Recent Website Troubles

This forum was briefly giving security warnings about its “certificate”, the technical code it uses to work over “https” rather than “http” and show a secured lock icon in your web browser.

Just a quick note to everyone to say everything’s fine. There’s no security risk to your forum posts or your computers from this.

I thought I had this figured out, so nobody would see an error ever again, but unfortunately it happened. And the reminder I’d set to double-check it didn’t help, since I’d forgotten to consider time zone differences when deciding which day to remind myself on.

The short version of the story is that in order to stay secure and show the lock icon, the forum needs a certificate. We get the certificate from a project called Let’s Encrypt. However, each certificate expires after a few months, and has to be renewed. That can happen automatically. But the software for doing it has been acting up.

The certificate was coming up again for renewal this month, and I set a reminder ahead of it to try to resolve this issue once and for all.

I think I finally got it. Just for my own notes and fellow nerds:

This forum runs on DigitalOcean. I think I originally set up the “droplet” without ticking the box for IPv6, but then went back and added IPv6 later. But the “netplan” file that helps set up interfaces and routing didn’t have information on the IPv6 interface added, so the site wasn’t actually responding to Web requests or even pings over IPv6. That was causing acme.sh, the program Discourse uses to update Let’s Encrypt certificates, to fail silently with timeouts when Let’s Encrypt would try to download renewal challenges over IPv6.

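The failure described in the post (a hostname that resolves to an IPv6 address the server does not answer on) can be caught before renewal day with a check like the one below. It is an added example, not part of the original post and not code from Discourse or acme.sh; the function name and the `forum.example` host are placeholders, and it assumes it is run from a machine outside the server that itself has working IPv4 and IPv6.

```python
import socket
import sys


def unreachable_families(host, port=80, timeout=5.0,
                         resolve=socket.getaddrinfo,
                         connect=socket.create_connection):
    """Return (family, address, error) for each published address of `host`
    that does not accept a TCP connection on `port`.

    `resolve` and `connect` are injectable so the logic can be tested offline.
    """
    failures = []
    seen = set()
    for family, _type, _proto, _canon, sockaddr in resolve(
            host, port, type=socket.SOCK_STREAM):
        addr = sockaddr[0]
        if addr in seen:
            continue
        seen.add(addr)
        name = "IPv6" if family == socket.AF_INET6 else "IPv4"
        try:
            # If the validation request arrives over this address family,
            # a timeout here means the HTTP challenge cannot be fetched.
            connect((addr, port), timeout=timeout).close()
        except OSError as exc:
            failures.append((name, addr, str(exc)))
    return failures


if __name__ == "__main__":
    # forum.example is a placeholder; pass the real hostname as an argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "forum.example"
    problems = unreachable_families(target)
    for name, addr, err in problems:
        print(f"{target}: {name} address {addr} not reachable on port 80: {err}")
    sys.exit(1 if problems else 0)
```

Run from cron or a monitoring job, the non-zero exit status turns the silent timeout into an alert well before the certificate expires.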