why did mastodon.social go down? (SSL certificate stuff, long, serious) 

when you see a website that's HTTPS rather than HTTP, it means the connection is secure. most popular browsers will display a green padlock in the URL bar to symbolise that (and colour it yellow or red if something's wrong).

to verify that a connection is secure (and not just someone saying it's secure), you need a certificate, a file that verifies that you are who you say you are.

a certificate can be revoked at any time by anyone. you can deny facebook's certificate if you like, and facebook will stop loading for you. more importantly (and practically), the issuer of the certificate can deny it, and the site will stop working until they get a new one. this means that if facebook "goes rogue", the CA (certificate authority) is allowed to remove their certificate, guaranteeing (in theory) that if the site is HTTPS, it's definitely secure.

these certificates don't last forever. they need to be renewed, to prove that you're still there and still complying with them. gargron had certificate auto-renewal set up, which means the certificate will automatically get renewed when it's close to expiring. so why did the cert expire? why did .social go down? the answer is because while a new certificate was installed, it wasn't actually loaded. nginx, the server software that .social uses, was supposed to automatically load the new cert, but it didn't for some reason (computers are weird!), and thus .social went offline for about an hour.


@lynnesbian Well explained!


@lynnesbian

Thanks for the info. I know at work we have to select "SSL enabled" when configuring a Customer's Email Account server settings but I had no idea what that setting did.


@lynnesbian
Dang. Exactly the same thing happened with the last renewal on my masto server. Certbot did its thing, nginx just... didn't.
Now I'm idly wondering if it's a debian bug.


@lynnesbian I have so many horror stories about companies letting their certs expire, or pinning a leaf cert then forgetting about it when they rotate the cert.

It's almost quaint (but no less annoying) when a service/site on a much smaller scale has a problem along these lines.


@lynnesbian Also, it'd be real nice if there was actually a robust revocation system as opposed to "I guess we have this list that you can check or not, like whatevs".

Lynnestodon

@lynnesbian@fedi.lynnesbian.space's anti-chud pro-skub instance for funtimes