Fixed - website Security Error

This is a technical but simplified explanation of why the website was recently reporting security errors in some browsers. In short, it had an out-of-date SSL certificate. To find out what that is and why it matters, read on.

For most of the life of the Internet, websites were reached using the bare HTTP protocol. The process to load a web page went like this:

  1. You typed in a site name, e.g. www.birchanger.com (or clicked on a link containing that address)
  2. Your browser used the Domain Name System (DNS) to look up the address of www.birchanger.com and turn it into an Internet address that looks something like 46.101.29.68
  3. Your browser sent your page request to that address
  4. The webserver returned the page.

There's a lot, security-wise, wrong here. First, all communication is entirely unencrypted, and anybody snooping on your web traffic could read and alter it. Secondly you have no way of being certain that the site you're connected to is who it claims to be. In other words if you thought you were using, say, www.bigbank.com, you might have been talking to an imposter and anyone could see exactly what you're doing.

These problems are (to a large extent) cured by the use of site SSL certificates. These are small pieces of text that use cryptography to secure your data from eavesdroppers and to confirm that the site is who it says it is. If a web page is using a certificate then there will be some indication when you load it, for instance a padlock displayed. Also, the address will start with https:// instead of http://.

Not all website certificates are equal. Some require the person requesting the certificate to pass extensive verification tests before the certificate is issued. For example the owners of Bigbank will need to prove with some certainty that they are the legitimate owners of the domain name bigbank.com. Birchanger.com does not need such rigorous checks. For us all we need to prove before being granted a certificate is that we are in control of the birchanger.com domain, and in particular that we can manage its listing in the Domain Name System.

Until recently you needed to buy certificates from a certificate authority such as Verisign, Symantec, Thawte or the cheaper and more friendly Godaddy. Certificates lasted for at least a year, and sometimes several years. And it was common for site admins (especially on Government sites) to forget to renew them. I remember walking into the school where I was network manager one September to find that email was dead. Yes, it was an expired certificate. I was new, so blamed my predecessor.

Things have got much easier now, at least for small sites with simple needs. The Internet industry wants to eliminate all websites without certificates. An example of this policy in action is that the latest version of Chrome, being released about now, will give security warnings for any plain http:// site you try to connect to. To further this goal an organisation called Letsencrypt was formed with the aim of providing certificates for the masses. It's free and fully automated, but differs from the traditional certificate providers in that Letsencrypt certificates last for just 90 days. But that's OK, as you can configure your site to automatically renew long before the 90 days are up.

Birchanger.com uses Letsencrypt, so what went wrong? Well, there isn't usually a one-to-one link between computers and websites. Birchanger uses a computer named birchanger-lamp-01. On that server are the websites www.birchanger.com, webmail.birchanger.com and archive.birchanger.com. There was also, briefly, a site called surveys.birchanger.com on which I installed some software that enables surveys to be conducted.

Multiple sites can be protected with a single certificate. I had one configured that was protecting all four of the sites listed above. This worked for months, then the autorenew process failed. The issue was the surveys.birchanger.com site. I had moved the survey software to another computer and changed the DNS entry so that requests for surveys.birchanger.com were routed to the new computer. When the certificate autorenew bot ran it checked that I was still in control of the four websites. Three passed, but surveys.birchanger.com failed as it was now hosted elsewhere and I hadn't set up the new DNS entry in a way that kept Letsencrypt happy. As all four sites were protected by the single certificate, Letsencrypt refused the renewal request. Quite rightly.

I've now deleted surveys.birchanger.com from the certificate, and it's renewed successfully. It will be OK from now on, and I've learned a lesson. And there was a bonus: I thought I'd set up www.birchanger.com so that any request to the insecure site, http://www.birchanger.com, was automatically redirected to the secure site at https://www.birchanger.com. There was a typo and it didn't work. There is no typo now and it does work.
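The failure described above (one name on a shared certificate moving to another computer and blocking renewal for all of them) can be caught before the certificate expires. The Python below is an added example, not part of the original post and not Letsencrypt's own tooling. It assumes control of a name is checked by reaching the server the name resolves to; the IP addresses, dates and the 30-day renewal threshold are constructed for illustration.

```python
import socket
from datetime import datetime, timedelta, timezone

def resolve_live(name):
    """Real DNS lookup: the set of addresses a name currently resolves to."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(name, 443)}
    except socket.gaierror:
        return set()

def names_blocking_renewal(cert_names, server_ips, resolve=resolve_live):
    """Map each certificate name that no longer points at this server to the
    addresses it resolves to. One such name fails the whole renewal."""
    blocking = {}
    for name in cert_names:
        ips = set(resolve(name))
        if not ips or not ips <= set(server_ips):
            blocking[name] = sorted(ips)
    return blocking

def renewal_overdue(not_after, now, renew_before_days=30):
    """True when less lifetime remains than automatic renewal should ever
    allow, i.e. renewal has been failing. The 30 days is an assumption."""
    return (not_after - now) < timedelta(days=renew_before_days)

# Constructed sample data (documentation-range addresses, made-up dates).
SERVER_IPS = {"192.0.2.10"}
CERT_NAMES = ["www.birchanger.com", "webmail.birchanger.com",
              "archive.birchanger.com", "surveys.birchanger.com"]
SAMPLE_DNS = {
    "www.birchanger.com": {"192.0.2.10"},
    "webmail.birchanger.com": {"192.0.2.10"},
    "archive.birchanger.com": {"192.0.2.10"},
    "surveys.birchanger.com": {"203.0.113.77"},  # moved to another computer
}
ISSUED = datetime(2018, 5, 1, tzinfo=timezone.utc)
NOT_AFTER = ISSUED + timedelta(days=90)           # 90-day certificate
NOW = datetime(2018, 7, 20, tzinfo=timezone.utc)  # 10 days before expiry

def sample_resolve(name):
    return SAMPLE_DNS.get(name, set())

if __name__ == "__main__":
    if renewal_overdue(NOT_AFTER, NOW):
        print("certificate should have renewed already; checking names")
    for name, ips in names_blocking_renewal(CERT_NAMES, SERVER_IPS, sample_resolve).items():
        print(f"{name} resolves to {ips or 'nothing'}, not this server")
```

Run from a scheduled job with the default `resolve_live` and the server's real addresses, a non-empty result is the early warning that the next renewal will be refused.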