[aprssig] All the SSL APRS-IS servers are down
Heikki Hannikainen
hessu at hes.iki.fi
Wed May 25 01:52:20 EDT 2016
On Tue, 24 May 2016, spam8mybrain via aprssig wrote:

> Looks like we have a problem with the SSL-based servers. It seems that their server public key certificates expired last week, and now they
> aren't online any more to even report the certificate expirations like they were yesterday. Is the ARRL still issuing server certificates?
> Does anyone have a progress report on possibly fixing this?

Hi,

T2FINLAND now has a new cert, and T2HAM & T2USANW will have their new
certs installed soon.

We have Nagios alerts for these servers already, we'll need to configure
the SSL test which triggers a warning email a month or two before actual
expiration. Nagios has such a test program available, it just needs to be
configured, to avoid silly newbie accidents like this. :)

As for letsencrypt.org, I'm aware of it and a good number of T2 folks are
using it for other purposes.

The T2 SSL certs are issued by a CA of our own, which allows us to embed
the server ID ("callsign") in the certificate subject in the same format
as LoTW client certificates have them, and also embed the rotate hostnames
in the alternative name field. These would not be available with
letsencrypt.org. We can also automate certificate issuing and renewing
with a bit of scripting from the sysop portal, reducing manual work from
everyone.

    Subject: 1.3.6.1.4.1.12348.1.1=T2HAM, CN=amsterdam.aprs2.net
    X509v3 Subject Alternative Name:
        DNS:rotate.aprs2.net, DNS:euro.aprs2.net

- Hessu, OH7LZB
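
The expiry alert described in the message above, as an added example that is not part of the original post or the T2 team's tooling: a Nagios-style check over the certificate dict that Python's `ssl.SSLSocket.getpeercert()` returns, which also confirms the rotate hostnames are still in the SAN list. The function name, the 60/14-day thresholds and the sample `notAfter` date are assumptions; the hostnames are the ones quoted in the message.

```python
import ssl
import sys
from datetime import datetime, timezone

OK, WARNING, CRITICAL = 0, 1, 2  # standard Nagios plugin exit codes

def check_cert(cert, now, required_names=(), warn_days=60, crit_days=14):
    """Return (exit_code, message) for a dict shaped like getpeercert() output.

    Hypothetical helper: thresholds are assumptions, not T2 policy.
    """
    # notAfter uses OpenSSL's text form, e.g. "May 17 12:00:00 2016 GMT".
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    days_left = (expires - now).total_seconds() / 86400

    # A renewed cert that lost a rotate hostname breaks clients just as an
    # expired one does, so check the SAN list in the same pass.
    sans = {v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"}
    missing = sorted(n for n in required_names if n.lower() not in sans)

    if days_left < 0:
        return CRITICAL, f"CRITICAL: expired {int(-days_left)} days ago"
    if missing:
        return CRITICAL, "CRITICAL: SAN missing " + ", ".join(missing)
    if days_left < crit_days:
        return CRITICAL, f"CRITICAL: expires in {int(days_left)} days"
    if days_left < warn_days:
        return WARNING, f"WARNING: expires in {int(days_left)} days"
    return OK, f"OK: expires in {int(days_left)} days"

# Constructed sample: SAN names are from the message, the date is made up.
SAMPLE_CERT = {
    "subject": ((("commonName", "amsterdam.aprs2.net"),),),
    "notAfter": "May 17 12:00:00 2016 GMT",
    "subjectAltName": (("DNS", "rotate.aprs2.net"), ("DNS", "euro.aprs2.net")),
}
ROTATE_NAMES = ("rotate.aprs2.net", "euro.aprs2.net")

if __name__ == "__main__":
    code, message = check_cert(SAMPLE_CERT, datetime.now(timezone.utc), ROTATE_NAMES)
    print(message)
    sys.exit(code)
```

Run as a script, it exits with the Nagios status code, so a monitoring system can alert on WARNING well before the certificate lapses.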