ptpb / pb

pb is a formerly-lightweight pastebin and url shortener

ptpb.pw SSL certificate has expired #175

Closed sudokode closed 7 years ago

sudokode commented 7 years ago

Hi, it's me again. Must be that time of the year :)

https://ptpb.pw

[screenshot attached: 2016-12-01-193356_807x147_scrot]

buhman commented 7 years ago

@silverp1 😢

buhman commented 7 years ago

Yeah, I recall jpettit adding TLS support to the original deployment a day or two after registration; makes sense that both expiries would happen at the same time (un)coincidentally.

buhman commented 7 years ago

There's confusion about who should actually do the renewal and how. Historically, we've signed all of the things via StartCom--however, this is no longer a valid/reputable registrar due to WoSignGate. Hopefully we can sort this soon™.


The levels of deception demonstrated by representatives of the combined company have led to Mozilla’s decision to distrust future certificates chaining up to the currently-included WoSign and StartCom root certificates.

I think that's a pretty casual bankruptcy-causing sentence.

slashbeast commented 7 years ago

You can go with Let's Encrypt. It's free and there are a lot of clients if you do not like the default one, 'acme-tiny' for example. Just cron it to get you a new cert on a bi-monthly basis (they're valid for three months) and you can forget about it.

buhman commented 7 years ago

Just cron it

I like the general idea of automating this, but not the cron part. Maybe I can consume some amazon dogfood to accomplish the same thing, only without running cron somewhere…

slashbeast commented 7 years ago

What's wrong with scheduled tasks in general or cron in particular?

You should have configuration management there anyway (puppet, salt, ansible, Rex, ...), so it's kind of a one-time effort. The acme client just needs to poke the Let's Encrypt API, be able to provide it a special file over http in /.well-known/acme-challenge/ and be able to write an SSL cert. You can interface it in many ways; it does not need to be running as root (and in my opinion, shouldn't be).

Deploying it really depends on what your infrastructure looks like. If you use AWS ELB, you will then need to use the EC2 API and update the cert, or actually put it on every webapp VM you have there (depends on how you configured all of it).

Anyhow, define the problem and I will provide you a solution. :)
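The two comments above describe the HTTP-01 flow in words: the ACME client gets a token from the CA, publishes a file under /.well-known/acme-challenge/ that only an unprivileged user needs to write, and the CA fetches it before issuing. The example below is added to this thread to show what that file actually contains and what the CA checks; it is not ptpb's code, not acme-tiny, and not part of the original discussion. The account JWK and token are constructed placeholder values, not real keys, and the webroot is a temporary directory.

```python
import base64
import hashlib
import hmac
import json
import os
import re
import tempfile

# Added example, not ptpb's or acme-tiny's code. Reconstructs the HTTP-01 pieces the thread
# describes: the CA hands the client a token, the client publishes token.<thumbprint> at
# /.well-known/acme-challenge/<token>, and the CA fetches it over plain HTTP before issuing.


def b64url(data: bytes) -> str:
    """base64url without padding, as used throughout ACME/JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# RFC 7638 section 3.2: only the required public members of each key type go into the thumbprint.
REQUIRED_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
    "OKP": ("crv", "kty", "x"),
}


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members serialised as JSON with keys in
    lexicographic order and no whitespace. Optional members (kid, alg, use) are excluded, so the
    same key always yields the same thumbprint regardless of how the JWK was decorated."""
    members = REQUIRED_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: the body the CA expects is token || '.' || thumbprint(account key)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


# RFC 8555 section 8.3: tokens are base64url characters only. The token comes from the CA,
# so it is validated before being used as a path component under the webroot.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")


def write_challenge(webroot: str, token: str, account_jwk: dict) -> str:
    """Publish the key authorization where the CA will look for it. The challenge directory is
    the only thing the (unprivileged) ACME user needs write access to; the web server serves it."""
    if not TOKEN_RE.fullmatch(token):
        raise ValueError("token is not base64url; refusing to use it as a path component")
    challenge_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(challenge_dir, exist_ok=True)
    path = os.path.join(challenge_dir, token)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(key_authorization(token, account_jwk))
    return path


def ca_validates(served_body: str, token: str, account_jwk: dict) -> bool:
    """What the CA's validator does with the bytes it fetched from
    http://<domain>/.well-known/acme-challenge/<token> (RFC 8555 section 8.3)."""
    return hmac.compare_digest(served_body.strip(), key_authorization(token, account_jwk))


# Constructed sample account key: a P-256 JWK whose x/y are placeholder strings, not a real key.
SAMPLE_ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "WbbXzD3m0sKmn8vRmWBoXiMkA6i9ruVepJb_bJmBKx0",
    "y": "5bQc1h3PNzgkFqFqfUeu5p2J6AnPbR4Ig7V3XrtxS0E",
    "kid": "https://acme.example/acct/1",  # optional member: must not affect the thumbprint
}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed, RFC 8555-style token


def demo() -> dict:
    """Round trip: client publishes the file, then the CA-side check reads it back."""
    webroot = tempfile.mkdtemp(prefix="acme-webroot-")
    path = write_challenge(webroot, SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK)
    with open(path, encoding="ascii") as fh:
        served = fh.read()
    wrong_token = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
    return {
        "path_suffix": os.path.relpath(path, webroot),
        "valid": ca_validates(served, SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK),
        "wrong_token_valid": ca_validates(served, wrong_token, SAMPLE_ACCOUNT_JWK),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The only secret in this exchange is the account private key, which signs the ACME requests; the challenge file itself is public and bound to that key only through the thumbprint, which is why the ACME user needs write access to the challenge directory and nothing else. Cron simply has to call this before the 90-day expiry and then reload the web server.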

buhman commented 7 years ago

https://ptpb.pw has a new certificate now.

polyzen commented 7 years ago

An error occurred during a connection to ptpb.pw. The server uses key pinning (HPKP) but no trusted certificate chain could be constructed that matches the pinset. Key pinning violations cannot be overridden. Error code: MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE
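The error above is the HPKP (RFC 7469) check failing: Firefox had previously noted pin-sha256 values for ptpb.pw, and none of the keys in the newly served chain hashed to one of them. The example below is added here to model that check; it is not ptpb's code or Firefox's, and the "SPKI" blobs are constructed placeholders standing in for real DER SubjectPublicKeyInfo bytes (in practice extracted with `openssl x509 -pubkey -noout | openssl pkey -pubin -outform der`). The scenario function replays the thread: pins noted for the old leaf key plus a backup key, then a chain whose keys are neither.

```python
import base64
import hashlib

# Added example, not from ptpb or Firefox. Models the RFC 7469 pin check: hash each SPKI in the
# served chain and require that at least one hash is in the pinset the browser noted earlier.


def pin_sha256(spki_der: bytes) -> str:
    """RFC 7469 section 2.4: base64 of SHA-256 over the DER-encoded SubjectPublicKeyInfo.
    The pin covers the key, not the certificate, so a re-issued cert for the same key (even
    from a different CA) still matches; a fresh key does not."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_public_key_pins(header: str) -> dict:
    """Parse a Public-Key-Pins header value into its directives."""
    result = {"pins": [], "max_age": None, "include_subdomains": False, "report_uri": None}
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, raw = directive.partition("=")  # split on the first '=' only; pins end in '='
        name = name.strip().lower()
        value = raw.strip().strip('"')
        if name == "pin-sha256":
            result["pins"].append(value)
        elif name == "max-age":
            result["max_age"] = int(value)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "report-uri":
            result["report_uri"] = value
    return result


def chain_matches_pinset(pinset, chain_spkis) -> bool:
    """Pin validation (RFC 7469 section 2.6): pass if any SPKI in the chain hashes to a noted pin.
    This is the check that produced MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE when it returned False."""
    noted = set(pinset)
    return any(pin_sha256(spki) in noted for spki in chain_spkis)


def header_is_noteworthy(header: str, chain_spkis) -> bool:
    """RFC 7469 section 2.5: a UA only notes a PKP header that carries max-age, has at least one
    pin matching the chain that delivered it, and at least one backup pin NOT in that chain.
    The backup requirement exists precisely so the host can rotate keys without this outage."""
    parsed = parse_public_key_pins(header)
    if parsed["max_age"] is None or not parsed["pins"]:
        return False
    chain_pins = {pin_sha256(s) for s in chain_spkis}
    return (any(p in chain_pins for p in parsed["pins"])
            and any(p not in chain_pins for p in parsed["pins"]))


# Constructed placeholders standing in for DER SPKI bytes; not real keys.
OLD_LEAF_SPKI = b"constructed SPKI: old ptpb.pw leaf key"
OLD_CA_SPKI = b"constructed SPKI: old issuing CA key"
BACKUP_SPKI = b"constructed SPKI: backup key generated but never used"
NEW_LEAF_SPKI = b"constructed SPKI: fresh leaf key used for the new cert"
NEW_CA_SPKI = b"constructed SPKI: new issuing CA key"


def header_for(*spkis, max_age=5184000) -> str:
    """Build a Public-Key-Pins header pinning the given keys (60-day max-age by default)."""
    pins = "; ".join(f'pin-sha256="{pin_sha256(s)}"' for s in spkis)
    return f"{pins}; max-age={max_age}"


def scenario() -> dict:
    """Replay the thread. The browser noted pins for the old leaf and a backup key while the old
    chain was served; the server then switched to a chain using a brand-new key."""
    old_chain = [OLD_LEAF_SPKI, OLD_CA_SPKI]
    new_chain = [NEW_LEAF_SPKI, NEW_CA_SPKI]
    noted_header = header_for(OLD_LEAF_SPKI, BACKUP_SPKI)
    no_backup_header = header_for(OLD_LEAF_SPKI, OLD_CA_SPKI)  # both pins in chain: no backup
    noted_pins = parse_public_key_pins(noted_header)["pins"]
    return {
        "header_noted_by_ua": header_is_noteworthy(noted_header, old_chain),
        "header_without_backup_noted": header_is_noteworthy(no_backup_header, old_chain),
        "new_chain_passes_pinset": chain_matches_pinset(noted_pins, new_chain),
        "backup_key_chain_passes_pinset": chain_matches_pinset(noted_pins, [BACKUP_SPKI, NEW_CA_SPKI]),
    }


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

The practical lesson for a Let's Encrypt migration: because the pin is over the SPKI, keeping the existing private key (or issuing the new certificate for the previously advertised backup key) would have satisfied the pinset even though the issuing CA changed; generating a fresh key and serving it before the old max-age ran out is what locks pinned clients out, and a pin violation cannot be clicked through.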