š¾ Archived View for gmi.bacardi55.io āŗ gemlog āŗ 2022 āŗ 02 āŗ 07 āŗ gemserv-update captured on 2022-03-01 at 15:01:33. Gemini links have been rewritten to link to archived content
ā”ļø Next capture (2023-01-29)
-=-=-=-=-=-=-
Posted on 2022-02-07
(PSA: If you see new certificate for houston and tinylogs aggregator, it is normal, I had to update them.)
Last week, AcidusĀ¹ shared on his gemlog that a serious vulnerability was found in a gemini serverĀ²:
I stumbled on a serious security vulnerability in a widely used gemini server.
Using gemserv myself, a "widely" used gemini server, I knew there was a high chance I would have to update quickly gemserv in the next few days. Or at least be prepared to it in case I was right.
A few days ago, he confirmedĀ³ it was indeed a bug in gemserv that was now patched, thanks to 80hā“.
On Friday I decided to patch both servers I run. One of them at home is hosting this capsule (and my feed capsule), the other hosted in "the cloud" for houstonāµ and the tinylogs aggregatorā¶.
Weirdly, the 2 servers update weren't the same. While my home server update ran smoothly and my capsule was back on line in few minute, the update of the other one failedā¦
The error I got was:
General(āThe server certificate is not valid for the given nameā)
Not sure what is was and unable to fix it right away (because work :)), I let it down at this point (what I thought would be until the end of day when I had more time to look at it). I was thinking it was better to leave it off than having an unsecure server.
But for some reason, I couldn't fix this issue, even by generating new tls certificate.
Then I thought about the differences between my home server certificate and the cloud one.
On my home server, I reused the tls certificate created by gmnisrv (before I migrated to gemserv) instead of creating a new one (to avoid warnings for visitors). Whereas the houston and tinylogs certificate were created manually with openssl command line.
Turn out I must have been doing something wrong because I couldn't generate working certificate (even though they worked before).
As it was already late tonight before I could work on this, I tried to find a tool to generate tls for me instead of reading the full manual. I should read and learn, but I wanted to put back online the two capsules so went for the easiest way.
Turns out that our beloved solderpunkā· himself created a very easy to use tool to generate certificatesāø.
I just downloaded the script and ran it to generate 2 new tls certificate. These certificates were finally accepted by gemserv and everything was back online :).
I need to find some time to understand what his script did to enrich my understanding of tls though!
The TLDR; to fix it (you need golangā¹ installed):
# Download gemcert: git clone https://tildegit.org/solderpunk/gemcert.git && cd gemcert # Generate certificate: go run main.go --server --domain tinylogs.gmi.bacardi55.io # Copy the certificate to the right place depending on your gemserv configuration.
Noticed also tonight that GustafĀ¹ā° had the same issue and was thinking about giving up his capsuleĀ¹Ā¹, so I hope this helps him (and others) too :)
(I couldn't find any contact page to reach out to Gustaf so I'm hoping he will read this via Antenna or Cosmos :)).
2: First announcement by Acidus
3: Second annoucement by Acidus
7: Solderpunk, creator of the gemini protocol
8: Solderpunk tls certificate generator (HTTPS)
9: Golang programming language (HTTPS)