urgent: nitter.net ssl certificate expiry

[VVelox]

nitter.net's cert has expired

[steveheinsch]

This isn't the first time this has happened. Is there a reason nitter isn't set up to autorenew certs via letsencrypt? This seems easily solvable.

[markcellus]

Related #712

[koitsu]

Another alternative: don't bother with LE at all (the automation of renewals is not particularly easy, since certbot sucks and third-party bash scripts/etc. are finicky and bizarre), instead stick your stuff behind Cloudflare. CF then handles the public-facing cert part themselves (called an "Edge Certificate"), and for CF<-->yourserver you're given a cert that expires every 10 years (called an "Origin Server Certificate").

[SethFalco]

Considering Nitter is meant to be a privacy-friendly frontend, I think it'd be counter-intuitive to run it through Cloudflare just for SSL.

1. Centralization
2. Undermining HTTPS by voluntarily allowing Cloudflare to decrypt/re-encrypt all traffic.

Plus setting up Let's Encrypt is very easy, so that's a none-issue really. Especially if one deploys through Docker or Kubernetes since there are containers/charts that handle it automagically. (i.e. https-portal)

[koitsu]

And I think wasting resources on containers (doesn't matter if Docker or k8s) is pretty counter-intuitive for something that should literally be as simple as dynamic DNS updates (for domain ownership validation -- I am not a fan of the challenge-response model since it requires you leave content on your webserver) via either classic 90s ISC nsupdate or through a simple API call (see: nothing more than curl), followed by a sleep delay (due to DNS caching and TTL on the LE side), followed by another API call (to fetch resulting cert bundle, either in tarball or similar format), followed by untarring/etc. and a systemctl reload {nginx,httpd}.service.

I urge anyone "arguing" with me to look deep into how much trash certbot pulls in:

~/foo $ python3 -m venv venv
~/foo $ source venv/bin/activate
(venv) ~/foo $ du -sk .
7724    .
(venv) ~/foo $ python3 -m pip install certbot
...
(venv) ~/foo $ pipdeptree
certbot==1.31.0
  - acme [required: >=1.31.0, installed: 1.31.0]
    - cryptography [required: >=2.5.0, installed: 38.0.1]
      - cffi [required: >=1.12, installed: 1.15.1]
        - pycparser [required: Any, installed: 2.21]
    - josepy [required: >=1.13.0, installed: 1.13.0]
      - cryptography [required: >=1.5, installed: 38.0.1]
        - cffi [required: >=1.12, installed: 1.15.1]
          - pycparser [required: Any, installed: 2.21]
      - PyOpenSSL [required: >=0.13, installed: 22.1.0]
        - cryptography [required: >=38.0.0,<39, installed: 38.0.1]
          - cffi [required: >=1.12, installed: 1.15.1]
            - pycparser [required: Any, installed: 2.21]
      - setuptools [required: >=1.0, installed: 44.0.0]
    - PyOpenSSL [required: >=17.5.0, installed: 22.1.0]
      - cryptography [required: >=38.0.0,<39, installed: 38.0.1]
        - cffi [required: >=1.12, installed: 1.15.1]
          - pycparser [required: Any, installed: 2.21]
    - pyrfc3339 [required: Any, installed: 1.1]
      - pytz [required: Any, installed: 2022.6]
    - pytz [required: >=2019.3, installed: 2022.6]
    - requests [required: >=2.20.0, installed: 2.28.1]
      - certifi [required: >=2017.4.17, installed: 2022.9.24]
      - charset-normalizer [required: >=2,<3, installed: 2.1.1]
      - idna [required: >=2.5,<4, installed: 3.4]
      - urllib3 [required: >=1.21.1,<1.27, installed: 1.26.12]
    - requests-toolbelt [required: >=0.3.0, installed: 0.10.1]
      - requests [required: >=2.0.1,<3.0.0, installed: 2.28.1]
        - certifi [required: >=2017.4.17, installed: 2022.9.24]
        - charset-normalizer [required: >=2,<3, installed: 2.1.1]
        - idna [required: >=2.5,<4, installed: 3.4]
        - urllib3 [required: >=1.21.1,<1.27, installed: 1.26.12]
    - setuptools [required: >=41.6.0, installed: 44.0.0]
  - ConfigArgParse [required: >=0.9.3, installed: 1.5.3]
  - configobj [required: >=5.0.6, installed: 5.0.6]
    - six [required: Any, installed: 1.16.0]
  - cryptography [required: >=2.5.0, installed: 38.0.1]
    - cffi [required: >=1.12, installed: 1.15.1]
      - pycparser [required: Any, installed: 2.21]
  - distro [required: >=1.0.1, installed: 1.8.0]
  - josepy [required: >=1.13.0, installed: 1.13.0]
    - cryptography [required: >=1.5, installed: 38.0.1]
      - cffi [required: >=1.12, installed: 1.15.1]
        - pycparser [required: Any, installed: 2.21]
    - PyOpenSSL [required: >=0.13, installed: 22.1.0]
      - cryptography [required: >=38.0.0,<39, installed: 38.0.1]
        - cffi [required: >=1.12, installed: 1.15.1]
          - pycparser [required: Any, installed: 2.21]
    - setuptools [required: >=1.0, installed: 44.0.0]
  - parsedatetime [required: >=2.4, installed: 2.6]
  - pyrfc3339 [required: Any, installed: 1.1]
    - pytz [required: Any, installed: 2022.6]
  - pytz [required: >=2019.3, installed: 2022.6]
  - setuptools [required: >=41.6.0, installed: 44.0.0]
  - zope.component [required: Any, installed: 5.0.1]
    - setuptools [required: Any, installed: 44.0.0]
    - zope.event [required: Any, installed: 4.5.0]
      - setuptools [required: Any, installed: 44.0.0]
    - zope.hookable [required: >=4.2.0, installed: 5.2]
      - setuptools [required: Any, installed: 44.0.0]
    - zope.interface [required: >=5.3.0a1, installed: 5.5.0]
      - setuptools [required: Any, installed: 44.0.0]
  - zope.interface [required: Any, installed: 5.5.0]
    - setuptools [required: Any, installed: 44.0.0]
pip==20.0.2
pkg-resources==0.0.0
(venv) ~/foo $ du -sk .
37748   .

A Docker or k8s container is going to be even fatter, as they always are:

$ docker pull certbot/certbot
Using default tag: latest
latest: Pulling from certbot/certbot
...
$ docker images certbot/certbot
REPOSITORY        TAG       IMAGE ID       CREATED       SIZE
certbot/certbot   latest    768f54f8cf61   4 weeks ago   111MB

We know none of this is necessary because as I mentioned, there are bash scripts[1][2] that are minimal and accomplish the same thing, just that they have myriads of variables and don't always work well depending on how you have your HTTP server configured (config path layout, service names, etc.).

KISS principle should be the de-facto mindset, and I suspect the Nitter folks try keep things simple as well given the nature of the service. Less pieces involved = less things that can fail = less worry + happier users.

The end result we're all here for is the same: the cert did not renew for various reasons unbeknownst to all of us, and it is silly that it has happened at all (and apparently happened before). There are varying alternatives (some free, some not free) that solve this overall problem. There will be no further comments for me on this matter.

[SethFalco]

Not sure why you have a vendetta against Let's Encrypt. 😆
All you've done is post an arbitrarily inflated message, overcomplicated a reasonably simple process.

Tbh I'm more surprised that after saying all that, your conclusion is to use a proprietary third-party service, which itself has gone down multiple times taking almost half the internet with it. I'd argue Cloudflare is much more flaky than using Let's Encrypt, at least when automatic certificate renewal is configured.

With automatic renewal configured, the certificate expiring is a non-issue. Even if Let's Encrypt has some downtime, it should still be back up with ample time to for the certificate to renew. Meanwhile, going through Cloudflare means Nitter would go down when Cloudflare does, so it adds another point of failure.

Cloudflare does make a genuinely good service, but piping all traffic through it for just SSL seems overkill to me. If you'd rather do that than install 100~ MB worth of software, power to you. I'd just sacrifice the 100~ MB. 👍

I've personally had a very positive experience with Certbot, simple to use, and I'm happy to deal with something a little fatter rather than have constant dependency on a third-party platform.