https://pair.com are working on this, and at least one machine now has a certificate for ads.perlmonks.org, but not the wildcard certs for perlmonks.{com,net.org}, so there still is work to be done.

Thanks for the update. I'm pleased to report that as of now the cert on www.perlmonks.org is up to date.

I have a cert reminder tool which throws an early warning when a cert reaches a few days before expiry so will add www.perlmonks.org to the list and post here if it gets close again in subsequent years.

---

🦛

Yeah, I wrote something like that yesterday too ( at https://github.com/Corion/App-certificate-expiry, not yet on CPAN ) and have it running as a cronjob too.

Also hopefully before the new certificate expires (October 2024), Pair will allow upload custom Let's Encrypt certificates so we can manage them ourselves, or Pair can manage them for all the subdomains.

Also, it seems Chrome pushes everyone to move to HTTPS, making it hard for users to access HTTP pages. What they are trying to protect, I have no idea.

Just in case the monastery masons weren't aware...

[https://blogs.perl.org/users/nerdvana/2021/11/ssl-is-easy-with-traefik.html]

AFAIK do the local admins first need to get the attention of support from pair.com which is hosting us for free.

And since this is a goodwill thing they don't really have much of a service level.

FWIW: http://perlmonks.org without certificate still works. It's Chrome and family which do the redirection, so you can switch to another browser like FF.

At least on my desktop chrome stops complaining after I confirmed once to show the site anyway.

Mobile chrome is annoyingly insistent though and requires constant confirmations.

see also SO how-to-stop-an-automatic-redirect-from-http-to-https-in-chrome

Cheers Rolf
_{(addicted to the 𐍀𐌴𐍂𐌻 Programming Language :)
Wikisyntax for the Monastery}

And Let's Encrypt certificates can be automatically renewed, even if the server's IP address is changing, via an API key, which can be scripted in GoDaddy.com and likely can also be done for the registrar for perlmonks.

Blessings,

~Polyglot~

I maintain about 8 or 9 websites. All of them are HTTP only. I do not notice any drop in the number of visitors or losing position in Google searches. For example, I have a personal website. If I type in my full name, my personal site is #2 in the search results in Google even though it's an HTTP site. If I type in a book title that one of the organizations is selling on the HTTP site, it is #3 in the Google search. (They're also selling the books on Amazon, and the first two search results point to Amazon.) One of the websites gets about 500-1000 visitors per month. It is #2 on Google search. Their FB page is #1. So, I don't believe the hype. Yes, they put pressure on HTTP sites trying to get them to convert to HTTPS, but not all sites should have to convert.

Btw I wouldn't mind if PerlMonks went back to use HTTP only.

You might not mind. I, OTOH, would mind that my credentials would go in the clear every time I logged in.

At last check, passwords are still being stored in plain text here which is how they're able to send it to you if you forget it. Anyone worth worrying about would target the PM backend and leak all the passwords again not target individuals with mitm attacks.

If this posts twice, it's because Chrome is making me submit everything a second time after verifying I still know the certificate is expired.

That's why I - and IMHO everyone else should - use an automatically generated password here.

Whenever I forget it or need it for another browser I just check my emails searching for lanx and vroom.

Your email account becomes your last line of defense ...

update

But most sites which allow resetting your password ultimately rely on the security of your email account.

Cheers Rolf
_{(addicted to the 𐍀𐌴𐍂𐌻 Programming Language :)
Wikisyntax for the Monastery}

Is there anyone actually looking at fixing the SSL issue? Pair networks is still hosting the site, correct? Do we have any ability to get a new cert rotated in?

I, uh, poked them and this will be resolved soon.

Yes ... it's a real PITFA :-(

yes, well said.

The certificate was valid until 17 September 2023. Now this might be a rogue site I am writing this on.

Cheers, Sören

Créateur des bugs mobiles - let loose once, run everywhere.
(hooked on the Perl Programming language)

Just realised that it appears to have taken out both last hour of cb and http://pthbb.org/cb/last.cgi (and probably others too). That's rather annoying.

---

🦛

I can't get my password resend to me, too.

But the problem could be on my side.

Cheers Rolf
_{(addicted to the 𐍀𐌴𐍂𐌻 Programming Language :)
Wikisyntax for the Monastery}