• Things I learned last night…

    #203675

    The servers are propagating our new SSL certificate. Those of you who got bumped because of a bad cert will soon be able to hop on board. I hope. Here
    [See the full post at: Things I learned last night…]

    11 users thanked author for this post.
    • #203678

      It’s been picked up here already, no hard refresh required 🙂

      Correction: It appears I was mistaken, recent checks show that the new Cert. isn’t yet in place.

      1 user thanked author for this post.
    • #203694

      Certs are a manual install, easier if you are on IIS/Windows Server. You need a reminder 4 weeks ahead of time to generate and submit your request to the cert provider, then install BEFORE it expires, as browsers shun any bad certs.

      Dan

      Twinntech

      3 users thanked author for this post.
      • #203659

        Well, it looks like the two weeks are up! #201654

        Heads-up Note: in two weeks the site certificate would have expired (14th July 2018)

        Windows - commercial by definition and now function...
        1 user thanked author for this post.
        • #203706

          Yep. I thought the cert would auto renew.

          Wrong.

          2 users thanked author for this post.
          • #203710

            Time flies Woody, did the devs do it previously?

            Windows - commercial by definition and now function...
    • #203707

      Just got this on Firefox in DE.

      “www.askwoody.com uses an invalid security certificate. The certificate expired on 15 July, 2018, 00:48:35. The current time is July 15, 2018, 9:49 PM. Error code: SEC_ERROR_EXPIRED_CERTIFICATE”

      Confirmed exception and here I am.

      1 user thanked author for this post.
    • #203711

      Still getting Certificate errors, tried rebooting my system, then logging out, then back in again. Still getting Certificate Expired 7-14-2018, see attached screen snip from Chrome.

      1 user thanked author for this post.
      • #203714

        It can take up to 24 hours for the servers to update. Patience is a virtue.

        5 users thanked author for this post.
        • #203716

          Thanks, PK. Am still getting the warning & still have to turn the exception on.

          Bought a refurbished Windows 10 64-bit, currently updated to 22H2. Have broke the AC adapter cord going to the 8.1 machine, but before that, coaxed it into charging. Need to buy new adapter if wish to continue using it.
          Wild Bill Rides Again...

        • #203746

          for now, just resetting computer date to july 13 to get here

          • #203755

            That’s one way. I found, much to my surprise, that it only takes a couple of clicks with Edge, to add AskWoody to the exceptions list.

            • #203807

              It’s hard to be too critical of browser configurability that makes a computer do what YOU want, not what someone else thinks is best for you.

              In a way it’s good this happened because it will make people think. “More security is better” is sometimes not as cut and dried as it might seem.

              This situation is a good example of where it’s legitimate to proceed ahead with a site connection even with an expired certificate being presented. Internet Explorer posts a warning, but then you can visit the site if you make the specific choice to do so.

              What I think we DON’T want is to be put out of business by a mistake + a ubiquitous browser policy that simply doesn’t give people any option to visit your site with an “insecure” certificate. Some – most? – browsers are doing just that.

              This situation is a data point that needs to go into decisions about whether one should make a website accessible via https only.

              -Noel

              2 users thanked author for this post.
          • #203784

            for now, just resetting computer date to july 13 to get here

            Adding an exception to ONE website is, to me, an accepted method in order to temporarily access this website until the certificate is renewed, as it ONLY affects this (trusted) website.

            Changing the date, however, can and most probably will, lead to unexpected OS/ Security/ Browser and extension behavior leading to further problems should you forget to change it back and surf elsewhere.

            I certainly would not recommend changing the date.

            Windows - commercial by definition and now function...
            2 users thanked author for this post.
            • #203808

              I certainly would not recommend changing the date.

              I agree!

              Among other problems, software licensing subsystems may detect it and consider you to be doing underhanded things. In real terms, software you pay dearly for may stop working and when you contact customer service you may find they’re not willing to grant you a replacement activation.

              -Noel

              1 user thanked author for this post.
    • #203726

      FYI, FF still refuses to connect. Chromium warns but does let me connect if I override. I’ll keep trying FF.

      • #203735

        Just connected by clicking on the Advanced button and daring to click on the Allow Woody to Have His Say button.

        Heckuva 14th birthday present, huh?

         

      • #203747

        @ebrke yeah FF Quantum still works, add an exception, as per link; on the next page select (bottom left) either one-time exception or full-time and you’re good to go.

      • #203764

        Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
        XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
        Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

    • #203738

      Chrome still blocks you as of 6:15 PM CDT Sunday July 15th.

      Hope Google and Microsoft change their attitude real soon. You, Woody, do not deserve this “disrespect”.

      • #203739

        It’s not Google or Microsoft. The SSL Certificate expired. It has been renewed, but it may take up to 24 hours for the servers to replicate it.

        3 users thanked author for this post.
    • #203745

      FYI, FF still refuses to connect. Chromium warns but does let me connect if I override. I’ll keep trying FF.

      What version of Fx?

      On Fx, only sites that use Strict Transport (HSTS) do not allow for exceptions and that is not Fx’s choice.  It’s the Strict Transport protocol and occurs on all browsers.  But Woody’s site is not using Strict Transport so there should be an exception button on the Fx window that you can click to override and come here anyway.  If you have an exception button is it grayed out?  If so, then you likely have some profile corruption.  Do you have another profile to try?
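Added example, not part of the original post: a small Python model of the rule described above, following RFC 6797. It parses a `Strict-Transport-Security` header and decides whether a browser that stored the policy on an earlier, error-free visit may still offer an "add exception" button. The header strings and timestamps are constructed sample values, and the function names are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class HstsPolicy:
    max_age: int               # seconds the browser remembers the policy
    include_subdomains: bool
    preload: bool


def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security header value.

    Returns None when the header is malformed; RFC 6797 tells the
    browser to ignore such a header entirely.
    """
    seen = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        name = name.strip().lower()        # directive names are case-insensitive
        arg = arg.strip().strip('"')       # max-age may be a quoted string
        if name in seen:
            return None                    # a repeated directive invalidates the header
        seen[name] = arg
    max_age = seen.get("max-age", "")
    if not (max_age.isascii() and max_age.isdigit()):
        return None                        # max-age is the one required directive
    return HstsPolicy(int(max_age), "includesubdomains" in seen, "preload" in seen)


def click_through_allowed(stored: Optional[HstsPolicy],
                          noted_at: float, now: float) -> bool:
    """May the browser offer an exception for a certificate error?

    `stored` is the policy remembered from an earlier visit at time
    `noted_at` (epoch seconds). A live HSTS policy means the error is fatal.
    """
    if stored is None or stored.max_age == 0:
        return True                        # no policy, or the site cleared it
    return now >= noted_at + stored.max_age  # policy has aged out


DAY = 86400
# Constructed sample headers (not captured from any real site).
SITE_WITH_HSTS = parse_hsts("max-age=31536000; includeSubDomains")
SITE_WITHOUT_HSTS = None                   # server sent no STS header at all
SITE_CLEARING_HSTS = parse_hsts("max-age=0")

if __name__ == "__main__":
    two_days_later = 2 * DAY
    for label, policy in [("HSTS, one year", SITE_WITH_HSTS),
                          ("no HSTS", SITE_WITHOUT_HSTS),
                          ("max-age=0", SITE_CLEARING_HSTS)]:
        ok = click_through_allowed(policy, noted_at=0, now=two_days_later)
        print(f"{label:15} exception button offered: {ok}")
```
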

    • #203751

      But Woody’s site is not using Strict Transport so there should be an exception button on the Fx window that you can click to override and come here anyway.

      woody-cert

      Sure looks like Strict Transport (HSTS) to me and Firefox Quantum will not allow an exception.

    • #203776

      While we wait for the renewed certificate to take effect, unless there is some new information, continued posting about the expired certificate isn’t overly helpful.

      And remember the Lounge Rules on repetition – we’d love to hear any new information that hasn’t been posted already, but repetitive posts may well be removed.

      We look forward to this certificate problem being resolved shortly. 🙂

      3 users thanked author for this post.
    • #203781

      Different browsers give different symptoms. Avira misses the target totally:

      Your clock is behind
      A private connection to www.askwoody.com can’t be established because your computer’s date and time (Monday, July 16, 2018 at 4:25:02 PM) are incorrect.

      NET::ERR_CERT_DATE_INVALID

      To establish a secure connection, your clock needs to be set correctly. This is because the certificates that websites use to identify themselves are only valid for specific periods of time. Since your device’s clock is incorrect, Vivaldi cannot verify these certificates.

      Group A (but Telemetry disabled Tasks and Registry)
      1) Dell Inspiron with Win 11 64 Home permanently in dock due to "sorry spares no longer made".
      2) Dell Inspiron with Win 11 64 Home (substantial discount with Pro version available only at full price)

    • #203789

      Still doesn’t look good. AFAIK if cert is applied correctly it’s presented immediately, no “propagation delay” is needed. So please review your SSL config. This provides some useful info: https://www.ssllabs.com/ssltest/analyze.html?d=www.askwoody.com

    • #203792

      Still not working for me in the UK. I can understand a propagation delay for DNS changes – as that relies on 3rd party servers having updated – but surely the SSL Cert is installed on the AskWoody server direct – so it is either updated or it is not. I thought the point of an SSL Cert was that it is a self-contained security validation – that doesn’t rely on 3rd party servers – or am I mistaken?

    • #203793

      “Buy a cert” ?? What about LetsEncrypt?

      Surely AskWoody doesn’t buy into the idea that a paid cert is a superior cert?

      1 user thanked author for this post.
      • #203796

        Letsencrypt link: https://letsencrypt.org/

        There, FTFY 🙂

        Windows - commercial by definition and now function...
      • #203809

        How quickly does that service work if there’s an emergency (like, say, a missed recertification date)?

        -Noel

        • #203891

          Less than a second. It’s fully automated.
          CPanel or ACME client requests a cert.
          LetsEncrypt says ok, put this file on a temporary page of your website to prove you are that website.
          CPanel or ACME client puts the file on the temp page.
          LetsEncrypt looks at the temporary page, sees the file, issues a cert.
          CPanel or ACME client installs the cert where it belongs and deletes the temporary page.

          This is all done at the speed of computers…(really really really fast).

        • #203941

          LE is set up to automate the DV certificates. You set it up once and that’s pretty much it. When configured properly, the certs are renewed every ~2 months, automatically. Plus, no need to waste money on DV certs in the first place.

    • #203800

      Still not Working for me in the UK. 

      Can’t add exception to Firefox, so using blue moon for now.

      Any idea when it’ll be available in the UK?

      Dell Inspiron 16 Plus 7640 Core Ultra 7 155H 32GB Win 11 Pro 23H2 (22631.5189)
      Dell Inspiron 15 7580 i7 16GB Win 11 pro 24H2 (26100.3775),
      Microsoft 365 Version 2504 (18730.20122)
      Location: UK

    • #203801

      Certification may seem to be out of the 1960s because, well, certifying someone is actually who they say they are and that they’re legitimately in need of doing secure business online actually does need to be a methodical and careful operation in the real world.

      While it’s a shame it takes some time, I’m glad the certification authorities take their jobs seriously.

      (my experience is with code-signing certificates)

      -Noel

      1 user thanked author for this post.
    • #203816

      Ha! Woody clearly has been hanging out for too long with Microsoft! 😀

      Btw. my tablet chrome just requires a click on “Advanced” and then a click on “Back in security” to open the site.
      On IE11 I just click on “Continue to website (not recommended)” to open… The address line turns blood-red and showing Cert error, but still.

      1 user thanked author for this post.
      • #204126

        Me too. Finally went around Chrome’s warning through the advanced tab. Glad to see the site – it’s been several days.

    • #203824

      Question:  In ff advanced, is it ok to check Permanently allow the site, or should I just allow it for each session and leave it unchecked?

      • #203826

        Permanent is OK. You can always trust AskWoody!

        I stand corrected. Allow the exception for the session only.

        2 users thanked author for this post.
        • #203828

          This is not sound advice. You shouldn’t ever permanently trust a cert (unless it’s for local testing purposes).

          You want to know when someone is intercepting the connection.

          1 user thanked author for this post.
          Geo
      • #203831

        On a side of caution, I wouldn’t permanently allow an expired SSL Certification or any other for that matter.

        I just use the exemption for the AskWoody session, then remove it when leaving the site.

        Windows - commercial by definition and now function...
        1 user thanked author for this post.
        Geo
    • #203842

      The certificate expired on Saturday, July 14, 2018, 5:48:35 PM. The current time is July 16, 2018, 12:39 PM.

      Still have to turn on the exception in Firefox. Maybe it’s fixed by later this afternoon… or this evening. My times are CDT.

      Bought a refurbished Windows 10 64-bit, currently updated to 22H2. Have broke the AC adapter cord going to the 8.1 machine, but before that, coaxed it into charging. Need to buy new adapter if wish to continue using it.
      Wild Bill Rides Again...

    • #203866

      Priceless:

      “Bash isn’t all that hard to pick up. Made me feel like I was working with DOS 3.21 again.”

      Worse, actually.  Unix keyboard interface, editors, shells, and admin tools have always been so primitive that I’ve never surmounted the learning curve.  It’s why I’ve always been a TOPS-10 / TOPS-20 / VMS / CP/M / DOS / Windoze ™ kinda guy.  Even IBM JCL is surmountable.   🙂

      • #203887

        Maybe, except things like grep and sed that work with regular expressions are pretty powerful once you get down and geeky and can take advantage of the complexity.

        For what it’s worth, I have the Gnu Win32 Toolkit, so I use regular expressions all the time in CMD windows. 🙂

        P.S., I have a background with DEC systems too. I even had a DCL workalike once that ran on Windows. I think it was called VCL. THAT was pretty cool.

        -Noel

        1 user thanked author for this post.
        Tem
        • #204127

          I can’t figure out if you are bragging or I’m just happy to virtually know someone with your experience. Brings back memories though.

          Thanks for being you Noel.

      • #204241

        I don’t find Unix tools to be primitive, just deeply user-hostile. Or perhaps Lovecraftian: If you’re a Deep One, with long Berkeley-style hair or a neckbeard to hide your gill slits, then Unix is simpatico. But as a mortal human who cut his teeth on VMS, and did DOS on PCs before going on to Windows, I have to make a SAN check every time I deal with Unix.

    • #203879

      As of 4:10PM CST:

      Cert Path:

      GlobalSign seems to be valid, as does Alpha SSL, but askwoody.com is not.

      Also, it looks like GlobalSign changed their certificate policy on the 15th. Coincidence? Or did they foul up?

      GlobalSign Certificate Policy (CP) Current version – v5.8 – June 15th 2018   Previous version – v5.7 – April 3rd 2018

      Edit to remove HTML

      • #203937

        Thanks, this may have an effect on certificate renewal and one thing I have just noticed is:

        Example:

        Just got this on Firefox in DE. “www.askwoody.com uses an invalid security certificate. The certificate expired on 15 July, 2018, 00:48:35. The current time is July 15, 2018, 9:49 PM. Error code: SEC_ERROR_EXPIRED_CERTIFICATE” Confirmed exception and here I am.

        My bolding

        The original certificate was due to expire on Saturday, July 14, 2018 6:48 PM.

        So could these changes have actually expired the renewed certificate which is why we aren’t seeing anything resolved?

        Are we chasing shadows? double trouble..

         

        Windows - commercial by definition and now function...
        • #203938

          The certificate expired on 15 July, 2018, 00:48:35. …

          The original certificate was due to expire on Saturday, July 14, 2018 6:48 PM.

          I suspect the differences noted in the certificate expiry might relate to different timezone it has been reported from.

          • #203939

            Yup, the answer was in my own post, timezones..

            Windows - commercial by definition and now function...
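Added example, not part of the original posts: a Python check showing that the expiry times reported in this thread are one instant seen from different UTC offsets, plus the four-week renewal reminder suggested earlier in the thread. The `NOT_AFTER` value is an assumption derived from the Firefox report from DE (00:48:35 on 15 July at UTC+2); the offsets and function names are likewise assumptions chosen for illustration.

```python
import ssl
from datetime import datetime, timedelta, timezone

# Assumption: certificate notAfter in the text form returned by
# ssl.SSLSocket.getpeercert(), inferred from the DE report in the thread.
NOT_AFTER = "Jul 14 22:48:35 2018 GMT"


def not_after_utc(cert_time: str) -> datetime:
    """Convert a getpeercert()-style notAfter string to an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time),
                                  tz=timezone.utc)


def local_rendering(expiry: datetime, offset_hours: int) -> str:
    """Show the same expiry instant as a browser at the given UTC offset would."""
    zone = timezone(timedelta(hours=offset_hours))
    return expiry.astimezone(zone).strftime("%Y-%m-%d %H:%M:%S")


def renewal_status(expiry: datetime, now: datetime,
                   warn: timedelta = timedelta(weeks=4)) -> str:
    """Classify a certificate as 'ok', 'renew now' or 'expired'."""
    remaining = expiry - now
    if remaining <= timedelta(0):
        return "expired"
    if remaining <= warn:
        return "renew now"   # inside the reminder window: request and install
    return "ok"


EXPIRY = not_after_utc(NOT_AFTER)

if __name__ == "__main__":
    # Fixed offsets (assumed): +2 for the DE report, -5 for the CDT report,
    # -4 reproduces the "6:48 PM" figure quoted in the thread.
    for label, offset in [("UTC+2", 2), ("UTC-5", -5), ("UTC-4", -4)]:
        print(f"{label}: {local_rendering(EXPIRY, offset)}")

    # Constructed check dates around the expiry.
    for day in (datetime(2018, 6, 1, tzinfo=timezone.utc),
                datetime(2018, 7, 1, tzinfo=timezone.utc),
                datetime(2018, 7, 16, tzinfo=timezone.utc)):
        print(day.date(), renewal_status(EXPIRY, day))
```
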
    • #203940

      Umm… it’s now just over 2 days since the trouble started and my preferred browser – Firefox Quantum – still won’t let me connect.

      Sorry but… surely the whole point of not lowering defences is to not lower defences, no matter how much you want to?

      Much love to AskWoody… but just get it sorted out?

      (Posted from another browser, which I dislike… but that’s not the point.)

    • #203944

      @rick_corbett did you try this (link below)? https://www.askwoody.com/forums/topic/things-i-learned-last-night/#post-203747 after clicking exceptions see the bottom left box select for permanent stored exception or unselected for a one time only, as it says (not near a Quantum browser right now) although it’s a pain having to select each time. @woody and the MVPS are on it right now so I am sure it’s a temp. thing.

      Many thanks but your email link resulted in an error in Firefox Quantum (my preferred browser). I’ll leave it a day or two…

      • #203952

        Mozilla has been restricting user choice for way too long Rick, they still haven’t ‘got’ why their market share has plummeted and continue to make bad decisions.

        2 users thanked author for this post.
        • #204136

          Not sure what the issue is with folks unable to set an exception in Firefox, but I am using Firefox 61.0.1 (64bit) and it allows me to set an exception and pick between permanent (checked by default) or for a single use (unchecked). I only do the single use scenario, and only on a trusted site.

        • #204175

          @ satrow

          Selling SSL or https certificates is big business. Maybe both Mozilla and Google have their hands in this money till = fully blocking websites with expired certificates = more profit

    • #203967

      It’s gone to skeleton crew here. Has site visitation dropped?

      On permanent hiatus {with backup and coffee}
      offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
      offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
      online▸ Win11Pro 22H2.22621.1992 x64 i5-9400 RAM16GB HDD Firefox116.0b3 MicrosoftDefender
    • #204065

      saw your tweet yesterday about chrome not working. can kinda sorta confirm. chrome in its normal mode will not load the site but chrome in incognito mode will access the site fine!

    • #204139

      Norton continues to prevent connection as of a few minutes ago with IE 11, but was able to connect with Firefox 61.0.1.

    • #204149

      In regards to the expired certificate showing up when logging in and or browsing your site on Chrome.

      I have read the posts not to keep posting about this issue or it may get bumped off.

      The reason i have posted about it is that i know little about this side of things, apart from Https is an extension of the Hypertext transfer protocol for secure communication over a computer network and is encrypted using TLS ( Transport Layer Security ).

      I gather that you would have to renew it from your end so that it shows Secure/Https ??? and that we will have to wait until this is propagated and or reset.

      I gather this will all be automatic on our end when re-done and will once again show Secure ???

      As i am in Australia and today’s date being 18/07/18 it is still showing Not Secure.

      I have managed to get to the site and disabled the security warning and blocked the notification from appearing every time so to access the Ask Woody Site so not to have to jump hurdles to get there.

      What i get in my address bar is a Red Triangle with an asterisk in it followed by in red Not Secure with the Https lined out in red and then the rest of the address being in black ://www.askwoody.com/forums/topic/things-i-learned-last-night/

      I sometimes find it hard to explain issues after suffering a couple strokes in the past so a little help and clarification is highly appreciated.

      On another note i am not sure whether to use the Visual or Text format when posting on your site as on a previous post of mine in regards to favourite tools ( CCleaner ) there was a tag added to the bottom stating something about editing and formatting when one adds a link source or capture.

      I have posted this using the Text Tab.

      Congrats on 14 years of operation of this site.

      A great source for information and help for everyone from so many so thanks to all who take the time out doing this.

    • #204150

      Kaspersky blocking this site when used with any browser. Also Outlook RSS will not connect.

      Bet you are having fun. Think this is Microsoft’s way of thanking you for all the advice you provide?

      3 users thanked author for this post.
    • #204181

      Using the Midori browser in Private Browsing mode on LM 17.3, I can directly access askwoody.com. There is also no warning about expired SSL/https certificate.

    • #204184

      Before posting any more certificate issues, kindly read this post from @Kirsty AskWoody MVP,

      #203776

      Thanks in advance for your co-operation.

      Windows - commercial by definition and now function...
      1 user thanked author for this post.
      • #204261

        ? says:

        hi microfix,

        i use your AKB30000003 every time i set up a new firefox, thank you for posting that. i still can’t get into woody through the front door.

        is line,  2) Type: security.tls.version.max set to 3 still correct or is it now 4? (tls 1.3)

        https://www.ghacks.net/2018/06/27/firefox-61-fix-secure-connection-failed/

        thank you

         

        • #204265

          Yes, it should be 4 for FF 61>, I’ll amend this in the AKB. For now, you need to use the side-door to access askwoody until the certificate issue is sorted.

          Windows - commercial by definition and now function...
    • #204270

      ? says:

      thanks! i prefer using the back door along with the “blue” mushrooms from PK’s basement

    • #204345

      Hmm…I think that Woody needs to use the automated WordPress tool to inject the new certificate into the entire web site, since the entire web site is built on WordPress. The tool also checks for and tries to automatically resolve any other issues which are found during the process.

    • #204365

      Question on : Things i have learned last night.
      At one point i had selected the check box that states :
      Notify me of follow up replies via email so to follow this thread.

      As i am getting too many i have de-selected this setting but it seems that every time that i log back in or shut down and re-boot the computer the Check Box once again is selected automatically.

      How do i prevent this from happening ???

      I do not wish anymore emails on this subject / thread as there are way too many.

      • #204366

        You can click on your user name. After you do so and after you see the newly presented web page, click on Subscriptions. Under Subscriptions, you can then uncheck the forum topics for which you wish to unsubscribe (no more email updates for that forum topic).

        1 user thanked author for this post.
    • #204432

      Once the proper cert is installed there is no propagation delay – the site will be fixed.  I know certs are confusing and difficult the first (and maybe second) time you have to deal with them, but it’s now been 4 days….  GoDaddy’s certs are insanely expensive, but their SSL helpdesk is extremely knowledgeable and available 24×7.  Let’s Encrypt certs are free and difficult to wrap your head around, especially for someone with no cert experience; but once they’re set up correctly you’re done. LE certs are valid for 90 days and will renew automagically every 60 days – if the renewal fails for any reason LE will start emailing you to inform you that there’s a problem with the cert renewal and you have weeks to fix it.

       

    • #204566

      Yay! Up and running in FF 61.0.1, 7:05 PM MDT
