DIS: (Attn omd) mailman.agoranomic.org HTTPS certificate error

2019-06-04 Thread James Cook
On Tue, 4 Jun 2019 at 06:06, omd  wrote:
> Sorry about this!  Despite the "Attn omd" in the subject, my eyes saw
> the "DIS:" and jumped over the rest; I was putting off reading Agora
> list messages so I didn't see it until now.  (Even though you also
> added me directly as a recipient, Gmail only shows a single message,
> and it includes the DIS: prefix even though I imagine the copy you
> sent directly didn't have it.)

I've been manually adding prefixes like "DIS:" since ais523 pointed
out this fixes trouble with DMARC. (I removed it from this email
though.) I'm not sure if it's an issue for my email provider, but I
figure I might as well.

[0] https://mailman.agoranomic.org/cgi-bin/mailman/private/agora-discussion/2019-May/053863.html


Re: DIS: (Attn omd) mailman.agoranomic.org HTTPS certificate error

2019-06-03 Thread omd
On Thu, May 30, 2019 at 6:54 PM James Cook  wrote:
> When I try to load https://mailman.agoranomic.org/, I see a certificate error:

Sorry about this!  Despite the "Attn omd" in the subject, my eyes saw
the "DIS:" and jumped over the rest; I was putting off reading Agora
list messages so I didn't see it until now.  (Even though you also
added me directly as a recipient, Gmail only shows a single message,
and it includes the DIS: prefix even though I imagine the copy you
sent directly didn't have it.)

In fact, I already fixed the issue but was too lazy to make an
announcement about it.

Sorry about the outage.

Why it failed:

I've long had a cron job set to try to renew the cert monthly; the
Let's Encrypt certificate period is three months, so I guess this time
it just happened to fail three times in a row.  (Looking at the logs,
at least the most recent failure was a 500 error on Let's Encrypt's
end.)

That simplistic schedule was inherited from when I was using
acme-tiny.  At some point I switched to certbot, but I kept the cron
job the same and used --force-renewal to mimic the old behavior.  Now
I've fixed it to just run certbot daily, but using the (default)
option that only tries to renew the cert if it's expiring in less than
30 days.  That way it won't constantly be renewing, but still has ~30
chances to succeed before the cert expires, making it unlikely to let
a cert expire due to random failures.
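The two cron schedules described in the message above, worked through as an added example (this is not code from the thread or from certbot). It models a 90-day certificate and counts how many renewal attempts each schedule gets before expiry if every attempt fails, then runs both day by day against a constructed failure pattern in which the CA errors on exactly the three days the monthly job fires. The cron expressions `0 3 1 * *` and `0 3 * * *`, the 2019 dates and the failure pattern are all assumptions made for the demo; the 30-day window approximates certbot's default `renew_before_expiry` as "at most 30 days of validity remain".

```python
"""Renewal-schedule model for the cron problem described above.

Added example; not code from the thread or from certbot.  Compares:

  * the old job, `0 3 1 * *  certbot ... --force-renewal` (assumed cron
    line): one run on the 1st of each month, every run is an attempt;
  * the new job, `0 3 * * *  certbot renew` (assumed cron line): one run
    per day, attempting only inside the 30-day window before expiry.

Dates and the failure pattern below are constructed for the demo.
"""
from datetime import date, timedelta
from typing import Callable, Iterator, List, Tuple

CERT_LIFETIME = timedelta(days=90)   # Let's Encrypt validity period
RENEW_WINDOW = timedelta(days=30)    # approximation of certbot's default

Schedule = Callable[[date, date], Iterator[date]]


def should_renew(expiry: date, today: date, force: bool = False,
                 window: timedelta = RENEW_WINDOW) -> bool:
    """Decide whether a cron run on `today` attempts renewal.

    force=True reproduces --force-renewal: every run attempts.  Otherwise
    attempt only when the remaining validity is within `window`; an
    already expired cert counts as inside the window.
    """
    if force:
        return True
    return expiry - today <= window


def first_of_month_schedule(start: date, end: date) -> Iterator[date]:
    """Dates a `0 3 1 * *` entry fires in [start, end]."""
    day = start
    while day <= end:
        if day.day == 1:
            yield day
        day += timedelta(days=1)


def daily_schedule(start: date, end: date) -> Iterator[date]:
    """Dates a `0 3 * * *` entry fires in [start, end]."""
    day = start
    while day <= end:
        yield day
        day += timedelta(days=1)


def attempts_before_expiry(issued: date, schedule: Schedule, force: bool) -> int:
    """Renewal attempts a policy gets before the cert expires, assuming
    every attempt fails (e.g. the CA keeps answering HTTP 500).

    This is the schedule's slack against transient CA failures.
    """
    expiry = issued + CERT_LIFETIME
    runs = schedule(issued + timedelta(days=1), expiry - timedelta(days=1))
    return sum(1 for day in runs if should_renew(expiry, day, force))


def simulate(issued: date, schedule: Schedule, force: bool,
             failing: Callable[[date], bool], until: date) -> Tuple[int, List[date]]:
    """Run a policy day by day; `failing(day)` injects CA errors.

    Returns (days on which an expired cert was served, successful renewal
    dates).  The cron run is taken to happen before that day's traffic, so
    a renewal on the expiry date itself avoids an outage.
    """
    expiry = issued + CERT_LIFETIME
    run_days = set(schedule(issued + timedelta(days=1), until))
    expired_days = 0
    renewed: List[date] = []
    day = issued + timedelta(days=1)
    while day <= until:
        if day in run_days and should_renew(expiry, day, force) and not failing(day):
            expiry = day + CERT_LIFETIME
            renewed.append(day)
        if day >= expiry:
            expired_days += 1
        day += timedelta(days=1)
    return expired_days, renewed


def ca_down_on_the_first(day: date) -> bool:
    """Constructed failure pattern: the CA errors on 1 Mar, 1 Apr and 1 May
    2019, i.e. on exactly the days the monthly job fires."""
    return day.year == 2019 and day.month in (3, 4, 5) and day.day == 1


if __name__ == "__main__":
    issued = date(2019, 2, 1)
    policies = [("monthly --force-renewal", first_of_month_schedule, True),
                ("daily certbot renew", daily_schedule, False)]
    for name, sched, force in policies:
        n = attempts_before_expiry(issued, sched, force)
        down, renewals = simulate(issued, sched, force, ca_down_on_the_first,
                                  date(2019, 6, 30))
        print(f"{name}: {n} attempts before expiry, {down} days serving an "
              f"expired cert, renewed on {[d.isoformat() for d in renewals]}")
```

With the constructed failure pattern the monthly job misses all three of its attempts and serves an expired certificate for the whole of May, while the daily job first attempts on 2 April and renews at once. The attempt count also shows why keeping a monthly schedule but dropping --force-renewal would have been worse still: the 30-day window then contains only one run.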


Re: DIS: (Attn omd) mailman.agoranomic.org HTTPS certificate error

2019-05-31 Thread Timon Walshe-Grey
Protip: cron has built-in email forwarding - you can add 
`MAILTO="c.ome...@gmail.com"` at the start of your crontab to get it to send 
you anything that gets printed to stderr.

(I feel your pain. At least one of my domain names goes down every three months 
like clockwork.)

-twg


‐‐‐ Original Message ‐‐‐
On Friday, May 31, 2019 1:54 AM, James Cook  wrote:

> When I try to load https://mailman.agoranomic.org/, I see a certificate error:
>
> "Firefox detected an issue and did not continue to
> mailman.agoranomic.org. The website is either misconfigured or your
> computer clock is set to the wrong time."
>
> Firefox won't even let me override the warning:
>
> "mailman.agoranomic.org has a security policy called HTTP Strict
> Transport Security (HSTS), which means that Firefox can only connect
> to it securely. You can’t add an exception to visit this site."
>
> though Chrome is more flexible.
>
> If it's not easy to update the certificate, perhaps HSTS should be
> disabled since https technically isn't working (and Firefox is taking
> that seriously)?


DIS: (Attn omd) mailman.agoranomic.org HTTPS certificate error

2019-05-30 Thread James Cook
When I try to load https://mailman.agoranomic.org/, I see a certificate error:

"Firefox detected an issue and did not continue to
mailman.agoranomic.org. The website is either misconfigured or your
computer clock is set to the wrong time."

Firefox won't even let me override the warning:

"mailman.agoranomic.org has a security policy called HTTP Strict
Transport Security (HSTS), which means that Firefox can only connect
to it securely. You can’t add an exception to visit this site."

though Chrome is more flexible.

If it's not easy to update the certificate, perhaps HSTS should be
disabled since https technically isn't working (and Firefox is taking
that seriously)?