oops, SSL certs expired.

sunday, august 25th, 2024.

Every now and then, I'll have a look at my website from my phone to make sure things are still A-OK. This morning, I realized my website was down due to invalid SSL certs! Oops.

A deeper dive into my cron logs revealed this cryptic message:

Traceback (most recent call last):
  File "/usr/local/share/porkbun/certbun.py", line 37, in <module>
    f.write(certJSON["intermediatecertificate"])
KeyError: 'intermediatecertificate'

Huh. That didn't make a lot of sense.

Anyway, my first thought was to update the certbun.py script helpfully provided by my domain registrar, porkbun. Went to the script's GitHub site and, lo and behold, the certbun.py script is now deprecated.

OK, so what changed to break the script? I added a little extra logging to dump the JSON response that porkbun was sending me. After looking at this response, I realized that the response didn't contain the intermediatecertificate part like it used to.

Poking around my kagi search results, I realized that the OpenBSD httpd server wasn't actually using this intermediate certificate.

So I removed the extra logging from the certbun.py script and commented out the bits responsible for writing the intermediate certificate to a file:

    # f = open(apiConfig["intermediateCertLocation"], "w")
    # print("Installing " + apiConfig["intermediateCertLocation"])
    # f.write(certJSON["intermediatecertificate"])
    # f.close()

That seems to have made certbun.py happy:

Updated SSL certs at: Sun Aug 25 07:29:32 EDT 2024
Downloading certs for chotrin.org

Installing /etc/ssl/chotrin.org.fullchain.pem
Installing /etc/ssl/private/chotrin.org.key
Installing /etc/ssl/chotrin.org.public.key.pem

Executing system command:
/usr/sbin/rcctl restart httpd

httpd(ok)

And I'm able to happily browse this website on HTTPS once again.
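
The failure mode behind that traceback is a cert installer that dies partway through when the API response changes shape. An added sketch (not certbun.py or porkbun code; every response key other than intermediatecertificate, and the locations mapping, are assumptions) that checks the response before touching disk, treats the intermediate certificate as optional, and writes each file atomically:

```python
import os
import tempfile

# "intermediatecertificate" is the key from the traceback above; the other
# response key names are assumptions made for this example.
REQUIRED = {"certificatechain": 0o644, "privatekey": 0o600}
OPTIONAL = {"intermediatecertificate": 0o644, "publickey": 0o644}


def write_atomic(path, data, mode):
    """Write a temp file next to the target, then rename it into place."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    try:
        with os.fdopen(fd, "w") as f:
            os.fchmod(f.fileno(), mode)
            f.write(data)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


def install_certs(cert_json, locations):
    """Return (installed_paths, skipped_keys).
    `locations` maps response key -> destination path (a hypothetical
    layout for this example, not certbun.py's config format).
    """
    # Check required fields before touching disk, so a bad response
    # never leaves a half-updated set of files behind.
    missing = [k for k in REQUIRED if not cert_json.get(k)]
    if missing:
        raise ValueError("response missing: " + ", ".join(missing))
    installed, skipped = [], []
    for key, mode in {**REQUIRED, **OPTIONAL}.items():
        if key not in locations:
            continue
        if not cert_json.get(key):
            skipped.append(key)  # optional field gone from the API: note it, move on
            continue
        write_atomic(locations[key], cert_json[key], mode)
        installed.append(locations[key])
    return installed, skipped


if __name__ == "__main__":
    # Constructed response with no intermediate certificate, as in the post.
    resp = {"certificatechain": "CHAIN\n", "privatekey": "KEY\n"}
    d = tempfile.mkdtemp()
    print(install_certs(resp, {k: os.path.join(d, k) for k in {**REQUIRED, **OPTIONAL}}))
```

A caller would restart httpd only after install_certs returns, and log the skipped list so a dropped field shows up in the cron output instead of as an expired cert.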

I don't mean to slight porkbun here for deprecating certbun.py. The reality of things is that the entirety of the Internet is built like a house of cards. Especially HTTPS, despite Let's Encrypt's noble efforts to democratize the ability for tiny website operators like myself to self-sign SSL certificates.

The bigger picture is that technology, writ large, is all but a sand mandala that requires constant upkeep lest it crumble to a pile of "useless" rusty circuitry.

I took this morning's opportunity to go ahead and renew all of my domains for another year, to the tune of $36 and some change. It is a sort of memento mori to pay annual upkeep to keep this house of cards, well, carding. It's gonna fall apart real quick when my time comes— and that's okay, really.

This is one big reason I still journal with physical pen and paper.

Sacre bleu! I promise I'm not this morbid on a typical Sunday morning. 😅

Until next time, be well! :)