SSL Issues with in Chrome?

(Dom Barnes) #1

Just tried visiting calendar and in Chrome (Version 59.0.3063.4 dev (64-bit)) and am getting an unusual privacy error.

Works fine in Safari. Don’t have anything else to test with currently.

(Daveyon Mayne) #2

v57.0.2987.133 (64-bit) (Mac) Works fine. I see you’re using a dev version so maybe it’s the issue?

(Stuart Langridge) #3

I’m also not seeing errors in v57, although I don’t have v59 around to check…

(Jon) #4

Both Calendar and Talk on Firefox/Ubuntu 52.0.2 (64-bit) are fine here.

(Daniel Hollands) #5

Thanks for reporting this, @dombarnes. I’m on Chrome 57 here, and I’m not seeing the error myself. I can only imagine this has something to do with Chrome becoming more strict on SSL certs.

I think the calendar site is being hosted by @rythie, is there anything we can do about this?

(Dom Barnes) #6

Chrome Dev is just ahead of the game

(Matt Andrews) #7

Yeah, looks like SSL cert here is signed by StartCom. Time to switch to Let’s Encrypt?

(Richard Cunningham) #8

I guess so. I’ve been avoiding it on my server, because I’ve got a dozen domains, mostly with subdomains too. Though it does seem that letsencrypt now supports multiple names, I was avoiding SNI due to lack of support on systems like Python.

I heard about the deprecating of new StartSSL certs, but didn’t realise they were doing it for older certs. For this should be easier, though that’s up to @LimeBlast to sort out.

(Matt Andrews) #9

[quote=“rythie, post:8, topic:3246”]
I guess so. I’ve been avoiding it on my server, because I’ve got a dozen domains, mostly with subdomains too.[/quote]

As long as you set up the cron task properly, you can renew as many domains as you like automatically with their client (I have it renewing two of mine on one server right now).

(Daniel Hollands) #10

Hahaha, that’s the theory at least. There are some instructions on updating Discourse with Let’s Encrypt, I’ve just been putting it off :grimacing:

(Dom Barnes) #11

I’m glad I could help force you both to do something you’ve been putting off.
If you have any advice for tidying the dining room I’ve been putting off, we can consider it even!

(Daniel Hollands) #12

You could invite us all over for a nice home-cooked meal, that should give you sufficient motivation.

(Stuart Langridge) #13

The Yumzee people are a Brum-based startup who are getting people to do exactly that as a business model :slight_smile: I believe @DaveDev has tried them; anyone else?

(Dave Evans) #14

Yes - Yumzee is great :grinning:

(Matthew Somerville) #15

Just to note Python 3 supports SNI just fine, and Python 2 also since 2.7.9 (and before then you can install urllib3[secure] or requests[secure]). I use LetsEncrypt at home and work, with a lot of domains, all works well.

(Richard Cunningham) #16

The issue I hit was that Ubuntu 14.04 only ships Python 2.7.6 still and if you use someone else’s code, you can’t decide on the library they use. For the planet site I ended up compiling my own Python to get a later version. Whilst I can fix my own server, I can’t fix other people’s. I think this has been handled by both Python and Ubuntu (who should have backported the patch). There were perhaps other ways to solve this better, but I didn’t come across them. I haven’t yet had enough time to update my server to Ubuntu 16.04, since I know there are multiple code bases that need fixing to get that to work.

Though now priorities are different because breaking a small number of older Python users (+ Android 2.x, WinXP etc.) is tiny compared to breaking all Chrome users.

(Richard Cunningham) #17

Though of course you don’t need SNI now with letsencrypt, since they support multiple domains (not sure they did at first).

Update: I’ve set up Let’s Encrypt on my server now (calendar/planet sites and redirect). I had to list all my subdomains which took some time. Then I used the temporary webserver option because I have lots of webroots and some of them don’t really allow adding of a file.
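An added example, not part of the thread: a small audit of the two points raised in posts #15 and #17, namely whether the local Python can send SNI, and whether one multi-name certificate covers every hostname served so that clients without SNI still get a matching cert. The certificate dictionaries, the `example.org` hostnames and the flagged-issuer list are constructed assumptions; the dictionaries follow the shape returned by `ssl.SSLSocket.getpeercert()`.

```python
import ssl

# Assumption for this example: issuer organisations to flag, based on the
# thread's mention of StartCom. Adjust to your own trust policy.
FLAGGED_ISSUERS = ("startcom",)

def issuer_org(cert):
    """Return organizationName from a dict shaped like ssl getpeercert()."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return ""

def name_matches(pattern, host):
    """Hostname match; '*' is accepted only as the whole left-most label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def audit(cert, hosts):
    """Report issuer status and which served hosts the SAN list misses."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    org = issuer_org(cert)
    return {
        "issuer": org,
        "issuer_flagged": any(f in org.lower() for f in FLAGGED_ISSUERS),
        "uncovered": [h for h in hosts
                      if not any(name_matches(s, h) for s in sans)],
        "client_has_sni": ssl.HAS_SNI,  # False on Python 2 before 2.7.9
    }

# Constructed sample certificates (not the real certs of the sites discussed).
OLD_CERT = {
    "issuer": ((("countryName", "IL"),), (("organizationName", "StartCom Ltd."),)),
    "subjectAltName": (("DNS", "calendar.example.org"),),
}
NEW_CERT = {
    "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),)),
    "subjectAltName": (("DNS", "calendar.example.org"),
                       ("DNS", "planet.example.org"),
                       ("DNS", "www.example.org")),
}
HOSTS = ["calendar.example.org", "planet.example.org", "www.example.org"]

if __name__ == "__main__":
    for label, cert in (("old", OLD_CERT), ("new", NEW_CERT)):
        print(label, audit(cert, HOSTS))
```

An empty `uncovered` list means a server presenting that single certificate on one IP address serves a valid name to every listed host, with or without SNI from the client.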

(Daniel Hollands) #18

Chrome on my desktop just updated to version 58, and all of a sudden I was prevented access to the site because of an SSL issue. I wasn’t even able to ignore the warning and continue, as usual, just a total block. Chrome on my laptop (running 57 at the time) was fine, so I figured it must be this issue.

So this, of course, has somewhat forced my hand into moving over to Let’s Encrypt, which I did this morning.

I was a bit worried about doing this because I wasn’t sure what would happen about the previous certs I had installed, and in fact, they did cause an issue at first, but all I needed to do was delete the old certs and rebuild the container.

If anyone notices anything funny about the site, please let me know.

Thank you very much to @rythie for letting us use his certs up until this point :slight_smile:

(Dom Barnes) #19

All good on Chrome 60 too, and Safari Tech Preview R28 :+1:t2::closed_lock_with_key:

(Marc Cooper) #20

Firefox is still moaning: