wo-ist-markt / wo-ist-markt.github.io

A map visualization of periodic markets in different cities.
https://wo-ist-markt.de

HTTPS does not work on wo-ist-markt.de #4

Closed torfsen closed 8 years ago

torfsen commented 8 years ago

It seems that https://wo-ist-markt.de does not work.

dirkschumacher commented 8 years ago

How about using something like this? https://timmesserschmidt.com/blog/2016/03/18/lets-encrypt-gh-pages/

johnjohndoe commented 8 years ago

Thanks, looks interesting. We should take a look at it at one of the next meetups.

torfsen commented 8 years ago

Closed, see #20.

johnjohndoe commented 8 years ago

Related commits: bcb8dd479b7db01a2209ebd89a48fa18e97e6a68, d60c4f728fa1c0a886ba28cf1fdf13d8584713e9

Further, DNS settings have been changed to use Kloudsec.

torfsen commented 8 years ago

I'm still having problems with this (as of 50f990a).

First of all, https://www.wo-ist-markt.de (with www) doesn't work for me at all:

www.wo-ist-markt.de uses an invalid security certificate. The certificate is only valid 
for the following names:
www.github.com, *.github.com, github.com, *.github.io, github.io, *.githubusercontent.com,  
githubusercontent.com

Error code: SSL_ERROR_BAD_CERT_DOMAIN 

Secondly, https://wo-ist-markt.de (without www) only works partially for me. It does work without problems in Firefox, but it doesn't work or only with very long response times using Chrome, Opera or wget. It seems that wo-ist-markt.de resolves to two different IPs:

$ nslookup wo-ist-markt.de
Server:     127.0.1.1
Address:    127.0.1.1#53

Non-authoritative answer:
Name:   wo-ist-markt.de
Address: 192.30.252.153
Name:   wo-ist-markt.de
Address: 103.203.90.2

Firefox uses 103.203.90.2 and all the other programs seem to try the first instead. If I try https://103.209.90.2 in these programs then I get another certificate error. Here's the output from Chrome:

This server could not prove that it is 103.203.90.2; its security certificate is
from *.kloudsec.com. This may be caused by a misconfiguration or an attacker
intercepting your connection.

I get similar errors for 103.203.90.2 in Opera and wget.

If I try to load https://192.30.252.153 (the first IP) in Firefox explicitly then I get the same behavior as in the other programs: Connecting takes ages and often doesn't succeed at all.
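An added example, not part of the original thread or the project's code: the two checks the comment above walks through by hand, namely whether a certificate's names cover the requested host and what each resolved address answers to a validated TLS handshake. `san_matches` and `check_each_address` are hypothetical helper names; the SAN list is the one quoted in the Firefox error above.

```python
import ipaddress
import socket
import ssl

# SAN list copied from the Firefox error quoted in this thread.
GITHUB_SANS = ["www.github.com", "*.github.com", "github.com", "*.github.io",
               "github.io", "*.githubusercontent.com", "githubusercontent.com"]

def san_matches(hostname, sans):
    """Hypothetical helper: True if a dNSName in sans covers hostname.
    A wildcard counts only as the whole left-most label (RFC 6125)."""
    try:
        ipaddress.ip_address(hostname)
        return False  # an IP literal is never covered by a DNS name
    except ValueError:
        pass
    host = hostname.lower().rstrip(".").split(".")
    for san in sans:
        pat = san.lower().rstrip(".").split(".")
        if len(pat) != len(host):
            continue  # "*" stands for exactly one label
        if pat == host or (pat[0] == "*" and len(pat) > 2 and pat[1:] == host[1:]):
            return True
    return False

def check_each_address(hostname, port=443, timeout=5.0):
    """Hypothetical helper: TLS handshake against every resolved address,
    with SNI and normal validation. Returns {ip: "ok" or error text}."""
    ctx = ssl.create_default_context()
    results = {}
    infos = socket.getaddrinfo(hostname, port, proto=socket.IPPROTO_TCP)
    for ip in sorted({info[4][0] for info in infos}):
        try:
            with socket.create_connection((ip, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=hostname):
                    results[ip] = "ok"
        except ssl.SSLCertVerificationError as exc:
            results[ip] = "certificate rejected: " + exc.verify_message
        except OSError as exc:
            results[ip] = "connection failed: " + str(exc)
    return results

if __name__ == "__main__":
    import sys
    print(san_matches("www.wo-ist-markt.de", GITHUB_SANS))  # offline check
    for name in sys.argv[1:]:  # live check, needs network access
        print(name, check_each_address(name))
```

Running the live check against a name with several A records shows per address which endpoint fails validation, instead of depending on which address a given client happens to pick.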

johnjohndoe commented 8 years ago

I removed the A record for 192.30.252.153 now. Here is the current DNS setup:

wo-ist-markt-dns-1

Let's see if this helps.

torfsen commented 8 years ago

This seems to have helped, @johnjohndoe: For me https://wo-ist-markt.de now works on Firefox (desktop + mobile), Chrome (desktop + mobile), Opera (desktop) and the Android standard browser.

https://www.wo-ist-markt.de still fails on all of them due to the certificate only being valid for the GitHub domains (see above). I'm not sure whether we need to support the www subdomain but it should either not work at all (neither HTTP nor HTTPS) or fully work. www works with HTTP (http://www.wo-ist-markt.de) and redirects to the HTTPS no-subdomain-version (https://wo-ist-markt.de). Let's Encrypt currently does not issue wildcard certificates and has currently no plans to do so, so we would need a separate certificate for the www subdomain.

johnjohndoe commented 8 years ago

I am fine with leaving it as it is now.

torfsen commented 8 years ago

Is there a way to disable the www subdomain completely? I don't think that we need it, but in its current state (i.e. throwing an error when used with HTTPS) it will confuse people.

torfsen commented 8 years ago

@johnjohndoe: Any thoughts on disabling www completely? Otherwise please close.

johnjohndoe commented 8 years ago

@torfsen I just did not invest time to research how I can configure Kloudsec to let Let's Encrypt also serve www with a valid certificate. Please leave the issue open.

torfsen commented 8 years ago

OK, no problem.

johnjohndoe commented 8 years ago

It looks like we have to change the website configuration / deployment once again:

:rotating_light:

From: Steven Goh hello@kloudsec.com
Date: Sat, Jul 9, 2016 at 3:12 PM
Subject: Kloudsec is shutting down

Hi all,

It is with great sadness that I have to inform you that Kloudsec is shutting down.

Why is Kloudsec shutting down?

  1. We have been funding Kloudsec out of our own pocket
  2. Kloudsec is very expensive to maintain (upwards to $10000 / month)
  3. We are unable to make money from Kloudsec, nor raise any funds for it

We will shut Kloudsec down on 1st August

From now till then, we will not be maintaining the service.

Migrating out of Kloudsec

Migrating out of Kloudsec is extremely simple. All you have to do is to point your domain back at its origin server.

You will lose the HTTPS cert. But you can fix that by

  • either issuing your own LetsEncrypt certificate
  • or using Cloudflare.

Lessons learnt

From the start, we are extremely lucky to have a small revenue stream that let us experiment with cool products. And Kloudsec is one of our biggest experiments.

There are a couple of things we did right, and a couple we did wrong.

We did right by having the right team come together, building a seriously sophisticated product. (Thank you Ivan and Bach)

We did wrong by building a sophisticated product that made it hard for a small team to maintain, let alone scale.

We did wrong by building a product that was not immediately useful enough so much so that people will pay for.

We did wrong by building a product that was too expensive to maintain.

We did wrong by assuming that traction solves all ailments. Not in Singapore, you don't. There is no good venture money for real hard-tech software startups in Singapore.

We did right with pulling the plug so we can learn from these mistakes and work on the next product.

What's next for us

From Kloudsec, we identified a few niche problems that we will be looking to solve. In other words, we will continually be building.

And you can be sure from our next product onwards, we will charge right from day 1 so we can sustain the product financially.

Lastly, thank you!

Thank you. Most of you have spoken to me, or read the posts I've written on Github, on Hacker News, or Producthunt about Kloudsec. You guys took a leap of faith in trusting this small unknown team and product, and used us.

I'm sorry to disappoint you with this piece of news, but I'll try better next time.

If you like, you can follow me on Twitter at @nubela. You can also contact me at any time at steven@nubela.co

Steven Goh.

k-nut commented 8 years ago

As discussed before in person, we could just switch to a VM provided by okfn Deutschland. They come with Let's Encrypt preconfigured now, so it should be easy. I wrote a small script in the markt-server repository that automatically deploys each time the build passes on Travis. So we get just the same amount of comfort that we already have. I'll probably have time to configure this on Monday if no one says no.

johnjohndoe commented 8 years ago

As a side note and a quick reminder: from August 1, 2016 we might experience downtimes for the website since Kloudsec is shutting down their service. We are already working on a solution.

torfsen commented 8 years ago

The new DNS settings seem to have propagated by now (I'm getting 148.251.185.45), but the certificate is invalid for our domain:

wo-ist-markt.de uses an invalid security certificate.
The certificate is only valid for cologne.codefor.de
Error code: SSL_ERROR_BAD_CERT_DOMAIN

k-nut commented 8 years ago

I think we need to change some ssl settings on the server that the new VM runs on. I hope that this gets updated later today.

k-nut commented 8 years ago

The change is made. We are back online

torfsen commented 8 years ago

Looks good, great work! :tada:

johnjohndoe commented 8 years ago

Nice. Thank you, @k-nut. I am happily closing this issue. 😍