Author Topic: FORUM DISRUPTION: Server Upgrade  (Read 39827 times)


Offline amspire

  • Super Contributor
  • ***
  • Posts: 3802
  • Country: au
Re: FORUM DISRUPTION: Server Upgrade
« Reply #50 on: March 31, 2017, 04:50:53 am »
2) use letsencrypt.org for a free SSL cert, this involves a little bit of setup on the server to renew the cert before it expires as these have a 3 month expiry.

Interesting service. It is not much of a problem for this forum, but such a service sounds like the perfect way for the NSA or other 3 letter agencies to get private SSL keys.
LetsEncrypt went through a long period of public security auditing before they offered their service, so it is one of the more secure SSL solutions. It is done properly.

There are many hosting companies that support LetsEncrypt, and they will automatically renew every 3 months - so all you have to do is request a free SSL cert in the CPanel, and you have a certificate that will automatically renew for as long as you want.

Most CPanel hosts now let you enter your own key, so I have 3 LetsEncrypt certs I generate every 3 months (single batch file to update all three), and then I manually add the new keys to the CPanels.

For companies, I have always just got a commercial one - RapidSSL is something like A$12 a year if you buy from the right reseller.

Digicert is used by the likes of Facebook, so it is not a bad choice for companies.
 

Offline gnif

  • Administrator
  • *****
  • Posts: 1675
  • Country: au
Re: FORUM DISRUPTION: Server Upgrade
« Reply #51 on: March 31, 2017, 04:51:54 am »
2) use letsencrypt.org for a free SSL cert, this involves a little bit of setup on the server to renew the cert before it expires as these have a 3 month expiry.

Interesting service. It is not much of a problem for this forum, but such a service sounds like the perfect way for the NSA or other 3 letter agencies to get private SSL keys.
LetsEncrypt went through a long period of public security auditing before they offered their service, so it is one of the more secure SSL solutions. It is done properly.

There are many hosting companies that support LetsEncrypt, and they will automatically renew every 3 months - so all you have to do is request a free SSL cert in the CPanel, and you have a certificate that will automatically renew for as long as you want.

Most CPanel hosts now let you enter your own key, so I have 3 LetsEncrypt certs I generate every 3 months (single batch file to update all three), and then I manually add the new keys to the CPanels.

For companies, I have always just got a commercial one - RapidSSL is something like A$12 a year if you buy from the right reseller.

Digicert is used by the likes of Facebook, so it is not a bad choice for companies.

cPanel is not an option here for the renewal process; this server, while it runs cPanel, is not using it for hosting, it's too slow. This is not an issue though as I can set up some custom scripts to handle the renewal.
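
The expiry check that a custom renewal script of this kind depends on, as an added example (not gnif's or the forum's actual script). The 30-day renewal window, the function names and the test hostname are assumptions; the sample certificates are constructed on the fly so the check can be exercised offline.

```bash
#!/usr/bin/env bash
# Added example: decide whether a certificate is inside its renewal window.
# The window, names and paths are assumptions for illustration only.

RENEW_WINDOW_DAYS=30   # assumed policy: renew when fewer than 30 days remain

# needs_renewal CERT_PEM [DAYS]
# Returns 0 (true) if the cert expires within DAYS days, or if it is
# missing or unparseable (fail towards renewing). Returns 1 otherwise.
needs_renewal() {
    local cert="$1" days="${2:-$RENEW_WINDOW_DAYS}"
    [ -r "$cert" ] || return 0
    # -checkend N exits 0 only if the cert is still valid N seconds from now
    if openssl x509 -in "$cert" -noout -checkend $((days * 86400)) \
            >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# make_sample_cert OUT_PEM VALID_DAYS
# Constructed self-signed certificate used only to exercise the check.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=forum.example.test" \
        -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

demo() {
    local dir c
    dir=$(mktemp -d)
    make_sample_cert "$dir/fresh.pem" 90   # like a newly issued 3-month cert
    make_sample_cert "$dir/aging.pem" 10   # already inside the window
    for c in fresh aging missing; do
        if needs_renewal "$dir/$c.pem"; then
            echo "$c: renew now"
        else
            echo "$c: ok"
        fi
    done
    rm -rf "$dir"
}
demo
```

Run from cron daily, a check like this only triggers the actual renewal client when the window is reached, and a missing or corrupt certificate file is treated as due rather than silently skipped.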
 

Offline EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 37728
  • Country: au
    • EEVblog
Re: FORUM DISRUPTION: Server Upgrade
« Reply #52 on: March 31, 2017, 04:53:15 am »
For this website since there is no real sensitive information, the cheapest option. You do not need to use HG for this, any certificate authority is fine, personally I have used RapidSSL, and AlphaSSL, but I believe there are better/cheaper options today. To be completely honest though if it was me I would just go for the letsencrypt.org service, it is if anything more secure than a generic SSL cert from other providers as it renews every 3 months, and the setup is quite simple on the server.

I like the idea of a new certificate every few months from a "why not" point of view.
How much work is involved in setting this up?
 

Offline gnif

  • Administrator
  • *****
  • Posts: 1675
  • Country: au
Re: FORUM DISRUPTION: Server Upgrade
« Reply #53 on: March 31, 2017, 04:53:53 am »
For this website since there is no real sensitive information, the cheapest option. You do not need to use HG for this, any certificate authority is fine, personally I have used RapidSSL, and AlphaSSL, but I believe there are better/cheaper options today. To be completely honest though if it was me I would just go for the letsencrypt.org service, it is if anything more secure than a generic SSL cert from other providers as it renews every 3 months, and the setup is quite simple on the server.

I like the idea of a new certificate every few months from a "why not" point of view.
How much work is involved in setting this up?

About 1/2 hour, nothing huge.
 

Offline EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 37728
  • Country: au
    • EEVblog
Re: FORUM DISRUPTION: Server Upgrade
« Reply #54 on: March 31, 2017, 04:55:56 am »
About 1/2 hour, nothing huge.

Make it so when you have some free time!
I can add the SSL certificate to Cloudflare I believe if that's required.
 

Offline gnif

  • Administrator
  • *****
  • Posts: 1675
  • Country: au
Re: FORUM DISRUPTION: Server Upgrade
« Reply #55 on: March 31, 2017, 04:57:25 am »
About 1/2 hour, nothing huge.

Make it so when you have some free time!
I can add the SSL certificate to Cloudflare I believe if that's required.

Great, I will later today. In the CF configuration you just tell it to use "Strict" mode, then it enforces the SSL cert your server produces is valid.
 

Offline EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 37728
  • Country: au
    • EEVblog
Re: FORUM DISRUPTION: Server Upgrade
« Reply #56 on: March 31, 2017, 05:11:04 am »
About 1/2 hour, nothing huge.

Make it so when you have some free time!
I can add the SSL certificate to Cloudflare I believe if that's required.

Great, I will later today. In the CF configuration you just tell it to use "Strict" mode, then it enforces the SSL cert your server produces is valid.

Great, thanks.
Should start a new thread for this to report issues and discuss. Many nerds may rejoice.
 

Offline amspire

  • Super Contributor
  • ***
  • Posts: 3802
  • Country: au
Re: FORUM DISRUPTION: Server Upgrade
« Reply #57 on: March 31, 2017, 05:15:46 am »
For this website since there is no real sensitive information, the cheapest option. You do not need to use HG for this, any certificate authority is fine, personally I have used RapidSSL, and AlphaSSL, but I believe there are better/cheaper options today. To be completely honest though if it was me I would just go for the letsencrypt.org service, it is if anything more secure than a generic SSL cert from other providers as it renews every 3 months, and the setup is quite simple on the server.

I like the idea of a new certificate every few months from a "why not" point of view.
How much work is involved in setting this up?
The 3 month expiry is a great idea. If someone hacks your site and gets the keys to your commercial 2+ year SSL certificate, they can pretend to be you. You can revoke the certificate, but it is up to the browsers to check to see if certificates are revoked or not. As far as I know, Chrome does not actually check for revoked certs. They have their own system that can accept some revoked certificates.
 

Offline rrinker

  • Super Contributor
  • ***
  • Posts: 2046
  • Country: us
Re: FORUM DISRUPTION: Server Upgrade
« Reply #58 on: March 31, 2017, 01:40:58 pm »
 I'm pretty sure Chrome blocks if the cert is revoked just like other browsers. Just had a customer attempt to replace their SHA-1 certs with SHA-256 and didn't realize that once he requests the existing cert to be re-keyed it revokes the old version of it, and attempting to access the site using this cert with Chrome resulted in a revocation error until it was replaced. Prior to rekeying, the error in Chrome was the one that since it was SHA-1 it wasn't actually secure.


 

Offline jippie

  • Supporter
  • ****
  • Posts: 118
  • Country: nl
Re: FORUM DISRUPTION: Server Upgrade
« Reply #59 on: March 31, 2017, 10:37:52 pm »
Seems the forum is no longer sending HTTP_REFERER, which broke my dynamic avatar  :--

Stopped working probably somewhere between:
31/Mar/2017:13:03:04 +0200
and
31/Mar/2017:14:24:58 +0200
« Last Edit: March 31, 2017, 10:44:33 pm by jippie »
 

Offline amspire

  • Super Contributor
  • ***
  • Posts: 3802
  • Country: au
Re: FORUM DISRUPTION: Server Upgrade
« Reply #60 on: March 31, 2017, 11:05:08 pm »
I'm pretty sure Chrome blocks if the cert is revoked just like other browsers. Just had a customer attempt to replace their SHA-1 certs with SHA-256 and didn't realize that once he requests the existing cert to be re-keyed it revokes the old version of it, and attempting to access the site using this cert with Chrome resulted in a revocation error until it was replaced. Prior to rekeying, the error in Chrome was the one that since it was SHA-1 it wasn't actually secure.
Last I heard, Google had decided not to let browsers check if a cert was revoked, but instead Google runs its own in-house tracking of revoked certs, and somehow Chrome uses this Google service. They did have an optional setting to re-enable revoke cert checking in Chrome, but that seems to have disappeared. This solution often works but not all the time. Google's cert database may be much faster, but it is not necessarily comprehensive or up-to-date.

If Google has gone back to allowing Chrome to directly check for revoked certs, it would be interesting to know.
 

Offline EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 37728
  • Country: au
    • EEVblog
Re: FORUM DISRUPTION: Server Upgrade
« Reply #61 on: April 05, 2017, 12:47:44 am »
Big jump in the number of forum sessions:
 

Offline cw360

  • Newbie
  • Posts: 4
  • Country: us
Re: FORUM DISRUPTION: Server Upgrade
« Reply #62 on: April 05, 2017, 12:53:33 am »
Big jump in the number of forum sessions:

Wow. This new traffic from somewhere? Google? I know they like SSLs.....

What do the source reports say?

If it's direct/eevblog.com there might be a self refer issue in the analytics.


Sent from my iPhone using Tapatalk
 

Online tautech

  • Super Contributor
  • ***
  • Posts: 28325
  • Country: nz
  • Taupaki Technologies Ltd. Siglent Distributor NZ.
    • Taupaki Technologies Ltd.
Re: FORUM DISRUPTION: Server Upgrade
« Reply #63 on: April 05, 2017, 04:01:54 am »
Big jump in the number of forum sessions:

There's been some crazy #'s viewing GK's thread:
https://www.eevblog.com/forum/projects/oscilloscope-pong-for-1-or-2-players/
Avid Rabid Hobbyist
Siglent Youtube channel: https://www.youtube.com/@SiglentVideo/videos
 

Offline gnif

  • Administrator
  • *****
  • Posts: 1675
  • Country: au
Re: FORUM DISRUPTION: Server Upgrade
« Reply #64 on: April 05, 2017, 06:39:17 am »
What is the date of the jump?
What is the cycle of the peaks/troughs in the new session level? Weekly?
What is the old/new session length on average?

Like I've said before I'm no network expert but is there a session reuse or maybe it is called persistent sessions. Has that changed?

This coincides with fixing the 502 errors, I suspect CF has been serving tons of cached requests to try to work around the issue, we saw this jump before we turned on SSL.
 

Offline dimkasta

  • Regular Contributor
  • *
  • Posts: 185
  • Country: gr
Re: FORUM DISRUPTION: Server Upgrade
« Reply #65 on: April 05, 2017, 02:19:18 pm »
I have letsencrypt on a couple of small sites for testing. I have no issues with it yet. Through cpanel, or using Laravel's homestead/forge.
You might want to check Taylor Otwell's scripts if you don't want to write them yourself. I think they are available with homestead.
Also, keep an eye on their newsletter. They recently changed their services, and caused disruption on certificate updates for many sites that did not update their scripts in time.

About Cloudflare, keep an eye on your webmaster tools too. You might have to fiddle with SEO settings or sitemap creation.
Google deindexed all images when we switched to https on one of our sites (without any obvious seo problems)
 

Online tautech

  • Super Contributor
  • ***
  • Posts: 28325
  • Country: nz
  • Taupaki Technologies Ltd. Siglent Distributor NZ.
    • Taupaki Technologies Ltd.
Re: FORUM DISRUPTION: Server Upgrade
« Reply #66 on: April 06, 2017, 12:24:30 am »
Short period of forum outages that lasted only a minute or two @~12.20 NZ time.
522 error.
Avid Rabid Hobbyist
Siglent Youtube channel: https://www.youtube.com/@SiglentVideo/videos
 

Offline dimkasta

  • Regular Contributor
  • *
  • Posts: 185
  • Country: gr
Re: FORUM DISRUPTION: Server Upgrade
« Reply #67 on: April 06, 2017, 01:06:46 am »
Same here
 

Offline gnif

  • Administrator
  • *****
  • Posts: 1675
  • Country: au
Re: FORUM DISRUPTION: Server Upgrade
« Reply #68 on: April 06, 2017, 03:48:19 am »
Short period of forum outages that lasted only a minute or two @~12.20 NZ time.
522 error.

Thanks,

522 is a CloudFlare error, it is when CF can not establish a connection to the server, there have been no server faults or reported network outages on our end, I would guess that there was a temporary down route somewhere between CF and the server.
 
The following users thanked this post: tautech

Online tautech

  • Super Contributor
  • ***
  • Posts: 28325
  • Country: nz
  • Taupaki Technologies Ltd. Siglent Distributor NZ.
    • Taupaki Technologies Ltd.
Re: FORUM DISRUPTION: Server Upgrade
« Reply #69 on: April 29, 2017, 12:09:29 am »
Gotta say how good the forum's been lately....just brilliant.  :-+

Not an error at all for weeks, just perfect.
Thanks Dave for putting your hand in your pocket and gnif for the grafting and tweaks.  :-/O
« Last Edit: April 29, 2017, 12:35:39 am by tautech »
Avid Rabid Hobbyist
Siglent Youtube channel: https://www.youtube.com/@SiglentVideo/videos
 
The following users thanked this post: SeanB

Offline gnif

  • Administrator
  • *****
  • Posts: 1675
  • Country: au
Re: FORUM DISRUPTION: Server Upgrade
« Reply #70 on: April 29, 2017, 12:49:18 am »
Gotta say how good the forum's been lately....just brilliant.  :-+

Not an error at all for weeks, just perfect.
Thanks Dave for putting your hand in your pocket and gnif for the grafting and tweaks.  :-/O

Thanks mate, I am glad to hear it :)
 
The following users thanked this post: SeanB, tautech

Online tautech

  • Super Contributor
  • ***
  • Posts: 28325
  • Country: nz
  • Taupaki Technologies Ltd. Siglent Distributor NZ.
    • Taupaki Technologies Ltd.
Re: FORUM DISRUPTION: Server Upgrade
« Reply #71 on: April 29, 2017, 12:56:03 am »
Gotta say how good the forum's been lately....just brilliant.  :-+

Not an error at all for weeks, just perfect.
Thanks Dave for putting your hand in your pocket and gnif for the grafting and tweaks.  :-/O

Thanks mate, I am glad to hear it :)
Thought I'd mention it as we all have a bitch quick enough when things aren't going right but we're often a bit slow to commend your efforts after all is well. Been meaning to say something for a few days but you know how it gets sometimes..............
Avid Rabid Hobbyist
Siglent Youtube channel: https://www.youtube.com/@SiglentVideo/videos
 

Offline EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 37728
  • Country: au
    • EEVblog
Re: FORUM DISRUPTION: Server Upgrade
« Reply #72 on: April 29, 2017, 01:03:36 am »
Gotta say how good the forum's been lately....just brilliant.  :-+
Not an error at all for weeks, just perfect.
Thanks Dave for putting your hand in your pocket and gnif for the grafting and tweaks.  :-/O

I originally did put my hand in my pocket, but then full credit to HostGator who really came to the party and are now offering me the improved server for like half what I was paying before  :clap:
And yes, as always a huge thanks to gnif who spends a lot of time tweaking and maintaining the server for free  :-+

BTW, I did get a 502 yesterday for like 30 seconds.
 
The following users thanked this post: SeanB

Offline gnif

  • Administrator
  • *****
  • Posts: 1675
  • Country: au
Re: FORUM DISRUPTION: Server Upgrade
« Reply #73 on: April 29, 2017, 01:13:17 am »
Gotta say how good the forum's been lately....just brilliant.  :-+
Not an error at all for weeks, just perfect.
Thanks Dave for putting your hand in your pocket and gnif for the grafting and tweaks.  :-/O

I originally did put my hand in my pocket, but then full credit to HostGator who really came to the party and are now offering me the improved server for like half what I was paying before  :clap:
And yes, as always a huge thanks to gnif who spends a lot of time tweaking and maintaining the server for free  :-+

BTW, I did get a 502 yesterday for like 30 seconds.

No problem mate, do you recall roughly what time it occurred at?
 

Offline EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 37728
  • Country: au
    • EEVblog
Re: FORUM DISRUPTION: Server Upgrade
« Reply #74 on: April 29, 2017, 01:24:08 am »
Gotta say how good the forum's been lately....just brilliant.  :-+
Not an error at all for weeks, just perfect.
Thanks Dave for putting your hand in your pocket and gnif for the grafting and tweaks.  :-/O

I originally did put my hand in my pocket, but then full credit to HostGator who really came to the party and are now offering me the improved server for like half what I was paying before  :clap:
And yes, as always a huge thanks to gnif who spends a lot of time tweaking and maintaining the server for free  :-+

BTW, I did get a 502 yesterday for like 30 seconds.

No problem mate, do you recall roughly what time it occurred at?

Yesterday afternoon some time.
 

