birmingham.io

SSL Issues with birmingham.io in Chrome?

Just tried visiting calendar and talk.birmingham.io in Chrome (Version 59.0.3063.4 dev (64-bit)) and am getting an unusual privacy error.
See https://www.dropbox.com/s/ee11994fbleikbe/Screenshot%202017-04-10%2016.24.52.png?dl=0

Works fine in Safari. Don’t have anything else to test with currently.

1 Like

v57.0.2987.133 (64-bit) (Mac) Works fine. I see you’re using a dev version so maybe it’s the issue?

I’m also not seeing errors in v57, although I don’t have v59 around to check…

Both Calendar and Talk on Firefox/Ubuntu 52.0.2 (64-bit) are fine here.

1 Like

Thanks for reporting this, @dombarnes. I’m on Chrome 57 here, and I’m not seeing the error myself. I can only imagine this has something to do with Chrome becoming more strict on SSL certs.

I think the calendar site is being hosted by @rythie, is there anything we can do about this?

See https://blog.qualys.com/ssllabs/2017/04/05/ssl-labs-distrusts-wosign-and-startcom-certificates
and https://security.googleblog.com/2016/10/distrusting-wosign-and-startcom.html
Chrome Dev is just ahead of the game

2 Likes

Yeah, looks like SSL cert here is signed by StartCom. Time to switch to Let’s Encrypt?

2 Likes

I guess so. I’ve been avoiding it on my server, because I’ve got a dozen domains, mostly with subdomains too. Though it does seem that Let’s Encrypt now supports multiple names, I was avoiding SNI due to lack of support on systems like Python.

I heard about the deprecating of new StartSSL certs, but didn’t realise they were doing it for older certs. For talk.birmingham.io this should be easier, though that’s up to @LimeBlast to sort out.

[quote="rythie, post:8, topic:3246"]
I guess so. I’ve been avoiding it on my server, because I’ve got a dozen domains, mostly with subdomains too.[/quote]

As long as you set up the cron task properly, you can renew as many domains as you like automatically with their client (I have it renewing two of mine on one server right now).

Hahaha, that’s the theory at least. There are some instructions on updating Discourse with Let’s Encrypt, I’ve just been putting it off :grimacing:

I’m glad I could help force you both to do something you’ve been putting off.
If you have any advice for tidying the dining room I’ve been putting off, we can consider it even!

You could invite us all over for a nice home-cooked meal, that should give you sufficient motivation.

1 Like

The Yumzee people are a Brum-based startup who are getting people to do exactly that as a business model :slight_smile: I believe @DaveDev has tried them; anyone else?

Yes - Yumzee is great :grinning:

Just to note Python 3 supports SNI just fine, and Python 2 also since 2.7.9 (and before then you can install urllib3[secure] or requests[secure]). I use LetsEncrypt at home and work, with a lot of domains, all works well.

The issue I hit was that Ubuntu 14.04 only ships Python 2.7.6 still and if you use someone else’s code, you can’t decide on the library they use. For the planet site I ended up compiling my own Python to get a later version. Whilst I can fix my own server, I can’t fix other people’s. I think this has been handled by both Python and Ubuntu (who should have backported the patch). There were perhaps other ways to solve this better, but I didn’t come across them. I haven’t yet had enough time to update my server to Ubuntu 16.04, since I know there are multiple code bases that need fixing to get that to work.

Though now priorities are different because breaking a small number of older Python users (+ Android 2.x, WinXP etc.) is tiny compared to breaking all Chrome users.

Though of course you don’t need SNI now with letsencrypt, since they support multiple domains (not sure they did at first).

Update: I’ve set up Let’s Encrypt on my server now (calendar/planet sites and birmingham.io redirect). I had to list all my subdomains which took some time. Then I used the temporary webserver option because I have lots of webroots and some of them don’t really allow adding of a file.

2 Likes
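
An added example, not part of any post in this thread: a small audit over certificate dicts in the shape Python's `ssl.SSLSocket.getpeercert()` returns, flagging the three things discussed above (a StartCom/WoSign issuer, hostnames missing from a multi-name certificate, and a renewal that has not run). The hostnames, dates and certificate dicts are constructed samples, and the substring match on the issuer name is an assumption for illustration, not Chrome's actual distrust logic.

```python
import ssl
from datetime import datetime, timezone

DISTRUSTED_ORGS = ("startcom", "wosign")  # CA names from the articles linked above

def issuer_org(cert):
    """organizationName from a getpeercert()-style issuer tuple."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return ""

def name_matches(pattern, host):
    """Exact match, or one left-most wildcard label (*.example.org)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def audit(cert, required_hosts, now, min_days=30):
    """Return findings for one certificate dict; an empty list means it passes."""
    findings = []
    org = issuer_org(cert)
    if any(bad in org.lower() for bad in DISTRUSTED_ORGS):
        findings.append(f"issuer '{org}' is a distrusted CA")
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    for host in required_hosts:
        if not any(name_matches(p, host) for p in sans):
            findings.append(f"{host} is not covered by any SAN entry")
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    days_left = (expiry - now).days
    if days_left < min_days:
        findings.append(f"expires in {days_left} days")
    return findings

# Constructed sample data in the shape ssl.SSLSocket.getpeercert() returns.
OLD_CERT = {"issuer": ((("organizationName", "StartCom Ltd."),),),
            "subjectAltName": (("DNS", "calendar.example.org"),),
            "notAfter": "Jun  1 12:00:00 2017 GMT"}
NEW_CERT = {"issuer": ((("organizationName", "Let's Encrypt"),),),
            "subjectAltName": (("DNS", "calendar.example.org"), ("DNS", "planet.example.org")),
            "notAfter": "Jul 15 12:00:00 2017 GMT"}
HOSTS = ["calendar.example.org", "planet.example.org"]
APRIL = datetime(2017, 4, 20, 12, 0, tzinfo=timezone.utc)
JULY = datetime(2017, 7, 1, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(audit(OLD_CERT, HOSTS, APRIL))
    print(audit(NEW_CERT, HOSTS, JULY))
```

To run it against a live server, pass the result of `getpeercert()` from a verified `ssl` connection opened with `server_hostname` set, which is also what sends SNI.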

Chrome on my desktop just updated to version 58, and all of a sudden I was prevented access to the site because of an SSL issue. I wasn’t even able to ignore the warning and continue, as usual, just a total block. Chrome on my laptop (running 57 at the time) was fine, so I figured it must be this issue.

So this, of course, has somewhat forced my hand into moving over to Let’s Encrypt, which I did this morning.

I was a bit worried about doing this because I wasn’t sure what would happen about the previous certs I had installed, and in fact, they did cause an issue at first, but all I needed to do was delete the old certs and rebuild the container.

If anyone notices anything funny about the site, please let me know.

Thank you very much to @rythie for letting us use his certs up until this point :slight_smile:

4 Likes

All good on Chrome 60 too, and Safari Tech Preview R28 :+1:t2::closed_lock_with_key:

1 Like

Firefox is still moaning:
