[aprssig] All the SSL APRS-IS servers are down

Heikki Hannikainen hessu at hes.iki.fi
Wed May 25 01:52:20 EDT 2016


On Tue, 24 May 2016, spam8mybrain via aprssig wrote:

> Looks like we have a problem with the SSL-based servers. It seems that their server public key certificates expired last week, and now they
> aren't online any more to even report the certificate expirations like they were yesterday. Is the ARRL still issuing server certificates? 
> Does anyone have a progress report on possibly fixing this?

Hi,

T2FINLAND now has a new cert, and T2HAM & T2USANW will have their new 
certs installed soon.

We have Nagios alerts for these servers already; we'll need to configure 
the SSL test which triggers a warning email a month or two before actual 
expiration. Nagios has such a test program available; it just needs to be 
configured, to avoid silly newbie accidents like this. :)

As for letsencrypt.org, I'm aware of it and a good number of T2 folks are 
using it for other purposes.

The T2 SSL certs are issued by a CA of our own, which allows us to embed 
the server ID ("callsign") in the certificate subject in the same format 
as LoTW client certificates have them, and also embed the rotate hostnames 
in the alternative name field. These would not be available with 
letsencrypt.org. We can also automate certificate issuing and renewing 
with a bit of scripting from the sysop portal, reducing manual work for 
everyone.

         Subject: 1.3.6.1.4.1.12348.1.1=T2HAM, CN=amsterdam.aprs2.net

             X509v3 Subject Alternative Name:
                 DNS:rotate.aprs2.net, DNS:euro.aprs2.net


   - Hessu, OH7LZB
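
The expiry warning and the certificate layout described in the message above, as an added example that is not part of the original post and is not the T2 network's or Nagios' own code. It assumes the certificate arrives as the dict that Python's `ssl.SSLSocket.getpeercert()` returns, with the private-OID subject attribute keyed by its dotted form; the thresholds, the `notAfter` date and the function name are constructed for illustration.

```python
import ssl

OK, WARNING, CRITICAL = 0, 1, 2          # standard Nagios plugin status codes
CALLSIGN_OID = "1.3.6.1.4.1.12348.1.1"   # subject attribute shown in the message

# Constructed sample in the shape of getpeercert() output. Subject and SAN
# values are taken from the message; the notAfter date is invented.
SAMPLE_CERT = {
    "subject": (((CALLSIGN_OID, "T2HAM"),), (("commonName", "amsterdam.aprs2.net"),)),
    "subjectAltName": (("DNS", "rotate.aprs2.net"), ("DNS", "euro.aprs2.net")),
    "notAfter": "May 20 12:00:00 2017 GMT",
}

def check_cert(cert, now, callsign, required_sans, warn_days=60, crit_days=14):
    """Return (nagios_status, message) for one server certificate."""
    # Flatten the nested RDN tuples into {attribute: value}.
    subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
    sans = {v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"}
    problems = []
    found = subject.get(CALLSIGN_OID)
    if found != callsign:
        problems.append(f"server ID is {found!r}, expected {callsign!r}")
    missing = sorted(set(required_sans) - sans)
    if missing:
        problems.append("missing SAN " + ",".join(missing))
    # Days of validity remaining, measured from the caller-supplied clock.
    days_left = (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400
    if days_left < 0:
        problems.append(f"expired {-days_left:.0f} days ago")
    elif days_left < crit_days:
        problems.append(f"expires in {days_left:.0f} days")
    if problems:
        return CRITICAL, "CRITICAL: " + "; ".join(problems)
    if days_left < warn_days:
        return WARNING, f"WARNING: expires in {days_left:.0f} days"
    return OK, f"OK: {days_left:.0f} days left"

if __name__ == "__main__":
    # Constructed clock values: well before, shortly before, and after expiry.
    for when in ("Jan 01 12:00:00 2017 GMT", "Apr 10 12:00:00 2017 GMT",
                 "May 27 12:00:00 2017 GMT"):
        now = ssl.cert_time_to_seconds(when)
        print(when, "->", check_cert(SAMPLE_CERT, now, "T2HAM", ["rotate.aprs2.net"]))
```
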

