[aprssig] who forgot to renew aprs-is.net?

Heikki Hannikainen hessu at hes.iki.fi
Fri Feb 11 10:57:01 EST 2022


On Tue, 11 Jan 2022, Pete Loveall AE5PL Lists via aprssig wrote:

> Andrew is correct about this being a browser issue. Aprs-is.net (and a 
> number of other ham-related sites) is hosted on a shared IP address 
> which precludes https as a switch protocol (unless you want to pay $$$ 
> for wildcard certificates covering all domains hosted).

In case you'd eventually like to use https for the other sites:

These days you can get a wildcard certificate for free from Let's Encrypt 
(https://letsencrypt.org/). The combined downside and upside is that LE 
certs are only valid for 3 months, so the renewal needs to be automated to 
happen roughly every 2 months. Luckily there's a bunch of existing, 
maintained scripts to do this. I use Let's Encrypt certs on aprs.fi - not 
a wildcard cert though, but a single cert with a big bunch of different 
names on it (aprs.fi, www.aprs.fi, api.aprs.fi, and all the languages: 
fi.aprs.fi, https://de.aprs.fi/, https://ja.aprs.fi/ ...).

All recent browsers (for about 10 years now) also support the SNI TLS 
extension (RFC 3546, RFC 6066). They tell the https server the hostname 
they'd like to talk to at the very beginning of the handshake, so that the 
server can then choose which server certificate to present. Name-based 
virtual hosting on a single IP with TLS and multiple different 
certificates is relatively easy to configure - on Apache or NGINX I just 
give them the different certs for different virtual servers and assign 
them the same IP, and it works. I see you're using IIS; IIS version 8 
added SNI support in 2012.

https://en.wikipedia.org/wiki/Server_Name_Indication

   - Hessu
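
Added example, not part of the original post: the SNI mechanism described above, shown by capturing a real ClientHello offline with Python's ssl module, parsing the server_name extension out of it, and picking a certificate by name. The host names, certificate labels and function names are constructed for illustration.

```python
import ssl
import struct

# Constructed vhost table: names and certificate labels are hypothetical.
VHOST_CERTS = {"one.example": "one.example.pem", "two.example": "two.example.pem"}
DEFAULT_CERT = "default.pem"  # what a client that sends no SNI would be shown

def client_hello_bytes(hostname):
    """Capture a real ClientHello offline via in-memory BIOs (no network I/O)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = hostname is not None
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: ClientHello is written, client now waits for the server
    return outgoing.read()

def extract_sni(record):
    """Return the host_name in the server_name extension (RFC 6066), else None."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:  # handshake record, ClientHello
            return None
        body = record[5:]
        pos = 4 + 2 + 32                                   # header, version, random
        pos += 1 + body[pos]                               # session_id
        pos += 2 + struct.unpack_from("!H", body, pos)[0]  # cipher_suites
        pos += 1 + body[pos]                               # compression_methods
        end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", body, pos)
            pos += 4
            if ext_type == 0 and body[pos + 2] == 0:       # server_name, host_name
                name_len = struct.unpack_from("!H", body, pos + 3)[0]
                return body[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += ext_len
    except (IndexError, struct.error, ValueError):
        pass  # truncated or malformed input
    return None

def pick_certificate(sni):
    """Server-side choice: per-name certificate, or the default without a match."""
    return VHOST_CERTS.get(sni, DEFAULT_CERT)

if __name__ == "__main__":
    for host in ("two.example", None):
        sni = extract_sni(client_hello_bytes(host))
        print(host, "->", sni, "->", pick_certificate(sni))
```

The parser works on the client's first message before any keys are agreed, so the requested name is readable by anything on the path; a client that sends no SNI falls through to the default certificate.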



