urgent: nitter.net ssl certificate expiry #714
This isn't the first time this has happened. Is there a reason nitter isn't set up to autorenew certs via letsencrypt? This seems easily solvable.
Related #712
Another alternative: don't bother with LE at all (the automation of renewals is not particularly easy, since certbot sucks and third-party bash scripts/etc. are finicky and bizarre), instead stick your stuff behind Cloudflare. CF then handles the public-facing cert part themselves (called an "Edge Certificate"), and for CF<-->yourserver you're given a cert that expires every 10 years (called an "Origin Server Certificate").
Considering Nitter is meant to be a privacy-friendly frontend, I think it'd be counter-intuitive to run it through Cloudflare just for SSL.
Plus setting up Let's Encrypt is very easy, so that's a non-issue really. Especially if one deploys through Docker or Kubernetes since there are containers/charts that handle it automagically. (i.e. https-portal)
And I think wasting resources on containers (doesn't matter if Docker or k8s) is pretty counter-intuitive for something that should literally be as simple as dynamic DNS updates (for domain ownership validation -- I am not a fan of the challenge-response model since it requires you leave content on your webserver) via either classic 90s ISC I urge anyone "arguing" with me to look deep into how much trash certbot pulls in:
A Docker or k8s container is going to be even fatter, as they always are:
We know none of this is necessary because as I mentioned, there are bash scripts[1][2] that are minimal and accomplish the same thing, just that they have myriads of variables and don't always work well depending on how you have your HTTP server configured (config path layout, service names, etc.). KISS principle should be the de-facto mindset, and I suspect the Nitter folks try to keep things simple as well given the nature of the service. Fewer pieces involved = fewer things that can fail = less worry + happier users. The end result we're all here for is the same: the cert did not renew for various reasons unbeknownst to all of us, and it is silly that it has happened at all (and apparently happened before). There are varying alternatives (some free, some not free) that solve this overall problem. There will be no further comments from me on this matter.
Not sure why you have a vendetta against Let's Encrypt. 😆 Tbh I'm more surprised that after saying all that, your conclusion is to use a proprietary third-party service, which itself has gone down multiple times taking almost half the internet with it. I'd argue Cloudflare is much more flaky than using Let's Encrypt, at least when automatic certificate renewal is configured. With automatic renewal configured, the certificate expiring is a non-issue. Even if Let's Encrypt has some downtime, it should still be back up with ample time for the certificate to renew. Meanwhile, going through Cloudflare means Nitter would go down when Cloudflare does, so it adds another point of failure. Cloudflare does make a genuinely good service, but piping all traffic through it for just SSL seems overkill to me. If you'd rather do that than install 100~ MB worth of software, power to you. I'd just sacrifice the 100~ MB. 👍 I've personally had a very positive experience with Certbot, simple to use, and I'm happy to deal with something a little fatter rather than have constant dependency on a third-party platform.
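Whichever renewal mechanism is picked, the failure mode in this thread (a renewal that silently did not happen) is only noticed when the cert is already expired unless something watches the remaining lifetime. The Go check below is an added example, not code from this thread or from the Nitter project: it assumes a chosen 14-day warning threshold (well under the 30-day mark at which certbot normally renews a 90-day Let's Encrypt cert) and uses a constructed self-signed certificate so it runs offline; `LeafExpiryFromHost` is the variant that inspects a live endpoint.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"time"
)

// ExpiryStatus returns whole days left until cert.NotAfter and whether that is under
// warnDays; certbot renews Let's Encrypt certs at 30 days left, so far less means it failed.
func ExpiryStatus(cert *x509.Certificate, now time.Time, warnDays int) (int, bool) {
	daysLeft := int(cert.NotAfter.Sub(now).Hours() / 24)
	return daysLeft, daysLeft < warnDays
}

// LeafExpiryFromHost fetches the leaf cert served on host:443 and evaluates it.
// Verification stays on, so an already-expired cert surfaces as a handshake error
// rather than a day count, which is itself an alert condition. Needs network.
func LeafExpiryFromHost(host string, warnDays int) (int, bool, error) {
	conn, err := tls.Dial("tcp", host+":443", &tls.Config{ServerName: host})
	if err != nil {
		return 0, false, err
	}
	defer conn.Close()
	days, warn := ExpiryStatus(conn.ConnectionState().PeerCertificates[0], time.Now(), warnDays)
	return days, warn, nil
}

// MakeTestCert builds a constructed self-signed cert in memory so the check can
// be exercised offline; it stands in for a real served certificate.
func MakeTestCert(notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    notBefore,
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

Run on a schedule (cron, systemd timer) and page on `warn == true` or on a handshake error; either one means the renewal path needs attention while there is still time.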
nitter.net's cert has expired