This has got quite bad at the moment. I haven’t been able to search at all for the last couple of days, which means I can’t use “See unread posts” which is how I usually read the board.
Last time I remember this happening (found it by googling on the website) Dannii said that the server probably needed a restart and that only Merk could do it. Which is another reason to try to take the hosting out of poor Merk’s hands!
I know this is a couple weeks old, but I was able to do a couple searches today without an error. I don’t think Apache has been restarted since around the 10th or 11th when I renewed the certificate, and uptime says the server itself has been up for 500 days, so I rebooted it a few minutes ago just in case.
As for having to downgrade your SSL, I’ll have to see what’s involved to add TLS 1.1 and TLS 1.2. I didn’t realize they weren’t already supported. I tried enabling it just now but couldn’t start Apache because I guess the version of OpenSSL on the server is out of date. The whole server is pretty out of date anyway, so I’ll spend some time seeing if I’m able to upgrade. The Yum utility says there are no updates available, but that’s probably because my version of Linux is no longer supported either.
As for moving to other hosting, I’ve been waiting patiently for something to happen there. It would definitely be better if it was handled by somebody who’s around more. Plus it’s a few out-of-pocket expenses for me that I could avoid – around $12 yearly for the domain, $33 monthly for the server (although I use it for my other sites too), and $70 yearly for the certificate. When it has come up in the past, I think it was just random individuals volunteering to host, not something organized by the moderators and community.
A good way to reach me quickly is on twitter - @vggenerations.
+1 for letsencrypt. The only drawback is that you have to renew the cert every 3 months, which is annoying. But they do remind you.
$33/month for the server sounds a LOT. Is there really that much traffic? I’ve been running sites using VPSes for under $5/month. One is even < $3 but that’s in Asia. These deals seem to work fine for websites, even ones with reasonable, but probably not heavy traffic. On the other hand, these virtual servers can easily expand capacity for a few dollars more.
I’ve just been too lazy. I originally started paying for it many years ago when I ran my online games. It was great at the time – and current. I needed a dedicated server for what I was doing. Since then, the demands on it have decreased, but I don’t relish the thought of setting up a new server, configuring pop3 and exim and httpd and all that again, getting sendmail working, etc. I just haven’t wanted to touch it.
It’s on CentOS 5.11, which reached end-of-life last year. This morning, I was able to manually install the latest version of OpenSSL (1.1.1), but it looks like the version of Apache (2.2.3) is the latest in the CentOS 5.11 archive repository, and doesn’t support the +TLSv1.1 and +TLSv1.2 flags. Either that, or it’s compiled with a version of mod_ssl that doesn’t.
So at this point, I’d either have to manually install an updated version of Apache, or just get a new box with everything already installed. Thankfully, it at least supports TLS 1.0, although that’s already out for things like PCI-DSS and will probably end up being discontinued in future browsers too…
If we have any Linux experts around, maybe you’ve got some tips/commands for downloading and installing an updated version of Apache. I already messed up the certificate for a while this afternoon, and kind of don’t want to break anything else at this point. Alternatively, I can set aside a weekend to set up a new server.
I second this. I’ve had my own servers hosted at Linode for many years. My only gripe is that they don’t fully support BSD. The short life of Let’s Encrypt keys is not an issue for me. I use GetSSL (github.com/srvrco/getssl.git) and have a cron job run it every day to check all my keys and update if necessary.
I have a couple of servers using Let’s Encrypt. I have a reminder on my calendar to update the certificate every couple of months. It is a simple command line command: update-ca-certificates. I guess I could set up a cron job but it doesn’t take much effort either way.
PS. For security, I have ssh disabled. I just go in through a port available on Linode’s admin panel for simple commands. I only enable the SSH server on rare occasions.
I strongly recommend setting up a cron job when a server uses letsencrypt. Schedule it often enough that a single mysterious network failure won’t lead to expired certs.
You say it doesn’t take much effort to renew by hand, and this is true. But what we know about IF-related sites is that they usually stay up a long time. You don’t know where your attention will be in five, ten, fifteen years.
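The scheduling point made in the last post, worked through as an added example (not code from any poster in this thread): a day-by-day model of a 90-day certificate that compares a daily cron job with a by-hand renewal every couple of months. The 90-day lifetime follows the "every 3 months" mentioned above; the 30-day renewal window and the 60-day manual interval are assumptions, and all function names are hypothetical.

```python
"""Day-by-day model of certificate renewal schedules (illustrative only)."""

LIFETIME_DAYS = 90  # assumption: matches the "every 3 months" in the thread


def first_lapse(interval_days, renew_before_days, failed_days=(),
                lifetime_days=LIFETIME_DAYS, horizon_days=3650):
    """Return the first day an expired cert is served, or None if never.

    interval_days     -- how often the renewal job (or the human) runs
    renew_before_days -- renew only when this few days of validity remain
    failed_days       -- days on which a renewal attempt fails (network etc.)
    """
    failed = set(failed_days)
    expiry = lifetime_days                    # cert issued on day 0
    for day in range(1, horizon_days + 1):
        if day >= expiry:
            return day                        # nothing renewed it in time
        due = day % interval_days == 0 and expiry - day <= renew_before_days
        if due and day not in failed:
            expiry = day + lifetime_days      # fresh cert issued today
    return None


def max_outage_tolerated(interval_days, renew_before_days,
                         lifetime_days=LIFETIME_DAYS):
    """Longest run of consecutive failing days, starting at the first
    renewal attempt, that still never lets the certificate expire."""
    first_try = next(d for d in range(1, lifetime_days + 1)
                     if d % interval_days == 0
                     and lifetime_days - d <= renew_before_days)
    for n in range(1, lifetime_days + 2):
        outage = range(first_try, first_try + n)
        if first_lapse(interval_days, renew_before_days, outage,
                       lifetime_days) is not None:
            return n - 1
    return lifetime_days


if __name__ == "__main__":
    # (label, interval in days, renewal window in days): constructed cases
    for label, interval, window in [("daily cron", 1, 30),
                                    ("weekly cron", 7, 30),
                                    ("by hand, every 60 days", 60, 90)]:
        print(f"{label}: survives {max_outage_tolerated(interval, window)} "
              "consecutive failing days")
```

In this model the by-hand schedule has no slack at all: one failed attempt on day 60 means the next attempt falls after the certificate has already expired on day 90.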