bullshit!

            Really? As it happens, I've done this more times than I care to remember.

            It used to be a bit of a pain, back when it involved dynamically updating DNS records at an external provider, either by using some proprietary API, or by scraping their management web site (which could of course change at any time, thus breaking your setup).

            But now, with Let's Encrypt? There are multiple tools available, and you pretty much have to make a conscious effort not to find them. If you can make a text file containing your domain names on separate lines, you can automate the certificate renewal process.

            > There are multiple servers involved, there are things like files to be transferred, daemons that need to be flogged or restarted requiring scripts to be written, you're being absurdly disingenuous.

            No, I'm not. Copying files to other servers is not hard. Sending reload signals to processes, or restarting them if they lack a reload mechanism, isn't hard. In fact, it's such basic sysadmin work that if you can't do it, you have no business being anywhere near a server.

            Example: Use dehydrated, put the commands doing all the above in the "hook" script, done.

            > If what you imply were actually true, it would have been fully automated properly already.

            So if something doesn't work, then it must be hard, because otherwise it would have been fixed? Now who's being ridiculous?

            All the thousands upon thousands of volunteer- and hobbyist-run websites and forums that seem to manage to renew their certificates every 90 days, are they all run by geniuses?

            BTW, you get warnings weeks ahead of a certificate expiring. Is reading a mail also very hard, since evidently no-one did?

            Demeaning the remaining people who are trying to hold the place together and find a trajectory out of the mess isn't exactly "helping" the situation in any way, now is it there, Mr. -15?

            I'm not demeaning anyone. I'm pointing out that simple stuff wasn't done, and that the explanation for that isn't "oh, it's so hard." I'm suggesting that all the back-and-forth that's been going on for years at this time has not only left the site without proper admins, but also made most people hesitant to volunteer.

            And for that I've been shouted at, called a liar, and had my posts modded "troll" and "flamebait," although they quite obviously are neither. SoylentNews is indeed people, and what a great bunch they are. I'm sure this exchange has inspired lots of readers to volunteer.
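            As an added illustration of the "hook script" approach described in the post above (example code written for this page; it is not sigterm's script and not part of the dehydrated project itself), here is a hook that follows dehydrated's documented calling convention, `hook.sh deploy_cert DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP`: it installs the renewed key and chain atomically, copies them to any other servers, and reloads the daemons. The destination path, the host list and the reload command are placeholders, meant to be overridden from the environment.

```shell
#!/bin/sh
# Added example: a dehydrated-style deploy hook.
# Assumptions (placeholders, not from the post): the certificate directory,
# the list of remote hosts, and the command that makes daemons re-read the files.
CERT_DEST_DIR="${CERT_DEST_DIR:-/etc/ssl/site}"        # placeholder path
RELOAD_CMD="${RELOAD_CMD:-systemctl reload nginx}"     # placeholder reload/restart command
REMOTE_HOSTS="${REMOTE_HOSTS:-}"                        # e.g. "web2 web3"; empty = local only

log() { printf '%s hook: %s\n' "$(date -u +%FT%TZ)" "$*" >&2; }

# Called by dehydrated once per renewed certificate.
deploy_cert() {
    DOMAIN="$1"; KEYFILE="$2"; CERTFILE="$3"; FULLCHAINFILE="$4"; CHAINFILE="$5"; TIMESTAMP="$6"
    # Refuse to deploy anything that is missing or empty: a bad renewal must
    # never replace a working certificate.
    [ -s "$KEYFILE" ] && [ -s "$FULLCHAINFILE" ] || {
        log "refusing to deploy $DOMAIN: key or fullchain missing/empty"; return 1; }

    dest_key="$CERT_DEST_DIR/$DOMAIN.key"
    dest_chain="$CERT_DEST_DIR/$DOMAIN.fullchain.pem"
    mkdir -p "$CERT_DEST_DIR" || return 1

    # Write to a temporary name and rename, so a daemon never reads a half-written file.
    cp "$KEYFILE" "$dest_key.tmp" && chmod 600 "$dest_key.tmp" && mv "$dest_key.tmp" "$dest_key" || return 1
    cp "$FULLCHAINFILE" "$dest_chain.tmp" && chmod 644 "$dest_chain.tmp" && mv "$dest_chain.tmp" "$dest_chain" || return 1
    log "installed $DOMAIN (issued $TIMESTAMP) into $CERT_DEST_DIR"

    # Push the same two files to the other servers and reload there.
    for host in $REMOTE_HOSTS; do
        log "copying $DOMAIN files to $host"
        rsync -a "$dest_key" "$dest_chain" "$host:$CERT_DEST_DIR/" || return 1
        ssh "$host" "$RELOAD_CMD" || return 1
    done

    log "reloading locally: $RELOAD_CMD"
    eval "$RELOAD_CMD"
}

# Called by dehydrated when the certificate is still fresh; nothing to do but say so.
unchanged_cert() {
    log "$1 is still valid, nothing to deploy"
}

# dehydrated invokes the hook as: hook.sh <handler> <args...>
if [ "$#" -gt 0 ]; then
    HANDLER="$1"; shift
    case "$HANDLER" in
        deploy_cert|unchanged_cert) "$HANDLER" "$@" ;;
        *) ;;   # other handlers (challenge deployment etc.) are not needed by this hook
    esac
fi
```

            Point dehydrated at it with `HOOK=/path/to/hook.sh` in its config; the cron job that runs `dehydrated -c` then does the whole copy-and-reload cycle, and any failure in the hook leaves the previous files in place.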

            • (Score: 2) by drussell on Tuesday February 06, @04:52AM (2 children)

              by drussell (2678) on Tuesday February 06, @04:52AM (#1343273) Journal

              I'm pointing out that simple stuff wasn't done, and that the explanation for that isn't "oh, it's so hard."

              Nobody said it was "so hard", it is more that nobody with enough time has the access to do it, and there is the omnipresent danger that the person that screwed it up in the first place is going to run in at any moment and break stuff again. Until that situation is dealt with, the systems are all basically in static, maintenance-only mode.

              You may not like this, or agree with it or the reasons for it, but it is a fact.

              Please stop being obtuse, friend. ;)

              • (Score: 3, Insightful) by sigterm on Tuesday February 06, @05:19AM (1 child)

                by sigterm (849) on Tuesday February 06, @05:19AM (#1343279)

                Nobody said it was "so hard", it is more that nobody with enough time has the access to do it

                How is this not exactly my point?

                • (Score: 3, Insightful) by drussell on Tuesday February 06, @05:24AM

                  by drussell (2678) on Tuesday February 06, @05:24AM (#1343281) Journal

                  It is not an insurmountable problem, but it is a lot harder than "any neophyte with about 10 minutes of googling" can do, for goodness sake...

                  Whatever, man.

                  Keep just complaining then, I guess. You do you.

        • (Score: 2) by Opportunist on Monday February 05, @09:04PM

          by Opportunist (5545) on Monday February 05, @09:04PM (#1343209)

          Since I am responsible for a server with a very particular setup I can say that in theory it's a trivial task for the intern, but in practice there can be an awful lot of pitfalls that can cause trouble.

          I wouldn't say that it has to be easy... but I'd like to know what the pitfall is in this case.

  • (Score: 5, Informative) by pTamok on Monday February 05, @09:14AM (1 child)

    by pTamok (3042) on Monday February 05, @09:14AM (#1343077)

    # echo | openssl s_client -servername soylentnews.org -connect soylentnews.org:443 2>/dev/null | openssl x509 -noout -issuer -subject -dates
    issuer=C = US, O = Let's Encrypt, CN = R3
    subject=CN = *.soylentnews.org
    notBefore=Feb 5 03:53:46 2024 GMT
    notAfter=May 5 03:53:45 2024 GMT

    I hope things are either automated by then, or we have better admin coverage.

    Don't take this as criticism of the current volunteer admin: they are allowed to have a life too.

    I'm grateful they found the time to solve the immediate problem.
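    As an added example (not pTamok's code), here is a small script that turns the `openssl x509 -noout -dates` output quoted above into an expiry check: it warns a configurable number of days before notAfter, reports an expired certificate, and also flags the "not yet valid" case that a slow system clock produces. The sample output is copied from the comment; the `fetch_dates_output` helper, which runs the same openssl pipeline over the network, is an assumption for convenience and is only used when the script is executed directly.

```python
"""Added example: parse `openssl x509 -noout -issuer -subject -dates` output
and classify the certificate relative to a given point in time."""
import re
import subprocess
from datetime import datetime, timezone

# Constructed sample, copied from the openssl output quoted in the comment.
SAMPLE_OUTPUT = """issuer=C = US, O = Let's Encrypt, CN = R3
subject=CN = *.soylentnews.org
notBefore=Feb  5 03:53:46 2024 GMT
notAfter=May  5 03:53:45 2024 GMT
"""

# openssl prints dates like "May  5 03:53:45 2024 GMT" (single-digit day padded with a space).
OPENSSL_DATE_FMT = "%b %d %H:%M:%S %Y %Z"


def parse_openssl_date(value):
    """Parse one openssl date string into an aware UTC datetime."""
    normalized = re.sub(r"\s+", " ", value.strip())
    return datetime.strptime(normalized, OPENSSL_DATE_FMT).replace(tzinfo=timezone.utc)


def parse_dates_output(text):
    """Split the key=value lines printed by `openssl x509 -noout -issuer -subject -dates`."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return {
        "issuer": fields.get("issuer"),
        "subject": fields.get("subject"),
        "not_before": parse_openssl_date(fields["notBefore"]),
        "not_after": parse_openssl_date(fields["notAfter"]),
    }


def as_utc(value):
    """Accept an aware datetime or an ISO-8601 string such as '2024-02-05T12:00:00+00:00'."""
    if isinstance(value, datetime):
        return value.astimezone(timezone.utc)
    return datetime.fromisoformat(value).astimezone(timezone.utc)


def check_expiry(cert, now, warn_days=14):
    """Classify `cert` at time `now`.

    Returns (status, days_left); status is one of 'not-yet-valid', 'expired',
    'warning' or 'ok', and days_left is the whole number of days until notAfter
    (negative once the certificate has expired).
    """
    now = as_utc(now)
    days_left = int((cert["not_after"] - now).total_seconds() // 86400)
    if now < cert["not_before"]:
        # The clock-skew case: the certificate is fine, the local clock is behind.
        return "not-yet-valid", days_left
    if now >= cert["not_after"]:
        return "expired", days_left
    if days_left < warn_days:
        return "warning", days_left
    return "ok", days_left


def fetch_dates_output(host, port=443):
    """Run the openssl pipeline from the comment (assumed helper; needs network and the openssl CLI)."""
    s_client = subprocess.run(
        ["openssl", "s_client", "-servername", host, "-connect", f"{host}:{port}"],
        input=b"", capture_output=True, check=True)
    x509 = subprocess.run(
        ["openssl", "x509", "-noout", "-issuer", "-subject", "-dates"],
        input=s_client.stdout, capture_output=True, check=True)
    return x509.stdout.decode()


if __name__ == "__main__":
    cert = parse_dates_output(SAMPLE_OUTPUT)
    status, days = check_expiry(cert, "2024-02-05T12:00:00+00:00")
    print(f"{cert['subject']}: {status}, {days} days left")
```

    Run it from cron with `warn_days` set to a few weeks and a non-"ok" status routed to whatever alerting you read, and the expiry becomes a calendar item instead of an outage.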

    • (Score: 2) by chromas on Monday February 05, @10:55AM

      by chromas (34) Subscriber Badge on Monday February 05, @10:55AM (#1343093) Journal

      I hope things are either automated by then, or we have better admin coverage.

      I gave you a +1, Funny

  • (Score: 5, Informative) by quietus on Monday February 05, @10:38AM (36 children)

    by quietus (6328) on Monday February 05, @10:38AM (#1343088) Journal

    From the sub:

    We have requested NCommander and k0lie to assist. They have declined.

    This is not true. I contacted k0lie on Sunday morning, CET, somewhere around 10 o'clock. He was willing to help out, but he simply couldn't, as he was out with his family, and only had his smartphone with him.

    (Given all the flak he has received here, I wonder why he even bothers -- but he still does care, it seems.)

    • (Score: 3, Insightful) by sigterm on Monday February 05, @11:30AM (35 children)

      by sigterm (849) on Monday February 05, @11:30AM (#1343101)

      From the sub:

      We have requested NCommander and k0lie to assist. They have declined.

      This is not true. I contacted k0lie on Sunday morning, CET, somewhere around 10 o'clock. He was willing to help out, but he simply couldn't, as he was out with his family, and only had his smartphone with him.

      Even if it were true, this passive-aggressive attempt to publicly shame the previous admins exemplifies the complete lack of professionalism on the part of whoever is currently managing this site. (Not saying the previous bunch were any better.)

      My message to the admins is: I don't care who was asked, and whether or not they declined to assist. They're not in charge. Stop trying to pass the buck, and stop airing dirty laundry in public, unless the point is to make sure nobody sane is willing to volunteer for anything.

      • (Score: 5, Informative) by janrinok on Monday February 05, @11:44AM (34 children)

        by janrinok (52) Subscriber Badge on Monday February 05, @11:44AM (#1343102) Journal

        There is nothing at all shameful about someone declining to help, particularly if they are living their private lives as we all want to do. The line following that comment explained exactly that:

        We all have real jobs and lives to live too and this is just one of those things.

        Everybody on this site is a volunteer. We have always recognised that and it has been mentioned in recent comments by both myself and others that people are only expected to give as much of their time as they are happy to do, and there is no-one that will badger any volunteer into doing more than they are prepared to do.

        The comment was made because the first obvious question would have been 'Have you asked X' to help. Yes we had, and no they were unable to do so.

        The fact that k0lie does not have access to this specific area of the site was made clear sometime later and again was acknowledged in the comments and discussion.

        Like it or not, the current Board IS still responsible for this site, and 2 members of that 3-man Board have worked with some aspects of our infrastructure. They were asked if they were prepared to help, they said 'no'. That was all perfectly normal. You are reading far more into what was written than it actually said.

        • (Score: 3, Insightful) by sigterm on Monday February 05, @11:58AM (32 children)

          by sigterm (849) on Monday February 05, @11:58AM (#1343104)

          They were asked if they were prepared to help, they said 'no'. That was all perfectly normal. You are reading far more into what was written than it actually said.

          Perhaps I am.

          Now, imagine that one day, GMail stops working. On their site, Google writes "We asked $person to help. They declined."

          How would you interpret that?

          You really need to start differentiating between internal and external communications. To someone on the outside just reading the various meta posts, SoylentNews looks horribly mismanaged. That may not be (entirely) true, but perceptions do matter.

          I'm not at all surprised that you find it difficult to recruit volunteers. You couldn't pay me enough to participate in what seems to be a fundamentally broken process.

          • (Score: 3, Informative) by janrinok on Monday February 05, @12:30PM (1 child)

            by janrinok (52) Subscriber Badge on Monday February 05, @12:30PM (#1343106) Journal

            How would you interpret that?

            I would interpret that as they had said 'No'. No reason was given and therefore one cannot be assumed.

            You couldn't pay me enough to participate in what seems to be a fundamentally broken process.

            But in the absence of anyone volunteering to help manage the site we have no other options but to carry on trying to do it within ever decreasing numbers of staff.

            I simply want to be an editor. The other roles that I appear to now have are because the previous incumbent of that post has been unable to continue because of ill health, or because nobody else is stepping up to the plate. I will accept your criticism in the spirit in which (I think) it was intended but without additional support and resources I can do very little to change it. There may be a list of names on our "who's who" page - but they (for perfectly valid and understandable reasons) are not actually filling those roles on a regular basis.

            For me to step down from one of my roles would require someone else to join the team and take over.

            By all means have a vote of no confidence in me (my doctor would be overjoyed if you did, as would aristarchus!). I am a big boy and I can accept the results. Just make sure that you have others waiting to assume the roles that I vacate.

            • (Score: -1, Flamebait) by sigterm on Monday February 05, @12:51PM

              by sigterm (849) on Monday February 05, @12:51PM (#1343108)

              I would interpret that as they had said 'No'. No reason was given and therefore one cannot be assumed.

              Really. I guess you're a very special individual, then.

              Or alternatively you're so unwilling to accept any kind of criticism that you'd rather make patently absurd statements. Sorry for being so blunt.

              But in the absence of anyone volunteering to help manage the site we have no other options but to carry on trying to do it within ever decreasing numbers of staff.

              You do get to a point where things start spiraling, and then radical measures are needed to get the project back on track. That's how SoylentNews got started in the first place.

              Think about it: This is a site filled with technically-minded people. How on Earth can it be, then, that you're struggling to find volunteers? After all, you're trying to recruit from the same pool that's essentially the backbone of the Free Software movement.

              Finding people willing to donate some time and expertise should be a breeze. The fact that it's not should tell you something. And no, the lesson isn't that "it's the children who are wrong!"

              I myself volunteer on a lot of various projects locally. Would I be willing to spend a few hours every week helping to run a site? Sure, if I thought I could do any good and that my efforts wouldn't be wasted.

          • (Score: 1) by pTamok on Monday February 05, @12:30PM (2 children)

            by pTamok (3042) on Monday February 05, @12:30PM (#1343107)

            You couldn't pay me enough to participate in what seems to be a fundamentally broken process.

            You could be the change that makes things work and unbreak the process. How about it? No money, but compensated by plenty of criticism and hostility, and unsolicited advice. What's not to like?

            I think one needs to be a very good, competent, experienced 'people person' to get things going. I'm not one, despite (or maybe, because of) having managed a large technical team for many years BHP*. The technology is the easy bit.

            *Before Health Problems

            • (Score: 2) by sigterm on Monday February 05, @01:01PM (1 child)

              by sigterm (849) on Monday February 05, @01:01PM (#1343111)

              How about it? No money, but compensated by plenty of criticism and hostility, and unsolicited advice. What's not to like?

              This.

              I think one needs to be a very good, competent, experienced 'people person' to get things going.

              And you need to know how to properly manage a team. Turns out that having a single developer/admin working alone, setting his own schedule and priorities, doesn't ever work, regardless of his/her technical competence.

              Also, there's something called "succession planning." And "risk management." And lots of other stuff that SoylentNews would have benefited greatly from implementing.

              I'm a bit tired of the "but we're all volunteers" excuse being constantly put forward. Yes, you're volunteers, meaning you willingly took on the responsibility to do a thing, without compensation. Which means you're now expected to do the thing, because if you don't, you've broken your word and you shouldn't have signed up in the first place.

              Of course, there may be too few volunteers signed up to do the thing, in which case the person recruiting the volunteers didn't do a good enough job. And if the recruiter is also a volunteer, see the previous paragraph.

              • (Score: 4, Insightful) by pTamok on Monday February 05, @01:18PM

                by pTamok (3042) on Monday February 05, @01:18PM (#1343114)

                Sometimes volunteers sign up in good faith, and only later find they lack the necessary skills. And sometimes circumstances change, so they are no longer able to carry out the role.

                I volunteer for a different organisation, and things have changed since I started, so I would happily hand over to someone else, but for various reasons, there are no volunteers. So I carry on, doing a less than perfect job, on the basis that doing something is better than nothing. One of the key people is likely to leave soon, and if they go, I go. Which means an organisation that provides a well-liked and well-used service will cease to operate.

                The parallels with Soylentnews are obvious, and while I would like both Soylentnews and the other organisation that I volunteer for to continue, I cannot make it so.

                Managing an organisation staffed by volunteers is very different to one staffed by employees. I certainly do not have the skills to recruit and manage volunteers.

          • (Score: 4, Insightful) by bzipitidoo on Monday February 05, @01:04PM (18 children)

            by bzipitidoo (4388) on Monday February 05, @01:04PM (#1343112) Journal

            What is your experience with such matters? Have you run a website yourself?

            Yes, the cert expiration is embarrassing. But who should be embarrassed? SN? Maybe Firefox? I have long argued that the cert system is badly designed and implemented. It's ridiculous that at an arbitrary time, a cert should instantly go from working perfectly to considered possibly compromised and completely broken. What are the odds that the cert really has been compromised? Very low. Practically none, unless the system itself compromises them by, for instance, publishing the private keys. It's similar to password expiration every 90 days, forcing all the users to contrive new passwords. Firefox could mitigate this by dialing down the fear and continuing to work with an expired cert. So it has expired by 1 or 2 days, so what? Just how long an expired cert should be worked with is another question. A month, maybe? Maybe a whole year? If we're going to use time at all to crash certs, we ought to be far more generous with the time spans.

            A couple months ago, I experienced Firefox throwing a hissy fit about an invalid cert on their own website, mozilla.org! The cert did not become valid until 3 days in the future! How stupid is that? The problem was that my computer's clock was wrong. It was 3 days slow. And Firefox never questioned that, but ran with it. A wait of 15 minutes or so, for the OS to update the system time with NTP, and the problem went away. Mozilla was a little too on the ball there, rolling out a shiny new cert the day it became valid. Why did their cert even have a start time, why couldn't it be considered good even if your computer thinks it's the Stone Age?

            • (Score: 2) by RS3 on Monday February 05, @03:36PM (4 children)

              by RS3 (6367) on Monday February 05, @03:36PM (#1343136)

              I share your good points and questions. I asked the web. Got an answer but I'm too frustrated to elaborate:

              https://letsencrypt.org/2015/11/09/why-90-days.html [letsencrypt.org]

              • (Score: 3, Insightful) by bzipitidoo on Monday February 05, @04:44PM (3 children)

                by bzipitidoo (4388) on Monday February 05, @04:44PM (#1343152) Journal

                I don't agree with Let's Encrypt's arguments. Encourage automation? Really? I once had a router with automatic refreshing of a free dyndns account. Then, dyndns changed their policies, thus rendering the router's ability useless. So much for automation. I changed to no-ip, and that worked for a short while. Made a script to automate that. Then my ISP started routing incoming HTTP and HTTPS traffic to null, as far as I could tell. Didn't matter whether I was using dyndns or no-ip, my web site was made invisible to the outside world. (And of course, that made my new script useless.) And, it may be that's a good thing. In another year, the damned MAFIAA became more aggressive about accusing ISP customers of piracy, and I received a few accusations, some of which were clearly erroneous. With that going on, the last thing I needed was to have my website visible, giving the MAFIAA the goods on just who I am, ruining my ISP's efforts to stonewall the MAFIAA by refusing to tell them who is connected to a particular IP address at whatever particular moment.

                So that's 3 changes over the space of perhaps a decade. Also in this time period was the big move away from HTTP to HTTPS. And there are still other new RFCs with yet more changes to the ecosystem, stuff to do with validating websites to prevent spoofing, that sort of thing. The parts of the ecosystem in commercial hands I regard as unreliable. Do you recall the proposal a private equity group made to buy .org? They were too obviously looking to gouge the community. They wouldn't say what their plans were, probably because they realized that if we knew, we would reject their offer posthaste.

                • (Score: 2) by RS3 on Monday February 05, @05:14PM (2 children)

                  by RS3 (6367) on Monday February 05, @05:14PM (#1343161)

                  Great points, and not even what I was thinking and frustrated about.

                  Generally I hate the "one size fits all" concept. Coupled with the concept that because someone abuses something, we all have to suffer. I realize some things are difficult to deal with without sweeping generalized rules (like speed limits for driving).

                  For example, because someone somehow, I don't know how, keeps a private key exposed (incorrect file permission / ownership / directory), everyone has to be forced to renew every 90 days?

                  I poked through some of the public key certs on this very computer and some are good until 2036. That's 84 in dog years! :)

                  As to automation, I've had this (stupid) argument on greensite: automation is effing great until something goes wrong, and the fix takes far far far more time and effort to do than just the simple task of doing it manually. Not to mention the downtime.

                  Then, as I mentioned above, I'd rather do the task when I know I have time and can commit attention to fixing the problem if the update crashes. How many of us have experienced an OS (any) update crashing a computer. Or preventing it from even booting? I certainly have, with all common OSes, and I'd rather do it while watching what's happening. Sure, logs are great, if necessary things get logged. But my experience with too many log files: tons and tons of unneeded stuff to wade through, but you never find the details of what went wrong. Sometimes the thing crashes so hard and fast it never gets to write out the log.

                  Anyway, a lot of years of experience has taught me to write scripts to do the grunt work, and run the scripts while there watching the thing.

                  Yes, I do allow some things to run cron, like daily backups, status reports, and a list of others.

                  Oh, and then we have lovely MS Windows. How many times I've watched someone trying to use a Windows computer to do something live, like PowerPoint, or just play a video, or run live streaming, and of course Windows HAS to update in the middle. And as most of us know and have experienced, it's not some little patch, it's tens of minutes of churning and churning and rebooting. I remember when Win7 came out- how many times it would have to reboot during the many updates. Ugh.

                  • (Score: 1) by khallow on Monday February 05, @05:50PM

                    by khallow (3766) Subscriber Badge on Monday February 05, @05:50PM (#1343172) Journal

                    Not seeing the problem myself - I autobill you for stuff that didn't happen, and you autopay me. Hurray for automation!

                  • (Score: 3, Insightful) by owl on Tuesday February 06, @02:10PM

                    by owl (15206) on Tuesday February 06, @02:10PM (#1343328)

                    For example, because someone somehow, I don't know how, keeps a private key exposed (incorrect file permission / ownership / directory), everyone has to be forced to renew every 90 days?

                    That's Letsencrypt's publicly offered excuse, and while a somewhat valid reason, I have always suspected it was not the real "back room" reason.

                    I've always suspected the real reason for 90 days is that SSL certs used to be big, very high profit margin, business (i.e., they used to cost upwards of several hundred dollars to obtain from a registrar, and all the registrar did was let their 'automation' sign your request). Along comes letsencrypt, wanting to offer 'free' certs. Well, the existing players would see this as "lost profits". So I'd bet the existing SSL mafia made them an offer they could not refuse: "ok, we will give you a 'cert issuing cert', but only on the condition that your certs expire quickly so we can keep our gravy train running selling certs that last for years."

                    As to automation, I've had this (stupid) argument on greensite: automation is effing great until something goes wrong, and the fix takes far far far more time and effort to do than just the simple task of doing it manually.

                    Yes, but this is usually not the reason to automate. The reason to automate repetitive tasks is that we pesky humans are terrible at remembering that "every month, on the 8th day of the month, I've got to go do this little manual task that takes 47 seconds to complete, in order to keep the site running".

                    If you compare the number of times the pesky human will forget the task on the 8th, and add up the downtime because they forgot the repetitive task, and compare to the downtime from the few instances where the automation breaks and has to be repaired, you'll likely find the sum total is much much larger when the pesky human is trying to remember to do "monthly task X" vs. when "monthly task X" is automated, but every 4.5 years, the automation breaks and needs some oil and a few bolts tightened.

            • (Score: 1, Insightful) by Anonymous Coward on Monday February 05, @10:43PM

              by Anonymous Coward on Monday February 05, @10:43PM (#1343229)

              What are the odds that the cert really has been compromised? Very low. Practically none, unless the system itself compromises them by, for instance, publishing the private keys.

              Key validity dates cause a lot of problems and do not serve a useful security purpose in my opinion. Let's Encrypt describes just two advantages [letsencrypt.org] to short key expiration, only one of which has anything at all to do with security:

              They limit damage from key compromise and mis-issuance. Stolen keys and mis-issued certificates are valid for a shorter period of time.

              I think this argument is specious.

              • In either scenario, 90 days is more than enough time to do a significant amount of bad things. Waiting for certificate expiration is a very weak defense.
              • It is not normal to generate new private keys when renewing a certificate. In typical usage, an expiration does not actually achieve anything in the case of stolen keys, because someone has to actually notice the key compromise before renewing the certificate for more time. If they notice, then the appropriate course of action is to revoke the certificate, not wait for its expiration (although X.509's revocation system does have a lot of problems).
              • If an attacker was able to get a certificate mis-issued to them (without compromising the private keys), it is silly to believe that they can't just do the same thing again 90 days later. For example, Let's Encrypt will issue a certificate to literally anyone who can MITM the connection between Let's Encrypt and a target web server, or if they can forge DNS results for Let's Encrypt. If you can do either of these once, you can probably do it again.
            • (Score: 2) by Reziac on Tuesday February 06, @02:27AM (11 children)

              by Reziac (2489) on Tuesday February 06, @02:27AM (#1343253) Homepage

              In SeaMonkey I got an OMG message I'd never seen before (sorry I didn't save it). Usually (not always) I can choose to permanently bypass a failed cert, and life goes on as before. But this fail did not give me the option, and instead spit up some long technical complaint. Maybe a function of how the cert is issued? I have no idea.

              --
              And there is no Alkibiades to come back and save us from ourselves.
              • (Score: 2) by drussell on Tuesday February 06, @02:59AM (10 children)

                by drussell (2678) on Tuesday February 06, @02:59AM (#1343258) Journal

                SeaMonkey 2.53.18.1 worked fine for me here yesterday on Windows 7.

                • (Score: 2) by drussell on Tuesday February 06, @03:01AM

                  by drussell (2678) on Tuesday February 06, @03:01AM (#1343260) Journal

                  (Clicking through the warnings added an exception in Certificate Manager, which I manually deleted this morning once the new certificate was live.)

                • (Score: 2) by Reziac on Tuesday February 06, @03:11AM (8 children)

                  by Reziac (2489) on Tuesday February 06, @03:11AM (#1343261) Homepage

                  SM 2.49.4 on XP64 (I'll see your retro, and raise you...) and it was only with SN during the Great Cert Fail, nowhere else.

                  However, I made the reasonable assumption someone would fix it and notice would go out, and here we are!

                  --
                  And there is no Alkibiades to come back and save us from ourselves.
                  • (Score: 2) by drussell on Tuesday February 06, @04:05AM (3 children)

                    by drussell (2678) on Tuesday February 06, @04:05AM (#1343266) Journal

                    I still have several laptops that I use on a regular basis that run Windows 2000...

                    Like, my main two VirtualDJ laptops still run 2000, for instance.

                    • (Score: 2) by Reziac on Tuesday February 06, @04:31AM (2 children)

                      by Reziac (2489) on Tuesday February 06, @04:31AM (#1343269) Homepage

                      LOL, you win on Windows. But right next to me is my DOS gaming PC...

                      --
                      And there is no Alkibiades to come back and save us from ourselves.
                      • (Score: 2) by drussell on Tuesday February 06, @04:54AM (1 child)

                        by drussell (2678) on Tuesday February 06, @04:54AM (#1343274) Journal

                        TI-99/4a with the homebrew Munch Man II ROM cartridge in it. ;)

                        • (Score: 2) by Reziac on Tuesday February 06, @05:15AM

                          by Reziac (2489) on Tuesday February 06, @05:15AM (#1343277) Homepage

                          Oy! you are positively prehistoric!

                          But I use the DOS machine every day...

                          [Come to mention it, why do I run the irreplaceable DOS app in a VM instead on the damn DOS machine??]

                          --
                          And there is no Alkibiades to come back and save us from ourselves.
                  • (Score: 3, Interesting) by drussell on Tuesday February 06, @04:28AM (3 children)

                    by drussell (2678) on Tuesday February 06, @04:28AM (#1343268) Journal

                    SeaMonkey 2.9.1 (ca ~2012) on my "main" ASUS Z70v (I have three of them) is way too old to even communicate with "modern" HTTPS cyphers, it just says:

                    Page Load Error
                    Secure Connection Failed

                    An error occurred during a connection to soylentnews.org.
                    Cannot communicate securely with peer: no common encryption algorithm(s).

                    (Error code: ssl_error_no_cypher_overlap)

                    The page you are trying to view can not be shown because the authenticity of the received data could not be verified.
                    Please contact the website owners to inform them of this problem.

                    Firefox 12.0 on there says basically the same message, but adds "Alternatively, use the command found in the help menu to report this broken site."

                    It's kind of annoying that it doesn't work, it is in the history and "awesome bar" in FireFox that I have (and I KNOW I did, many, MANY times on that machine) accessed https://soylentnews.org [soylentnews.org] and trying http:// just indiscriminately redirects to https://

                    Can we please go back to allowing some old, "insecure" https, and/or at least plain HTTP, for goodness sake?!!

                    I'd really like SN to be fully old school capable!! ...

                    • (Score: 2) by Reziac on Tuesday February 06, @04:42AM (2 children)

                      by Reziac (2489) on Tuesday February 06, @04:42AM (#1343271) Homepage

                      Hah, it hasn't been that many years since I was forced to give up using Netscape 3 (the performance difference is awesome) ... and https was the primary reason. (I still have it installed for FTP sites, because it's so much more efficient.)

                      The error I got had a whole bunch of debug-style gobbledygook. Not the normal complaint at all!

                      --
                      And there is no Alkibiades to come back and save us from ourselves.
                      • (Score: 3, Interesting) by drussell on Tuesday February 06, @05:18AM (1 child)

                        by drussell (2678) on Tuesday February 06, @05:18AM (#1343278) Journal

                        Hah, it hasn't been that many years since I was forced to give up using Netscape 3 (the performance difference is awesome)

                        Yeah, the old stuff is so much less bloated. Especially on something like 2K on a Pentium M with 1GB of RAM and paging disabled. I used 2K as my main laptop Windows OS (also dual boot to FreeBSD, but some interoperability was just easier with Windows out in the field for servicing things,) basically until the encryption broke and "support" by websites for older browsers (which is not supposed to be a thing!) broke, then I was forced to always either boot to BSD or use a newer Windows and the Z70v really only supports up to XP, so I had to start carrying around a newer laptop. This was up to only a few years ago now. The modern stuff just sucks! Those Z70v laptops have really nice LCD panels in them too, for the time. They're 1680x1050, good wide-angle viewing, on a discrete ATI graphics chip with 64MB, with just enough processor oomph to decode my local HD MythTV streams in software (I don't think the X600 ever got hardware decoding support on FreeBSD, at least I never managed to get it to work, but it could JUST do it in software on the CPU, at least on the fastest couple Pentium Ms I have.) Puts the stupid "regular" 1366x768 on so many more "modern" machines to shame...

                        I still have it installed for FTP sites, because it's so much more efficient.

                        Most of the latest browsers don't even support ftp:// anymore, which is SUPER annoying!!

                        The error I got had a whole bunch of debug-style gobbledygook. Not the normal complaint at all!

                        Weird. Well, just 89 days to wait and we can probably experiment again. Set your AlarmPhone. ;)

                        • (Score: 2) by Reziac on Tuesday February 06, @07:17AM

                          by Reziac (2489) on Tuesday February 06, @07:17AM (#1343286) Homepage

                          Wasn't even the bloat. NS4 was fundamentally rewritten, and they did something wrong from the ground up. Timed it once and it was ~4x slower than NS3, despite being only a little larger and not really any more functional. I gathered from an exchange with JWZ that the source code for NS3 has been lost.

                          I remember first time I hit some browser that didn't do FTP, and I was like... da fuck?? how is this not a fundamental function??

                          That was a nice laptop! Especially for the era.

                          Yeah, it's getting to where even if you're not gaming, you have to plan upgrades around browser bloat and website bloat, because nothing else wastes such an ungodly amount of resources (have seen Chrome gobble up 40GB), and anymore too many sites insist on a newish browser. This here i7-4xxx with 64GB RAM is plenty slick for anything else I do, but is starting to show its age with what browsers suck out of it.

                          --
                          And there is no Alkibiades to come back and save us from ourselves.
          • (Score: 2) by hendrikboom on Monday February 05, @07:09PM (7 children)

            by hendrikboom (1125) Subscriber Badge on Monday February 05, @07:09PM (#1343187) Homepage Journal

            Gmail has stopped working, at least partially, for me.
            I am unable to send any email from my home server to anyone on gmail.
            It worked last December before Christmas. It has not worked at all in January.
            The messages get refused.
            The only way I can get an email to someone on gmail is to log myself into gmail and send it from there.
            But I'm not eager to entrust one of the most notorious eavesdroppers on the planet with my email.

            • (Score: 2) by drussell on Monday February 05, @07:20PM (5 children)

              by drussell (2678) on Monday February 05, @07:20PM (#1343191) Journal

              What is the actual text of the error refusing the mail?

              Does the IP address at least have reverse DNS pointing to anything, (even if it's not your domain?)

              • (Score: 2) by hendrikboom on Tuesday February 06, @09:14PM

                by hendrikboom (1125) Subscriber Badge on Tuesday February 06, @09:14PM (#1343374) Homepage Journal

                I'm not at the server at the moment, but I will reply when I am.
                Last I looked, reverse DNS still worked, I will of course look again.
                The domain name in question is topoi.pooq.com.
                The website there is http:, not https:.
                It is extremely rudimentary,
                since it hasn't really been restored yet since my server crash in December.
                Since the site is currently running off a stopgap machine -- a 15-year-old netbook --
                it is slow.

                -- hendrik

              • (Score: 2) by hendrikboom on Wednesday February 07, @02:02AM (3 children)

                by hendrikboom (1125) Subscriber Badge on Wednesday February 07, @02:02AM (#1343435) Homepage Journal

                It seems it's not just gmail. This is a nondelivery report from an automatic message lent to Devuan's popcon service, which as far as I know is unrelated to Google. I get messages like this about three days after sending the message.

                Date: Fri, 2 Feb 2024 15:32:05 -0500 (EST)
                From: Mail Delivery System
                To: root@topoi.pooq.com
                Subject: Undelivered Mail Returned to Sender

                [-- Attachment #1: Notification --]
                [-- Type: text/plain, Encoding: 7bit, Size: 0.5K --]

                This is the mail system at host april.topoi.pooq.com.

                I'm sorry to have to inform you that your message could not be delivered to one or more recipients. It's attached below.

                For further assistance, please send mail to postmaster.

                If you do so, please include this problem report. You can
                delete your own text from the attached returned message.

                                                      The mail system
                : Host or domain name not found. Name service error
                        for name=popcon.devuan.org type=MX: Host not found, try again

                [-- Attachment #2: Delivery report --]
                [-- Type: message/delivery-status, Encoding: 7bit, Size: 0.4K --]

                Reporting-MTA: dns; april.topoi.pooq.com
                X-Postfix-Queue-ID: A51DE265
                X-Postfix-Sender: rfc822; root@topoi.pooq.com
                Arrival-Date: Sun, 28 Jan 2024 15:14:35 -0500 (EST)

                Final-Recipient: rfc822; survey@popcon.devuan.org
                Original-Recipient: rfc822;survey@popcon.devuan.org
                Action: failed
                Status: 4.4.3
                Diagnostic-Code: X-Postfix; Host or domain name not found. Name service error
                        for name=popcon.devuan.org type=MX: Host not found, try again

                [-- Attachment #3: Undelivered Message --]
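The bounce above is a standard message/delivery-status report (RFC 3464), and the useful bits are the Status code and the Diagnostic-Code. Here is an added example, not code from the thread or from Postfix, that parses such a report and classifies the failure; the sample input is constructed from the report quoted above, and the remediation text in explain() is my own reading of the RFC 3463 class digit and of Postfix's "try again" wording (a temporary name-service failure on the sending host, which Postfix keeps retrying until maximal_queue_lifetime, 5 days by default, before bouncing).

```python
"""Parse a Postfix non-delivery report (message/delivery-status, RFC 3464)
and classify the failure.  Added example; the sample below is constructed
from the report quoted in the thread, not captured live."""
import re
from email import message_from_string

SAMPLE_DSN = """\
Reporting-MTA: dns; april.topoi.pooq.com
X-Postfix-Queue-ID: A51DE265
X-Postfix-Sender: rfc822; root@topoi.pooq.com
Arrival-Date: Sun, 28 Jan 2024 15:14:35 -0500 (EST)

Final-Recipient: rfc822; survey@popcon.devuan.org
Original-Recipient: rfc822;survey@popcon.devuan.org
Action: failed
Status: 4.4.3
Diagnostic-Code: X-Postfix; Host or domain name not found. Name service error
        for name=popcon.devuan.org type=MX: Host not found, try again
"""

# RFC 3463 class digit: 2 = success, 4 = persistent transient, 5 = permanent.
STATUS_CLASSES = {"2": "success", "4": "transient", "5": "permanent"}


def _unfold(value):
    """Collapse folded header continuation lines into a single line."""
    return " ".join(value.split())


def _after_type(value):
    """'rfc822; user@host' or 'dns; host' -> 'user@host' / 'host'."""
    return value.split(";", 1)[1].strip()


def classify_status(status):
    """Map an enhanced status code such as '4.4.3' to its RFC 3463 class."""
    return STATUS_CLASSES.get(status.split(".")[0], "unknown")


def parse_dsn(text):
    """Split the report into its per-message block and per-recipient blocks.

    Each block is a header-style group, so the stdlib email parser can read
    it (it also unfolds the continuation line of Diagnostic-Code for us).
    """
    blocks = [b for b in re.split(r"\n[ \t]*\n", text.strip()) if b.strip()]
    per_message = message_from_string(blocks[0] + "\n")
    report = {
        "reporting_mta": _after_type(per_message["Reporting-MTA"]),
        "recipients": [],
    }
    for block in blocks[1:]:
        fields = message_from_string(block + "\n")
        diag = _unfold(fields.get("Diagnostic-Code", ""))
        status = fields["Status"].strip()
        # Postfix names the failed DNS query as "name=<host> type=<rrtype>".
        lookup = re.search(r"name=(\S+) type=(\w+)", diag)
        report["recipients"].append({
            "recipient": _after_type(fields["Final-Recipient"]),
            "action": fields["Action"].strip(),
            "status": status,
            "severity": classify_status(status),
            "diagnostic": diag,
            "lookup": (lookup.group(1), lookup.group(2)) if lookup else None,
        })
    return report


def explain(report, recipient):
    """One-line reading of a per-recipient entry for the operator."""
    if recipient["severity"] == "transient" and "Name service error" in recipient["diagnostic"]:
        name, rrtype = recipient["lookup"] or ("?", "?")
        return (f"resolver on {report['reporting_mta']} could not answer the {rrtype} "
                f"query for {name}; Postfix retried until maximal_queue_lifetime "
                f"(default 5d) expired. Check DNS resolution on the sending host.")
    if recipient["severity"] == "permanent":
        return "the remote side rejected the message; see the diagnostic text"
    return f"{recipient['severity']} failure: {recipient['diagnostic']}"


if __name__ == "__main__":
    rpt = parse_dsn(SAMPLE_DSN)
    for rcpt in rpt["recipients"]:
        print(rcpt["recipient"], rcpt["status"], rcpt["severity"])
        print("  ", explain(rpt, rcpt))
```

The point of the severity split is that a 4.x.x status means the sending MTA gave up after retrying, so the thing to inspect is the sending host's own resolver, whereas a 5.x.x status carries the receiving server's stated reason and the fix is on whatever that reason names.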

                • (Score: 2) by drussell on Wednesday February 07, @09:53AM (2 children)

                  by drussell (2678) on Wednesday February 07, @09:53AM (#1343490) Journal

                  Yeah, you don't even have any MX records in your DNS responses...

                  You need to fix that first, before pretty much anyone's servers will ever exchange mail with you.

                  What's with the pooq.com domain returning nothing? Only the subdomain topoi even has an A record (although, surprisingly, your reverse DNS on the IP does point to april's IP address.)

                  • (Score: 2) by drussell on Wednesday February 07, @10:06AM (1 child)

                    by drussell (2678) on Wednesday February 07, @10:06AM (#1343495) Journal

                    What's with the pooq.com domain returning nothing? Only the subdomain topoi even has an A record (although, surprisingly, your reverse DNS on the IP does point to april's IP address.)

                    Oops, I accidentally hit submit instead of preview... Doh!

                    What's with the pooq.com domain returning nothing? Only the subdomain topoi even has an A record. It's not clear to me why you're even using the subdomain when pooq.com itself points to absolutely nothing. What's your intention there with doing that?

                    Surprisingly, you do have reverse DNS on april's IP address, but it points to the subdomain topoi.pooq.com instead of the machine april.topoi.pooq.com that is actually using the address.

                    • (Score: 2) by hendrikboom on Thursday February 08, @08:22PM

                      by hendrikboom (1125) Subscriber Badge on Thursday February 08, @08:22PM (#1343657) Homepage Journal

                      Thanks. I will investigate. These things *used* to be there.
                      And pooq.com used to have some other subdomains that have been shut down.

                      -- hendrik

            • (Score: 2) by Reziac on Tuesday February 06, @02:32AM

              by Reziac (2489) on Tuesday February 06, @02:32AM (#1343254) Homepage

              GMail's POP3 officially quit a long time ago, but it worked for me for a couple months after the deadline. So if I want to use the nasty thing, I have to log into the site, and they've lately nuked plain HTML interface so now we all have to put up with the "workspace" that takes forever to load (I expect the real reason was so they could forcefeed ads). Really, the only reason I keep it is to log into other Google properties (keep all the snooping circle-jerked).

              --
              And there is no Alkibiades to come back and save us from ourselves.
        • (Score: 2, Insightful) by khallow on Monday February 05, @05:47PM

          by khallow (3766) Subscriber Badge on Monday February 05, @05:47PM (#1343171) Journal

          Like it or not, the current Board IS still responsible for this site, and 2 members of that 3-man Board have worked with some aspects of our infrastructure. They were asked if they were prepared to help, they said 'no'. That was all perfectly normal. You are reading far more into what was written than it actually said.

          I have to agree with sigterm. It's very easy to read that connotation into what was written in the story. Newspapers have to deal with this all the time. For a hypothetical example, don't put a photo of the spelling bee winner next to a story about a child porn ring getting busted. The audience won't always make the faulty connection, but they will often enough that it'll cause problems.

  • (Score: 2) by Opportunist on Monday February 05, @01:35PM (7 children)

    by Opportunist (5545) on Monday February 05, @01:35PM (#1343119)

    How?

    I mean, seriously, how? I use Letsencrypt as well. And yeah, I've ignored expiration mails as well, but then again, the site I'm currently responsible for has like, what, 2 users (can the jokes about "how is this different from here?" please, ok?) and I have a geofencing system in place that pretty much disables the ability to autorenew the cert when it's time.

    You, very obviously, don't. So why isn't that on autorenew? A script that fires off an acme request [letsencrypt.org] that then pushes the cert into the correct place and restarts the proxies (if used) should do.

    That worked for me, at least 'til I had to install the geofencing.

    • (Score: 2) by ElizabethGreene on Monday February 05, @02:56PM (4 children)

      by ElizabethGreene (6748) Subscriber Badge on Monday February 05, @02:56PM (#1343127) Journal

      I assume the automation broke or was a TODO:. The site is run by a tiny number of volunteers that have lives and day jobs. That it works at all is super impressive.

      • (Score: 2) by RS3 on Monday February 05, @03:58PM (3 children)

        by RS3 (6367) on Monday February 05, @03:58PM (#1343144)

        I'm only stating the obvious so that we're all clear: by this very and entire discussion it becomes obvious what the problems are.

        I'll break from the general negativity and insults here and say this site has been and is established and run by some amazing people. Like me, they all have strong opinions on how things should be run- both from a managerial / political / structural standpoint, as well as technical specifics.

        Specifically on the cert and automatic renewal situation, this is from my own experience with some sites I admin: there are many ways to get the certs. Better written, there are many different software packages you can use. Recently I went through a moderately thorough evaluation process.

        Some are very complex and have a lot of dependencies, including some things I strongly prefer to not have. They're better suited to huge installations of thousands of centrally-managed server instances.

        There are some mid-level ones that are simpler, but require a poop-ton of config file editing, forcing you to tediously choose things that are irrelevant to a small hosting situation.

        And the reason I know that last statement is true: I found one: 'getssl', that is super simple, needs only a few config settings, and you get your certs. Yay!

        It can do the initial fetch, update, revoke, and a few other functions, all from one command-line command. More or less obviously: can be run by cron every 89 days, for example.
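On the scheduling side, Let's Encrypt certificates are valid for 90 days and the CA's own guidance is to attempt renewal once fewer than 30 days remain and to run the check frequently, so that one failed attempt (a CA outage, a broken challenge, a paused host) still leaves days of retries before the certificate expires. Here is an added example, not code from getssl, dehydrated or the site, of the decision logic a daily cron entry can wrap around whichever ACME client is in use. It assumes the expiry date is read with `openssl x509 -noout -enddate` and that the renewal itself is delegated to a hypothetical placeholder command, RENEW_COMMAND.

```python
"""Threshold-based renewal check for a daily cron job.  Added example, not
code from any ACME client; RENEW_COMMAND below is a hypothetical placeholder."""
import subprocess
import sys
from datetime import datetime, timedelta, timezone

RENEW_THRESHOLD_DAYS = 30            # Let's Encrypt recommendation for 90-day certs
RENEW_COMMAND = ["/usr/local/bin/acme-renew.sh"]   # placeholder, not a real script


def parse_not_after(line):
    """Parse 'notAfter=May  5 08:30:00 2024 GMT' as printed by
    `openssl x509 -noout -enddate` into an aware UTC datetime."""
    value = line.split("=", 1)[1].strip()
    return datetime.strptime(value, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def at(iso_utc):
    """Build an aware UTC datetime from 'YYYY-MM-DDTHH:MM:SS' (for dry runs)."""
    return datetime.fromisoformat(iso_utc).replace(tzinfo=timezone.utc)


def days_remaining(not_after, now):
    """Fractional days until expiry; negative once the certificate has expired."""
    return (not_after - now) / timedelta(days=1)


def should_renew(not_after, now, threshold_days=RENEW_THRESHOLD_DAYS):
    return days_remaining(not_after, now) < threshold_days


def renewal_plan(not_after, now, threshold_days=RENEW_THRESHOLD_DAYS):
    """Return (renew, reason) so the cron job logs why it did or did not act."""
    left = days_remaining(not_after, now)
    if left < 0:
        return True, f"expired {-left:.1f} days ago"
    if left < threshold_days:
        return True, f"{left:.1f} days left, below the {threshold_days}-day margin"
    return False, f"{left:.1f} days left"


def read_not_after(cert_path):
    """Ask openssl for the certificate's expiry (not exercised offline)."""
    out = subprocess.run(
        ["openssl", "x509", "-noout", "-enddate", "-in", cert_path],
        check=True, capture_output=True, text=True,
    ).stdout
    return parse_not_after(out)


def main(argv):
    if len(argv) != 2:
        print(f"usage: {argv[0]} /path/to/cert.pem", file=sys.stderr)
        return 2
    renew, reason = renewal_plan(read_not_after(argv[1]), datetime.now(timezone.utc))
    print(("renewing: " if renew else "not renewing: ") + reason)
    if renew:
        # check=True makes a failed renewal a non-zero exit, so cron mails it
        # instead of the failure going unnoticed until the cert expires.
        subprocess.run(RENEW_COMMAND, check=True)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from a daily cron entry against the live certificate; when the check is above the threshold it costs one openssl call and does nothing, and because the threshold is evaluated every day rather than on an 89-day timer, a renewal that fails is retried the next day with the remaining margin intact.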

        • (Score: 3, Informative) by owl on Monday February 05, @04:53PM (2 children)

          by owl (15206) on Monday February 05, @04:53PM (#1343155)

          Some are very complex and have a lot of dependencies, including some things I strongly prefer to not have. They're better suited to huge installations of thousands of centrally-managed server instances.

          This one works well (for small sites, never tested for "huge" installs):

          dehydrated [dehydrated.io].

          It is a Bash script, and its dependencies are items that are part of the basic tool set that is already installed (i.e., sed, grep, mktemp, curl, etc.).

          I use it for the https certs I pull from letsencrypt, it 'just works' (once a little configuration is done).

          • (Score: 2) by RS3 on Monday February 05, @05:21PM

            by RS3 (6367) on Monday February 05, @05:21PM (#1343164)

            Thanks, I'll try it. getssl is also a simple bash script. It worked so well compared to everything else I had tried, or just looked at, that I stopped there. dehydrated would have been next on my try list. I'll compare dehydrated and getssl.

          • (Score: 2) by RS3 on Monday February 05, @08:30PM

            by RS3 (6367) on Monday February 05, @08:30PM (#1343203)

            I looked at 'dehydrated' a bit. Looks great, thanks! Very similar to getssl. I'll try it next time I need to get / renew a cert. Thanks again!

    • (Score: 3, Informative) by kolie on Monday February 05, @06:32PM (1 child)

      by kolie (2622) on Monday February 05, @06:32PM (#1343176) Journal

      I solved a lot of this when I set up the site and infra to run from testable, repeatable, automated builds. The offer to convert over the existing site to run on said infra wasn't met with a lot of support ;)

      • (Score: 4, Interesting) by janrinok on Monday February 05, @06:55PM

        by janrinok (52) Subscriber Badge on Monday February 05, @06:55PM (#1343184) Journal

        Is that Docker container available anywhere in a repository? Is it available for use by others for testing software before submitting it? That would certainly be a useful tool to have around and I would be very interested in that. It might also encourage more people to poke the Perl a little bit.
