šŸ’¾ Archived View for gmi.bacardi55.io ā€ŗ gemlog ā€ŗ 2022 ā€ŗ 02 ā€ŗ 07 ā€ŗ gemserv-update captured on 2024-07-08 at 23:39:48. Gemini links have been rewritten to link to archived content

View Raw

More Information

ā¬…ļø Previous capture (2023-01-29)

-=-=-=-=-=-=-

Fixing TLS issue with gemserv update

Posted on 2022-02-07

(PSA: If you see new certificate for houston and tinylogs aggregator, it is normal, I had to update them.)

Last week, AcidusĀ¹ shared on his gemlog that a serious vulnerability was found in a gemini serverĀ²:

I stumbled on a serious security vulnerability in a widely used gemini server.

Using gemserv myself, a "widely" used gemini server, I knew there was a high chance I would have to update quickly gemserv in the next few days. Or at least be prepared to it in case I was right.

A few days ago, he confirmedĀ³ it was indeed a bug in gemserv that was now patched, thanks to 80hā“.

On Friday I decided to patch both servers I run. One of them at home is hosting this capsule (and my feed capsule), the other hosted in "the cloud" for houstonāµ and the tinylogs aggregatorā¶.

Weirdly, the 2 servers update weren't the same. While my home server update ran smoothly and my capsule was back on line in few minute, the update of the other one failedā€¦

The error I got was:

General(ā€œThe server certificate is not valid for the given nameā€)

Not sure what is was and unable to fix it right away (because work :)), I let it down at this point (what I thought would be until the end of day when I had more time to look at it). I was thinking it was better to leave it off than having an unsecure server.

But for some reason, I couldn't fix this issue, even by generating new tls certificate.

Then I thought about the differences between my home server certificate and the cloud one.

On my home server, I reused the tls certificate created by gmnisrv (before I migrated to gemserv) instead of creating a new one (to avoid warnings for visitors). Whereas the houston and tinylogs certificate were created manually with openssl command line.

Turn out I must have been doing something wrong because I couldn't generate working certificate (even though they worked before).

As it was already late tonight before I could work on this, I tried to find a tool to generate tls for me instead of reading the full manual. I should read and learn, but I wanted to put back online the two capsules so went for the easiest way.

Turns out that our beloved solderpunkā· himself created a very easy to use tool to generate certificatesāø.

I just downloaded the script and ran it to generate 2 new tls certificate. These certificates were finally accepted by gemserv and everything was back online :).

I need to find some time to understand what his script did to enrich my understanding of tls though!

The TLDR; to fix it (you need golangā¹ installed):

# Download gemcert:
git clone https://tildegit.org/solderpunk/gemcert.git && cd gemcert
# Generate certificate:
go run main.go --server --domain tinylogs.gmi.bacardi55.io
# Copy the certificate to the right place depending on your gemserv configuration.

Noticed also tonight that GustafĀ¹ā° had the same issue and was thinking about giving up his capsuleĀ¹Ā¹, so I hope this helps him (and others) too :)

(I couldn't find any contact page to reach out to Gustaf so I'm hoping he will read this via Antenna or Cosmos :)).

1: Acidus' capsule

2: First announcement by Acidus

3: Second annoucement by Acidus

4: 80h's capsule

5: Houston capsule

6: Tinylog aggregator

7: Solderpunk, creator of the gemini protocol

8: Solderpunk tls certificate generator (HTTPS)

9: Golang programming language (HTTPS)

10: Gustaf's capsule

11: Gustaf post about the same gemserv issue

/gemlog/

Send me a gemini mention

send me an email!