F-droid website certificate expired.

Lion

Just a little alert the F-droid website and their repositories are experiencing a problem with certificate rotation, according to their bug tracker
Their Services monitor here

xxx

Lion ust a little alert the F-droid website and their repositories are experiencing a problem with certificate rotation,

Seems to work now. I wounder why things like that always happen.

n3t_admin

lmao, they actually let their cert expire. This is unreal.

NetRunner88

"YeAh BuT GrAfinEOs dEVs aReNt nice WiTh our OuTdatEd everyThing aNd OuR baD PraktiCe"

Yeah that's plain amateurism..

n3t_admin

NetRunner88 amateurism..

this not being fixed hours later is the true amateurism.

They say they already have the new certs, so why not enable them?
Besides, they just locked everyone out due to HSTS.
This is hilarious. Every time they do something, you can grab some popcorn.

GrapheneOS

Certificate rotation is a very basic test for whether there's active system administration. F-Droid is known to be using a bunch of ancient software and hardware for their builds and signing which is causing lots of issues for building modern apps. They do not maintain and modernize their infrastructure properly.

GrapheneOS uses uptime monitoring for our services including TLS checks which verify the certificate expiry is above 3 days. We used to have it check for 30 days but we adjusted it based on planning to move to 6 day expiry Let's Encrypt certificates once they're publicly available. They're currently behind an allowlist and we aren't sure if anyone has even be added to the allowlist yet. We also have monitoring for domain expiry via RDAP checks. We've had cases where our certificate rotation stopped working but our uptime checks told us about it and there was never any downtime because of it at any point. We also used to have to make sure our OCSP stapling setup was working correctly but that has been phased out by Let's Encrypt and will be replaced by us moving to 6 day certificates.

GrapheneOS

n3t_admin

this not being fixed hours later is the true amateurism.

The issue should be detected by uptime checks warning the system administrators prior to it causing downtime. The issue leading to rotation breaking should cause alerts, not downtime. This is one of the most basic things to check for uptime monitoring along with checking for domain expiry via RDAP (previously WHOIS which is deprecated and being rapidly phased out).

They say they already have the new certs, so why not enable them?

Their rotation scripting must be broken. It's likely they made changes to it but didn't test it properly. That has happened to us before such as certbot making changes incompatible with our systemd unit hardening changes but it hasn't caused any downtime because we have monitoring for our services which warns us if the certificates they're using are going to expire soon. We get alerts which are publicly visible in our infrastructure channel, not downtime. We do the same for domain expiry in case something breaks auto-renewal.