
Re: [Handle-info] Invalid TLS certificate on hdl.handle.net



Indeed, this has now been resolved by installing the new certificate a bit earlier than we had originally scheduled.

As observed, the problem is that the previous certificate, which was set to expire mid-December, was revoked.  Unfortunately this happened during a major US holiday as well.  We will talk to the certificate authority to see how this happened, but I suspect the most likely explanation is a mistake made by us while requesting the new certificate.

The revocation was not visible in Chrome or Safari or even most versions of Firefox, but was visible in the newest version of Firefox released last week.  Certain automated tooling was also affected.

There was a more complete but brief outage of HTTPS during today's unscheduled update, which was caused by our error during the update process.

To respond to Uwe's suggestion, we do use Let's Encrypt in other settings and generally consider it the best solution, and will likely transition hdl.handle.net to using it in the future.

All very unfortunate, and we very much apologize for the inconvenience.

Robert

On Mon, Nov 27, 2023 at 1:57 PM Alan Orth <alan.orth@gmail.com> wrote:
Perfect. Thanks all. It's working again.

Regards,

On Mon, Nov 27, 2023 at 9:35 PM <uschindler@pangaea.de> wrote:
Hi,

looks like you solved the issue. The new certificate is live. It looks
like it was issued Nov 20th, so Gerhard's guess may be correct.

https://www.ssllabs.com/ssltest/analyze.html?d=hdl.handle.net

Looks like all servers have a working certificate. Thanks!

Uwe

Am 27.11.2023 um 19:21 schrieb uschindler@pangaea.de:
> Hi Stanley,
>
> As this problem looks like a more complicated support thing to do: How
> about quickly executing "apt install certbot" and requesting a letsencrypt
> certificate until this is solved? I get complaints from many people
> already. According to them the problem started already last week
> Friday (only on Firefox).
>
> Actually Chrome works fine at the moment, as Chrome no longer checks for
> invalidated certificates (the check is too expensive). Firefox still
> does the check, so maybe a new certificate is the only way to go.
>
> Uwe
>
> P.S.: At PANGAEA we changed to letsencrypt a long time ago and we are
> also getting wildcard certificates from them. This has proven
> maintenance-friendly as you do not need to order new ones and certbot
> works fine (unless you have strange firewalls).
>
> Am 27.11.2023 um 19:00 schrieb Stanley Weilnau:
>> Interesting.  I was on a chat with GoDaddy, and they stated the cert
>> was good until Dec 14, 2023. I did ask about revocation and they said
>> it was not.  Time to chat with them again.  Thank you for the
>> information.
>>
>> Stanley Weilnau
>>
>>
>>> On Nov 27, 2023, at 12:35 PM, Gerhard Gonter <ggonter@gmail.com> wrote:
>>>
>>> On Mon, Nov 27, 2023 at 5:36 PM Stanley Weilnau
>>> <sweilnau@cnri.reston.va.us> wrote:
>>>> I am puzzled.  I checked with GoDaddy.com about the certificate. 
>>>> The checkers they showed me have it still valid.  We are working on
>>>> an updated certificate at this time.
>>> The current certificate is only valid until Dec 14 07:06:15 2023 GMT,
>>> so maybe someone ordered a new one and revoked the current one.  As
>>> far as I can tell, it shows up in Godaddy's revocation list already:
>>>
>>> $ openssl x509 -noout -text -in hdl.handle.net.crt | fgrep crl
>>>                   URI:http://crl.godaddy.com/gdig2s1-4758.crl
>>> $ openssl x509 -noout -serial -in hdl.handle.net.crt
>>> serial=BAB2A135B54649F2
>>> $ openssl crl -inform DER -text -noout -in gdig2s1-4758.crl | fgrep -A 4 BAB2A135B54649F2
>>>     Serial Number: BAB2A135B54649F2
>>>         Revocation Date: Nov 23 03:40:59 2023 GMT
>>>         CRL entry extensions:
>>>             X509v3 CRL Reason Code:
>>>                 Superseded
>>>
>>> regards, Gerhard Gonter
>> _______________________________________________
>> Handle-Info mailing list
>> Handle-Info@cnri.reston.va.us
>> http://www.handle.net/mailman/listinfo/handle-info
>
--
UWE SCHINDLER
Software Architecture, Apache Lucene, Elasticsearch
PANGAEA - Data Publisher for Earth & Environmental Science
MARUM (UNICOM 2 building) - University of Bremen
Room 4.3060, Mary-Somerville-Straße 2-4, D-28359 Bremen
Tel.: +49 421 218 65595
Fax:  +49 421 218 65505
https://www.pangaea.de/
E-mail: uschindler@pangaea.de



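The serial-versus-CRL check Gerhard ran in the quoted message, reproduced end to end as an added example that is not part of the thread: it builds a throw-away CA, issues a leaf certificate, revokes it with the same "superseded" reason code, publishes a CRL and then checks the leaf's serial against it. It assumes `openssl` is installed; the CA name, host name and config are constructed for this example, and nothing touches the network.

```shell
# Added example (not from the thread): build a throw-away CA, issue a leaf
# certificate, revoke it as "superseded", publish a CRL, and run the same
# serial-vs-CRL check as the quoted openssl commands. Assumes `openssl` is
# installed; CA and host names are constructed. Works offline in a temp dir.
set -eu
WORK=$(mktemp -d) && cd "$WORK"
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
default_crl_days = 7
policy = demo_policy
[ demo_policy ]
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
EOF
touch index.txt; echo 01 > serial; echo 01 > crlnumber
# Self-signed CA, a leaf issued by it, and a CRL taken before any revocation.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
  -subj /CN=demo-ca -days 30 -config ca.cnf 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj /CN=leaf.example -config ca.cnf 2>/dev/null
openssl ca -batch -config ca.cnf -in leaf.csr -out leaf.crt -days 10 -notext 2>/dev/null
openssl ca -config ca.cnf -gencrl -out before.crl 2>/dev/null
# Revoke the leaf with the reason code seen in the thread, then reissue the CRL.
openssl ca -config ca.cnf -revoke leaf.crt -crl_reason superseded 2>/dev/null
openssl ca -config ca.cnf -gencrl -out after.crl 2>/dev/null
# is_revoked CERT CRL: exit 0 when CERT's serial appears in CRL's revoked list.
is_revoked() {
  serial=$(openssl x509 -noout -serial -in "$1" | cut -d= -f2)
  openssl crl -noout -text -in "$2" | grep -Eq "^ *Serial Number: ${serial}\$"
}
if is_revoked leaf.crt before.crl; then echo "before.crl: listed (unexpected)"; fi
if is_revoked leaf.crt after.crl; then
  echo "after.crl: serial listed with reason:"
  openssl crl -noout -text -in after.crl | grep -A4 "Serial Number:"
fi
```

Against a real deployment the same `is_revoked` function works with the certificate served by the host and the CRL fetched from its CRL distribution point (converted with `-inform DER` where the CA publishes DER, as GoDaddy does above); a serial that appears in the list means browsers that still consult CRLs will reject the certificate even though its notAfter date has not passed.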