by julesie on 5/30/20, 12:07 PM with 5 comments
by cpach on 5/30/20, 7:06 PM
by ivanr on 5/30/20, 1:33 PM
This certificate was originally deployed some 20 years ago and expired today. There will be servers out there configured with certificate chains that terminate with this particular root. I've also seen some expired intermediates as well. In theory, this shouldn't be a problem. Clients with modern PKI stacks should be able to deal with the expiration by using path building to find trust paths that are still valid, but there appears to be a long tail of clients that don't handle this situation well.
If you've received a notification from a monitoring platform and the leaf certificate is still valid, the notification is likely to be a false positive. I got one of those.
You should probably be able to neutralise the false positives by reconfiguring your servers with a different chain, one that terminates with a still-valid root. Don't include the expired root in the chain. You should do this for maximum compatibility with old clients also.
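The difference between the two client behaviours described in the comment above, as an added example that is not part of the original thread: a simplified model in which a legacy client validates the chain exactly as the server sent it, while a path-building client searches for any unexpired path to a trusted root. All certificate names, key labels and dates are constructed, and matching key labels stand in for real signature verification.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key: str        # stands in for the subject's public key
    signed_by: str  # stands in for the key that signed this certificate
    not_after: datetime

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample PKI: a new root that is also cross-signed by an old, expiring root.
OLD_ROOT = Cert("Old Root", "Old Root", "k-old", "k-old", utc(2020, 5, 30))
NEW_ROOT = Cert("New Root", "New Root", "k-new", "k-new", utc(2038, 1, 1))
CROSS = Cert("New Root", "Old Root", "k-new", "k-old", utc(2020, 5, 30))
INTER = Cert("Issuing CA", "New Root", "k-int", "k-new", utc(2030, 1, 1))
LEAF = Cert("www.example.test", "Issuing CA", "k-leaf", "k-int", utc(2021, 1, 1))
TRUST_STORE = [OLD_ROOT, NEW_ROOT]

def issued(parent, child):
    return parent.subject == child.issuer and parent.key == child.signed_by

def linear_validate(chain, now):
    """Legacy client: trust the chain exactly as sent, reject on any expired cert."""
    if not all(issued(p, c) for c, p in zip(chain, chain[1:])):
        return False
    anchors = [a for a in TRUST_STORE if issued(a, chain[-1])]
    return bool(anchors) and all(now <= c.not_after for c in chain + anchors[:1])

def build_path(cert, sent, now, seen=()):
    """Path-building client: search for any unexpired path to a trusted root."""
    if now > cert.not_after or cert in seen:
        return None
    for anchor in TRUST_STORE:
        if issued(anchor, cert) and now <= anchor.not_after:
            return [cert.subject, anchor.subject]
    for cand in sent:
        if issued(cand, cert) and cand != cert:
            rest = build_path(cand, sent, now, seen + (cert,))
            if rest:
                return [cert.subject] + rest
    return None

def expired_in_chain(chain, now):
    """What a monitoring check should report: expired certs the server still sends."""
    return [c.subject + " (issuer: " + c.issuer + ")" for c in chain if now > c.not_after]
```

Dropping the cross-certificate from the served chain makes the legacy client succeed again, which is the server-side fix the comment recommends.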
by chrisked on 5/30/20, 1:31 PM
by live_alone on 5/31/20, 10:19 AM