
Site's hosting

Posted: Sat Jul 23, 2016 9:07 pm
by Randall
The site has been giving issues tonight. I was unable to connect to the site.

It fails on the TLS/SSL handshake... It was an intermittent problem.

This is an appeal to the owner to please consider moving this site to local hosting. Not only will it be cheaper, but if there's a problem like this, I can fix it within 20 minutes because I can apply necessary pressure.
I have no problem paying for the hosting either.

The benefits are there, the risk is virtually zero.

Re: Site's hosting

Posted: Sat Jul 23, 2016 9:12 pm
by Rakuen Growlithe
It got fixed with no need for you. There wouldn't have been a difference if it were hosted somewhere else.

Re: Site's hosting

Posted: Sat Jul 23, 2016 9:19 pm
by Randall
Yes there would have been a difference. The site wouldn't be down or malfunctioning for a start.
There is an issue in the US at the moment, several big websites are down in case you haven't noticed.

There is no need to construe this as criticism. My other sites have far less downtime, surely there I must be doing something correctly.
The site needs to keep going, it's important to what I am trying to achieve at this time.

Yes, in 2003 it was a good idea to host overseas. It's no longer like that. Furthermore, I have concerns about the rights to privacy of every user on this forum. With it being in the US, it means the NSA can ingest (and probably has) everything on this forum. At least in South Africa, it's a tad bit harder.

Re: Site's hosting

Posted: Sat Jul 23, 2016 9:20 pm
by Rakuen Growlithe
The site is not hosted in the US.

Re: Site's hosting

Posted: Sat Jul 23, 2016 10:52 pm
by Sev
It's hosted in some or another European country, because we also have to follow that country's laws.

Re: Site's hosting

Posted: Sat Jul 23, 2016 10:57 pm
by Randall
I decided to check, it's hosted in some Czech backwater.
I would like to know what makes that place so special... is it an issue around cost, or is someone taking the FPB seriously?

Re: Site's hosting

Posted: Sat Jul 23, 2016 11:47 pm
by Rakuen Growlithe
Still wrong, but you're getting closer. In any case, so far every assumption made has been incorrect, so there is nothing constructive being contributed here. I'm locking this thread.

Re: Site's hosting

Posted: Sun Jul 24, 2016 1:11 am
by Valerion
The site is hosted in Switzerland, actually, on hostpoint.ch. And due to various reasons it is cheaper to host there than it is to host here, at least in the short term. In the medium term I am in discussion with some parties about our hosting future, but that will be something that I will still see if it bears fruit.

Re: Site's hosting

Posted: Mon Jul 25, 2016 7:29 pm
by Valerion
Right ... I figured out the issue with the site's certificate, and it's a hosting/SSL provider issue.

In short, the host enabled OCSP stapling on their HTTPS side. OCSP is a way to check for SSL certificate revocations, but it also means that there's a higher load on the revocation servers. OCSP stapling allows the web server to make a certificate validity assertion without the client having to connect to the revocation server. The server gets the proof from the revocation server, and if it can't provide it, the client will connect to the revocation server itself.

However, what happens if the revocation server is offline/too busy? The normal behavior for clients is to "fail open" - i.e. assume the certificate is valid. Firefox has now implemented OCSP stapling, and made the default behavior "fail closed" - i.e. if a stapled OCSP certificate can't be obtained AND the OCSP server is down, then assume the certificate is invalid and stop connecting.

Chrome and IE/Edge do not yet have OCSP stapling support, and don't have this behavior. This means only Firefox users are affected.

So, in short, the SSL provider chosen by the host (GeoTrust) has an OCSP server issue, and when their servers go down the connection fails. I will take it up with the host right now.

I have disabled the HTTPS rewrite in the short term, so if the SSL connection fails, you can use HTTP now.

Re: Site's hosting

Posted: Mon Jul 25, 2016 8:29 pm
by Valerion
This is fascinatingly strange. I thought the certificate has a Must-Staple attribute added in, but I can't find it. Now Firefox's behaviour makes no sense at all. The only thing I can say for sure right now is that I am not sure why Firefox is behaving this way. In any event, I have unlocked this thread.
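
Added example, not part of the thread or the site's configuration: the two checks discussed in the posts above (does the server staple an OCSP response, and does the certificate carry Must-Staple), written as shell functions around the openssl CLI. The host name `forum.example` and the demo certificates are constructed placeholders; `-addext` assumes OpenSSL 1.1.1 or later.

```sh
#!/bin/sh
# Added example: OCSP stapling and Must-Staple checks with the openssl CLI.

# classify_staple: read `openssl s_client -status` output on stdin and report
# whether the server stapled an OCSP response into the handshake.
classify_staple() {
    out=$(cat)
    case $out in
        *"OCSP Response Status: successful"*) echo stapled ;;
        *"OCSP response: no response sent"*)  echo not-stapled ;;
        *)                                    echo unknown ;;
    esac
}

# has_must_staple PEM: succeed if the certificate carries the TLS Feature
# extension (OID 1.3.6.1.5.5.7.1.24) listing status_request, i.e. Must-Staple.
has_must_staple() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'TLS Feature' | grep -q 'status_request'
}

# make_demo_cert OUT_PEM yes|no: constructed self-signed certificate for the
# placeholder name forum.example, with or without Must-Staple.
make_demo_cert() {
    key=$(mktemp)
    if [ "$2" = yes ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=forum.example" -keyout "$key" -out "$1" \
            -addext "tlsfeature=status_request" 2>/dev/null
    else
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=forum.example" -keyout "$key" -out "$1" 2>/dev/null
    fi
    rc=$?
    rm -f "$key"
    return $rc
}

# Against a live server (host name is a placeholder):
#   openssl s_client -connect forum.example:443 -servername forum.example \
#       -status </dev/null 2>/dev/null | classify_staple
#   openssl s_client -connect forum.example:443 -servername forum.example \
#       </dev/null 2>/dev/null > leaf.pem && has_must_staple leaf.pem
```

A certificate for which `has_must_staple` fails gives the client no instruction to require a stapled response, so a hard failure in that case comes from the client's own revocation policy rather than from the certificate.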

Re: Site's hosting

Posted: Mon Jul 25, 2016 9:30 pm
by Sev
Wow, now I understand how people feel when I talk about my work.

Why is it that the site is so often unable to connect for me these days?

Re: Site's hosting

Posted: Mon Jul 25, 2016 9:57 pm
by Valerion
I've only seen it being down twice, once on Saturday and once tonight. In both cases it was a Firefox-only issue.

Re: Site's hosting

Posted: Tue Jul 26, 2016 6:56 pm
by Sev
I'm using Chrome, and there have been several occasions where I have been unable to connect for a few minutes.

Re: Site's hosting

Posted: Sat Jul 30, 2016 6:33 pm
by Valerion
Right ... I have now activated and tested CloudFlare as a front-end to the forum. This will now use a different SSL Provider and hopefully the SSL issues are now something of the past. Let's see how things work out, using this as a temporary measure.

The SSL certificate is now issued by Comodo and not GeoTrust.