
Fixing TLS issue with gemserv update

Posted on 2022-02-07

(PSA: If you see a new certificate for houston and the tinylogs aggregator, it is normal, I had to update them.)

Last week, Acidus¹ shared on his gemlog that a serious vulnerability was found in a gemini server²:

I stumbled on a serious security vulnerability in a widely used gemini server.

Using gemserv myself, a "widely" used gemini server, I knew there was a high chance I would have to update gemserv quickly in the next few days, or at least be prepared for it in case I was right.

A few days ago, he confirmed³ it was indeed a bug in gemserv that was now patched, thanks to 80h⁴.

On Friday I decided to patch both servers I run. One of them at home is hosting this capsule (and my feed capsule), the other hosted in "the cloud" for houston⁵ and the tinylogs aggregator⁶.

Weirdly, the two server updates didn't go the same way. While my home server update ran smoothly and my capsule was back online in a few minutes, the update of the other one failed…

The error I got was:

General("The server certificate is not valid for the given name")

Not sure what it was and unable to fix it right away (because work :)), I left it at this point (what I thought would be until the end of the day, when I had more time to look at it). I was thinking it was better to leave it off than to run an insecure server.

But for some reason, I couldn't fix this issue, even after generating a new TLS certificate.

Then I thought about the differences between my home server certificate and the cloud one.

On my home server, I reused the TLS certificate created by gmnisrv (before I migrated to gemserv) instead of creating a new one (to avoid warnings for visitors), whereas the houston and tinylogs certificates were created manually with the openssl command line.

Turns out I must have been doing something wrong, because I couldn't generate a working certificate (even though they had worked before).

As it was already late tonight before I could work on this, I tried to find a tool to generate the TLS certificates for me instead of reading the full manual. I should read and learn, but I wanted to put the two capsules back online, so I went for the easiest way.

Turns out that our beloved solderpunk⁷ himself created a very easy to use tool to generate certificates⁸.

I just downloaded the script and ran it to generate two new TLS certificates. These certificates were finally accepted by gemserv and everything was back online :).

I need to find some time to understand what his script did to enrich my understanding of tls though!

The TL;DR to fix it (you need golang⁹ installed):

# Download gemcert:
git clone https://tildegit.org/solderpunk/gemcert.git && cd gemcert
# Generate certificate:
go run main.go --server --domain tinylogs.gmi.bacardi55.io
# Copy the certificate to the right place depending on your gemserv configuration.

I also noticed tonight that Gustaf¹⁰ had the same issue and was thinking about giving up his capsule¹¹, so I hope this helps him (and others) too :)

(I couldn't find any contact page to reach out to Gustaf so I'm hoping he will read this via Antenna or Cosmos :)).

=> 1: Acidus' capsule | 2: First announcement by Acidus | 3: Second announcement by Acidus | 4: 80h's capsule | 5: Houston capsule | 6: Tinylog aggregator | 7: Solderpunk, creator of the gemini protocol | 8: Solderpunk TLS certificate generator (HTTPS) | 9: Golang programming language (HTTPS) | 10: Gustaf's capsule | 11: Gustaf's post about the same gemserv issue

=> /gemlog/

=> Send me a gemini mention | send me an email!
