Normally I wouldn't have let this kind of change qualify for my #100Days project, but I was blocked from using any of my indieweb tools, and I feel like there's a good lesson here.
Chrome 57 launched today, and one of the changes was that it dropped the StartCom root certificate in that release. Lately I've been using Letsencrypt for all my certificates, but I still have a few certificates from startssl.com, in particular some wildcard certificates. I had been using a wildcard certificate for all my p3k apps on *.p3k.io, as well as for my development certificate that gives me a public URL with a real HTTPS certificate that routes the traffic back to my laptop.
As soon as I updated Chrome today, I was suddenly unable to post to my website using Quill, Teacup, or any other apps!
I logged in to startssl.com and found this notice posted in their dashboard:
1. Mozilla and Google decided to distrust all StartCom root certificates as of the 21st of October; this situation will have an impact on the upcoming releases of Firefox and Chrome in January. Apple's decision, announced on Nov 30th, to distrust all StartCom root certificates as of the 1st of December will have an impact on their upcoming security update.
2. Any subscribers that paid the validation fee after Oct. 21st can get a full refund by request.
3. StartCom will provide an interim solution soon and will replace all the issued certificates with an issuance date on or after Oct 21st if requested. Meanwhile StartCom is updating all systems and will generate new root CAs as requested by Mozilla to regain the trust of these browsers.
So it looks like I have no path forward right now other than to use a different certificate, until StartCom gets their act together and gets reapproved by the browsers.
So... thus began my day of re-issuing all my certificates for my p3k apps using Letsencrypt.
Thankfully, I had already created a pretty good workflow for quickly creating HTTPS certificates using Letsencrypt.
The one thing I added to my nginx setup today was an include file that lets me quickly add the .well-known URL path that Letsencrypt uses for its HTTP verification challenge to any server block. I added the text below to a file called "/usr/local/nginx/conf/letsencrypt_challenge":

location /.well-known/acme-challenge {
    default_type "text/plain";
    root /web/sites/letsencrypt;
}
Now when I add the following line inside a server block, this web root will be used to serve the Letsencrypt challenges.
include letsencrypt_challenge;
This makes it super quick to set up new virtual hosts using Letsencrypt.
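As an added example of that workflow (my own script, not code from the post), here is a small POSIX shell helper that generates the nginx server blocks for a new host with the shared include, creates the challenge webroot, and prints the issuance command. It assumes the paths named in the post (/usr/local/nginx/conf and /web/sites/letsencrypt); the per-site config directory, the /web/sites/<domain> document root, the /etc/letsencrypt/live/ certificate paths and the use of certbot's webroot plugin are my assumptions, not something the post states. The HTTP block is written first so nginx can be reloaded and answer challenges before any certificate exists; the HTTPS block is appended only after issuance.

```shell
#!/bin/sh
# Added example, not the post's own code. Helper for adding a new
# Letsencrypt-backed virtual host to an nginx setup that has the shared
# "letsencrypt_challenge" include from the post.
#
# Assumed (not from the post): a sites/ directory under the nginx conf dir,
# app document roots under /web/sites/<domain>, certbot with --webroot,
# and certificates landing in /etc/letsencrypt/live/<domain>/.

# Webroot that the letsencrypt_challenge include serves from (path from the post).
CHALLENGE_ROOT="${CHALLENGE_ROOT:-/web/sites/letsencrypt}"

# Stage 1: an HTTP-only block. It answers ACME challenges from the shared
# webroot and redirects everything else to HTTPS. Safe to load before the
# certificate exists, which is the whole point of the include.
vhost_http_config() {
    domain="$1"
    cat <<EOF
server {
    listen 80;
    server_name ${domain};
    include letsencrypt_challenge;
    location / {
        return 301 https://\$host\$request_uri;
    }
}
EOF
}

# Stage 2: the HTTPS block, added once the certificate has been issued.
# The include is repeated here so renewals still work if a future challenge
# is redirected onto port 443.
vhost_https_config() {
    domain="$1"
    cat <<EOF
server {
    listen 443 ssl;
    server_name ${domain};
    ssl_certificate     /etc/letsencrypt/live/${domain}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/${domain}/privkey.pem;
    include letsencrypt_challenge;
    root /web/sites/${domain};
}
EOF
}

# Write the stage-1 config for DOMAIN into CONFDIR/sites/DOMAIN.conf and make
# sure the challenge webroot exists. Returns non-zero on failure.
write_http_vhost() {
    domain="$1"; confdir="$2"
    mkdir -p "${confdir}/sites" "${CHALLENGE_ROOT}/.well-known/acme-challenge" || return 1
    vhost_http_config "$domain" > "${confdir}/sites/${domain}.conf"
}

# Append the stage-2 config after issuance succeeded.
append_https_vhost() {
    domain="$1"; confdir="$2"
    [ -f "${confdir}/sites/${domain}.conf" ] || return 1
    vhost_https_config "$domain" >> "${confdir}/sites/${domain}.conf"
}

# The certbot invocation matching this layout (assumed tool and flags; the
# post does not name its ACME client).
issue_command() {
    domain="$1"
    printf 'certbot certonly --webroot -w %s -d %s\n' "$CHALLENGE_ROOT" "$domain"
}

# Typical use, run by hand:
#   write_http_vhost app.example.com /usr/local/nginx/conf && nginx -s reload
#   $(issue_command app.example.com)
#   append_https_vhost app.example.com /usr/local/nginx/conf && nginx -s reload
```

The important ordering is reload, issue, then append: an HTTPS block that points at certificate files that do not exist yet makes nginx refuse to reload, which would take the other hosts on the same instance down along with the one you are trying to add.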
After running through this process for 8-10 domain names, I now have restored all the p3k apps so they will work with the latest version of Chrome!