Tilde is kill?
SEC_ERROR_EXPIRED_CERTIFICATE
@Deimos did you forget that Let's Encrypt stopped emailing expiration reminders?
I didn't forget, but I did manage to set my own reminder for the wrong date.
Why no certbot cronjob?
Is there a way to do that without needing to store DNS credentials on the server? I'm probably being overly paranoid, but doing that worries me and I'd really prefer to keep them separated.
You don't need DNS credentials on the server. I'm guessing you're used to the DNS-01 challenge type. There are other challenge types available. Using HTTP-01 should work well for you. You can write a shell script with certbot's --manual flag to put the challenge token somewhere for your Python server to read. Or you could give certbot a web root and configure nginx to route there for the specific magic path.
Http challenge does the job just fine. Can be a little annoying if you want a wildcard.
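Added example of the HTTP-01 approach suggested above; this is not code from the thread or from the Tildes repository. It is a certbot manual auth/cleanup hook that drops the challenge token under a web root which nginx serves for the magic path, so the server never holds DNS credentials. The hook path /usr/local/bin/acme-hook.sh, the web root /var/www/acme and the nginx snippet are assumptions; the CERTBOT_* variables are the ones certbot exports to manual hooks.

```shell
#!/bin/sh
# Added example: certbot --manual-auth-hook / --manual-cleanup-hook for HTTP-01.
# certbot exports CERTBOT_TOKEN and CERTBOT_VALIDATION to the hook; the URL
# http://<domain>/.well-known/acme-challenge/<CERTBOT_TOKEN> must return
# CERTBOT_VALIDATION. No DNS credentials are involved anywhere.
#
# Assumed nginx snippet on the instance that fronts the site:
#   location ^~ /.well-known/acme-challenge/ { root /var/www/acme; default_type text/plain; }
#
# Assumed invocation (from cron or a systemd timer; "certbot renew" reuses the hooks):
#   certbot certonly --manual --preferred-challenges http \
#     --manual-auth-hook "/usr/local/bin/acme-hook.sh auth" \
#     --manual-cleanup-hook "/usr/local/bin/acme-hook.sh cleanup" \
#     -d tildes.net -d docs.tildes.net
set -eu

WEBROOT="${WEBROOT:-/var/www/acme}"   # assumed: the root nginx serves for the challenge path

# Write the challenge file under "$1" and print its path so a caller can check it.
write_challenge() {
    dir="$1/.well-known/acme-challenge"
    # Tokens are URL-safe base64; refuse anything that could leave the directory.
    case "$CERTBOT_TOKEN" in
        ""|*/*|*..*) echo "acme-hook: refusing token '$CERTBOT_TOKEN'" >&2; return 1 ;;
    esac
    mkdir -p "$dir"
    printf '%s' "$CERTBOT_VALIDATION" > "$dir/$CERTBOT_TOKEN"
    chmod 0644 "$dir/$CERTBOT_TOKEN"
    printf '%s\n' "$dir/$CERTBOT_TOKEN"
}

# Remove the challenge file once the CA has validated it.
remove_challenge() {
    rm -f "$1/.well-known/acme-challenge/$CERTBOT_TOKEN"
}

# When certbot invokes the script the CERTBOT_* variables are set; dispatch on the stage.
if [ -n "${CERTBOT_TOKEN:-}" ]; then
    case "${1:-auth}" in
        auth)    write_challenge "$WEBROOT" >/dev/null ;;
        cleanup) remove_challenge "$WEBROOT" ;;
        *)       echo "usage: $0 auth|cleanup" >&2; exit 2 ;;
    esac
fi
```

The token check matters because the hook runs as whatever user certbot runs as: a token containing "/" or ".." would otherwise let a malformed value write outside the challenge directory. The cleanup hook keeps the web root from accumulating stale tokens across renewals.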
Yes! Assuming the gitlab code is up to date it would be easy enough to stick certbot with http-01 behind the nginx instance and run on a timer. I'd be happy to take this on if it was wanted.
You’ll need to change the requested domains. Currently tildes’ certificate has a couple of wildcard domains. You’ll want to figure out the full list of subdomains we use and list them in the request to LE.
Thanks for the hint. I had a 30 second glance at the ansible playbooks before bed. I'll have a real look on the weekend.
EDIT: https://gitlab.com/tildes/tildes/-/issues/833
Don’t forget tild.es and its subdomains
AWS Route53 allows for an IAM policy that matches the name the user is allowed to write using a conditional policy. I set it to _acme-challenge.* + type TXT. Policy document
What I do with DNS challenge is run cert renewal scripts via cron on a different machine, and then rsync the certs over to the webservers
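Added example of the two DNS-01 pieces described in the comments above (the Route53 policy scoped to _acme-challenge.* TXT records, and renewing on a separate machine and rsyncing the certs over); it is not code from either commenter. The condition keys route53:ChangeResourceRecordSetsNormalizedRecordNames and route53:ChangeResourceRecordSetsRecordTypes are real Route 53 keys; the zone id, host names, paths and the deploy user are assumed placeholders.

```shell
#!/bin/sh
# Added example: DNS-01 renewal on a dedicated cert host with a scoped IAM policy,
# then pushing the certificates to the web servers from a certbot deploy hook.
#
# Assumed setup on the cert host (the only machine holding AWS credentials):
#   acme_policy Z0EXAMPLE > acme-route53.json
#   aws iam create-policy --policy-name acme-route53 --policy-document file://acme-route53.json
#   (attach the policy to the IAM user whose keys live only on this host)
#   17 3 * * *  certbot renew --dns-route53 --deploy-hook /usr/local/bin/push-certs.sh   # crontab
set -eu

WEB_HOSTS="${WEB_HOSTS:-web1.example.org web2.example.org}"   # assumed web servers
DEPLOY_USER="${DEPLOY_USER:-deploy}"                           # assumed unprivileged account

# Print an IAM policy that only lets the user create/delete TXT records named
# _acme-challenge.* in hosted zone "$1", plus the read calls certbot-dns-route53 needs.
acme_policy() {
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["route53:ListHostedZones", "route53:GetChange"],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "route53:ChangeResourceRecordSets",
      "Resource": "arn:aws:route53:::hostedzone/$1",
      "Condition": {
        "ForAllValues:StringLike": {
          "route53:ChangeResourceRecordSetsNormalizedRecordNames": ["_acme-challenge.*"]
        },
        "ForAllValues:StringEquals": {
          "route53:ChangeResourceRecordSetsRecordTypes": ["TXT"]
        }
      }
    }
  ]
}
EOF
}

# Deploy hook: certbot sets RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/tildes.net).
# Copy only the two files nginx needs (-L follows the live/ symlinks), keep the
# key 0600 on the far side, then reload nginx there.
push_certs() {
    lineage="$1"
    for host in $WEB_HOSTS; do
        rsync -Lp --chmod=F0600 "$lineage/privkey.pem" "$lineage/fullchain.pem" \
            "$DEPLOY_USER@$host:/etc/nginx/tls/"
        ssh "$DEPLOY_USER@$host" 'sudo systemctl reload nginx'
    done
}

# Run as the deploy hook when certbot calls us.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    push_certs "$RENEWED_LINEAGE"
fi
```

With this split, a compromised web server yields the current key pair but no DNS credentials, and the IAM user on the cert host cannot touch A, MX or NS records even if its keys leak; the ForAllValues qualifiers make a mixed change batch (one TXT plus one A record) fail as a whole. The deploy user on each web server needs only a sudoers entry for the reload command.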
Which date?
Accidentally set it in September instead of August.
When I was a lad, I used to give the wrong date for my own August birthday all the time. August was meant to be the 9th month of the year. Did make it difficult to recover my Nickelodeon account one time though.
where were you when tilde dies
“tilde is kill”
“no”
i was at house sleeping with blåhaj when phone ring
That explains why I had to press proceed anyway
Librewolf nor Chromium would let me do that.
Yeah, Firefox would not let me proceed either (no exception option and no "continue"), specifically due to HSTS, I believe, the spec of which I think directly specifies not allowing to get around it (from what I've read). Of course that only goes as far as browser vendors' choices to implement it.
Which, in reality, is a good thing, because connecting to the site in the expired state could represent a security situation more dangerous than the mundane "expired cert" so it was protecting me.
I could have ultimately found a way around if it felt absolutely necessary, but figured it was just worth waiting.
You may be able to get a “Accept the risk and continue” button to appear by blindly typing “thisisunsafe” into the page.
No way, that's such a developer thing to add
Usually I do, but this time two different browsers did not offer that.
What browser let you proceed anyway?
Most will. It’s just intentionally hard to do, since 99% of the time, it’s a good idea initially to proceed. So most people won’t even realize they can continue. I know Safari makes you click on a harder to see text link instead of a button.
For anyone who did manage to somehow connect to tildes during the time the certificate was expired (even though HSTS was enabled and the secure option is set to true in the cookie) while logged in, consider logging out and back in order to reset your authentication cookie.
Yeah, cert's expired
Oh god it's back. Phew. Yeah my browsers weren't letting me bypass the security notice. And I didn't feel like going deep into browser settings to allow me to do so.
Oddly I had the option on iOS Safari, but clicking the "proceed anyway" didn't do anything.
Oddly I get a domain parking page if I try and visit from my UK ISP.
If I fire up the vpn, I can access normally. Strange.
Would you mind sharing a screenshot of the parking page, and maybe the Page Source of it too? I'm genuinely curious to see it, and figure out why that's happening... because it shouldn't be. You also might not be the only person experiencing that either, since someone commented on /r/tildes last night about encountering the same problem ~6 hours after the cert was updated.
I also saw some kind of domain parking page for a while yesterday.
I was getting the namecheap parking page for a bit last night (~6:30pm MT). I hadn't thought to check my phone's VPN, but I think I was on a US node. The whois record was showing expired and renewed, I assumed it was a gap propagation.
Yeah, that's what I assume too... but the comment from last night was 6 hours after the cert was updated so there should have been more than enough time for it to fully propagate, and trim's comment above is a full day later. So I'm just a bit worried that something else might be causing the issue.
Had the same issue just a moment ago, parking page. Invalidated the cache, still had it, eventually navigated to docs.tildes.net and that seemed to allow me to access the rest of the site.
At least we know it's not that the UK government wants to force Deimos to verify UK users' ID cards before they create or continue using their account... yet.
That's honestly what went through my mind, that I'd just been geoblocked. Wouldn't surprise me if that happened. It is surely a risk to be allowing UK serfs access to this site, with its person-to-person interactions and the UK's deliberately vague, wishy-washy, open-to-interpretation definition of "harms", without robust and meaningful personal information theft. Er. Validation.
Hmmm... weird. I wonder what would cause that to fix the issue for you. Maybe your ISP's DNS record for the docs.tildes.net subdomain got updated before the primary tildes.net domain record? :/ In any case, if anyone else messages me still having the issue connecting to tildes, I will also suggest they try going to docs.tildes to solve it too. Thanks.
cc: @Deimos, just so you're aware that there are potentially still some people having issues accessing Tildes after the cert renewal.
I am still somewhat perplexed why a certificate expiry would cause domain parking. Did the domain also expire at the same time?
I'm not entirely sure either, TBH, but I don't think it was the expiry itself that did it. When it was simply expired, people should have just gotten an expired cert warning in their browser like a bunch of other users in this topic reported encountering. However, namecheap may temporarily default to their parking page when a DNS record has been updated on their end, but a user's DNS resolver is still using the old record.
Yeah I was getting standard ssl cert expiry errors at first, I think it was only after that was resolved maybe that the DNS went sus. Can just leave my vpn on until it works through.
Browsing the standard web with a vpn on though, is horrid in the extreme, I frequently get trapped in CAPTCHA loops on sites where I never see them before :(
That depends entirely on the VPN. I pay for 2 dedicated, residential IP addresses (1xUK, 1xUS) with my VPN and never have any issues. ;) But yeah, browsing using public or shared IP pool VPNs is a bit of a PITA because of that.
Okay here's the page source, I get this on my desktop browser, though it doesn't show any actual content
I get this page when I look on my phone
https://ibb.co/Jjp8HvS6
Hope that encoded script thing has no PII in it. Can't fathom how to decode that, it's not base64
Maybe run nslookup tildes.net as well from a command prompt.
This:
nslookup tildes.net
Non-authoritative answer:
tildes.net canonical name = 77980.bodis.com.
Name: 77980.bodis.com
Address: 199.59.243.228
Whereas on vpn I get
Non-authoritative answer:
Name: tildes.net
Address: 54.39.49.122
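Added example, not from the thread, that automates the diagnosis in the two nslookup outputs above: query a few public resolvers for the name and flag any answer that is a CNAME into bodis.com (the Namecheap parking host seen above) or that differs from the address the VPN lookup returned. The resolver list is an assumption; the expected address and the parking signature come from the outputs in this comment.

```shell
#!/bin/sh
# Added example: compare resolvers for a name and spot a stale or parked answer.
set -eu

DOMAIN="${DOMAIN:-tildes.net}"
EXPECTED="${EXPECTED:-54.39.49.122}"                 # address the VPN lookup above returned
RESOLVERS="${RESOLVERS:-1.1.1.1 8.8.8.8 9.9.9.9}"   # assumed: public resolvers; add your ISP's too

# Read one nslookup answer on stdin and print a single classification line:
#   "parked <cname>"  - the name is a CNAME into bodis.com (Namecheap parking)
#   "ok <addr>"       - first address matches EXPECTED
#   "stale <addr>"    - some other address (old record still cached)
#   "no-answer"       - nothing usable (server down, NXDOMAIN, ...)
classify_answer() {
    awk -v expected="$EXPECTED" '
        /canonical name/ {
            target = $NF; sub(/\.$/, "", target)
            if (target ~ /bodis\.com$/) { print "parked " target; parked = 1; exit }
        }
        # skip the resolver line nslookup prints first (Address: 127.0.0.53#53)
        /^Address:/ && $2 !~ /#/ && addr == "" { addr = $2 }
        END {
            if (parked) exit
            if (addr == expected)  print "ok " addr
            else if (addr != "")   print "stale " addr
            else                   print "no-answer"
        }'
}

# Ask every resolver in RESOLVERS and print "<resolver>: <classification>".
compare_resolvers() {
    for r in $RESOLVERS; do
        printf '%s: ' "$r"
        nslookup "$DOMAIN" "$r" 2>/dev/null | classify_answer
    done
}

if [ "${1:-}" = "run" ]; then
    compare_resolvers
fi
```

Run it as "sh dnscheck.sh run"; put the ISP resolver from /etc/resolv.conf (or the router address) into RESOLVERS to see the stale answer side by side with the public ones. If only the ISP entry reports "parked" while the public resolvers report "ok", the cause is resolver caching rather than anything on the site, which is the conclusion the thread reaches below.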
Ah, okay thanks. It's just the standard Namecheap parking page. I was worried it was an ISP injected parking page or something else entirely. If you try changing your DNS settings to Cloudflare (1.1.1.1, 1.0.0.1) or Google (8.8.8.8, 8.8.4.4) does that resolve the issue? I suspect it will given activating your VPN fixes it too. So it's probably just that your ISP has very slow DNS record propagation. :/
I’ll try that. I wanted to point out that Three Cheers on iPhone doesn’t work either
My self hosted vps vpn in Finland doesn’t work either, but Mullvad to Switzerland fixes it
If you're desperate to get Three Cheers working again more quickly, you can change your DNS in iOS; Settings -> Wifi -> click (i) next to your router name -> Configure DNS -> Manual -> Add 1.1.1.1 and 1.0.0.1 or whichever you prefer.
That won't help you when using cellular data though, unfortunately, since AFAIK you can't manually change the cellular DNS resolver in iOS Settings. But you can download the 1.1.1.1 app or any other similar app (e.g. NextDNS, DNS Override, etc), which should override both your wifi and cellular data DNS. They're way more convenient than manually changing the DNS as well, since it usually just takes a single click in the app to enable/disable them.
Who needs the s in https anyway, right? /s
Edit: From the linked Let’s Encrypt article,
Knowing nothing about the topic, I’m assuming 1 subdomain = 1 certificate? Or are there more specific requirements/scenarios?
You can create wildcards one level deep. So a cert can work for *.tildes.net, but not *.*.tildes.net.