
HTTPS Certificate Errors and Editing Problems Fixed

last modified November 14, 2017 by danielstrypeybruce

What went wrong, and why, and how we fixed it

Firstly, apologies to all CoActivate users for the scary warning messages about HTTPS security certificates that festooned the site over the last couple of weeks. We know it wasn't a good look, but the problems that caused them were a bit tricky to fix (more on that below).

As some of you may have found, the scary warning messages didn't make the site completely unusable. You could still click 'Advanced' and 'Add exception' and so on, and then use the site as normal. For people who just wanted to read a page on CoActivate, this was only an inconvenience. But logging into websites when you see scary warning messages about HTTPS certificates is a bad habit to get into, because one of the reasons websites have HTTPS certificates is to protect you from accidentally logging into fake sites designed to steal your passwords.

So what happened? A little background...

Traditionally, HTTPS certificates cost money, and are valid for a year. If they expire before they get replaced, the result is the kind of scary warning messages you saw recently on CoActivate. Despite the increasingly important role of HTTPS on the web, many of the certificate authorities that issue these annual HTTPS certificates have less than stellar reputations.

In 2012, people from a number of reputable organisations - including the Electronic Frontier Foundation and the Mozilla Foundation - set out to fix HTTPS by establishing a new certificate authority called Let's Encrypt. HTTPS certificates from Let's Encrypt only last about three months (90 days), but they are gratis (free-of-charge), and can be renewed automatically by a client program running on the webserver. This automatic certificate management depends on a piece of software originally just called 'letsencrypt', but recently renamed 'certbot'.
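To illustrate the renewal cycle described above, here is an added example (not CoActivate's or certbot's own code) of a small expiry monitor: it applies certbot's default rule of renewing once fewer than 30 days remain, so a live certificate that is inside that window but has not been replaced is the early sign that automatic renewal has silently broken. The host name "example.org" is a placeholder, and the test dates are constructed.

```python
import socket
import ssl
import time
from typing import Optional, Tuple

RENEW_BEFORE_DAYS = 30  # certbot's default: renew when fewer than 30 days remain


def expiry_seconds(not_after: str) -> float:
    """Parse a notAfter string as returned by SSLSocket.getpeercert(),
    e.g. 'Nov 14 00:00:00 2017 GMT', into seconds since the epoch."""
    return ssl.cert_time_to_seconds(not_after)


def days_until_expiry(not_after: str, now: Optional[float] = None) -> float:
    """Days left on the certificate (negative once it has expired)."""
    now = time.time() if now is None else now
    return (expiry_seconds(not_after) - now) / 86400.0


def renewal_status(not_after: str, now: Optional[float] = None) -> str:
    """'expired', 'renew' (inside the renewal window: automation should
    already have replaced it) or 'ok'."""
    remaining = days_until_expiry(not_after, now)
    if remaining < 0:
        return "expired"
    if remaining < RENEW_BEFORE_DAYS:
        return "renew"
    return "ok"


def check_host(host: str, port: int = 443) -> Tuple[str, str]:
    """Connect with full verification and return (status, detail).
    A certificate that is already expired, or issued for another name, fails
    the handshake before any certificate data is available, so that case is
    reported straight from the verification error."""
    ctx = ssl.create_default_context()  # checks chain, validity dates and hostname
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                not_after = tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError as err:
        return "invalid", str(err)
    return renewal_status(not_after), not_after


if __name__ == "__main__":
    # "example.org" is a placeholder host; substitute the site being monitored.
    print(check_host("example.org"))
```

Run it from cron and alert on anything other than "ok"; a result of "renew" means the 90-day certificate is inside certbot's renewal window and should already have been replaced.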

Some time ago, Ethan set up HTTPS on CoActivate using Let's Encrypt certificates. The problem, according to Ethan, was that:

"... the original server was so old that running letsencrypt on it was a nightmare and involved jumping through all kinds of hoops to get a certificate installed or renewed.  I had done it once or twice to keep the previous certificate valid but it's a very time consuming manual process and I never documented the exact steps I took very well, so when I ran into problems renewing it this time, I realized that the time it would take me to figure out would be better spent finally migrating to Ubuntu 16.04 LTS."

That's right, the CoActivate webserver is now running on the most recent LTS (Long Term Support) release of Ubuntu. This means we have access to more up-to-date versions of software, and we're assured of security updates from the Ubuntu team for years to come. That's the good news. Ethan continues:

"... the only hard part of the migration was getting our ancient forked version of WordPress up and running on the new server; after several hours googling through and resolving all the issues with incompatible server libraries one at a time (starting with the wrong version of PHP) I came very close to having it working, but ran up against one more wall than I had patience for. I then realized that getting an ancient unsupported WordPress and all its associated ancient unsupported dependencies working on Ubuntu 16.04 would be sort of an anti-goal, so instead, the blogs are actually now still running on the old server, which I'll resize down to something cheap once we've verified that everything is working correctly."

Plans are afoot to separate out the various moving parts of CoActivate, and put some of the heavier ones on their own servers, or in 'containers' using something like Docker (watch this space). So, even though it wasn't planned, having our blog engine on a separate server is actually an opportunity for forward progress. However, the site did get a little bit discombobulated in the move, and now there are a few other things that need fixing.

One that Ethan is already looking into is the blog search function:

"it seems like the issue is that the html form is pointing at e.g., which triggers a redirect to add a trailing slash, but chops off the query string -- so you end up at without the search query. In the meantime, you can build a search manually in the browser, making sure to have a trailing slash, e.g."

A more significant problem you may also have noticed was that when you tried to create or edit a blog post, or edit a wiki page, the WYSIWYG (What You See Is What You Get) editor was not working. Rest assured that this has been fixed too. Let us know if your blogs and wikis are not working normally. Please let us know if you notice any other new problems, either through the user's group email list, or if it's urgent;