from Hacker News

GitHub's User Content certificate has expired

by GOATS- on 3/24/23, 8:46 PM with 47 comments

  • by koolba on 3/24/23, 8:51 PM

    The cert for objects.githubusercontent.com has also expired:

        $ openssl s_client -connect objects.githubusercontent.com:443
    
        CONNECTED(00000005)
        depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
        verify return:1
        depth=1 C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
        verify return:1
        depth=0 C = US, ST = California, L = San Francisco, O = "GitHub, Inc.", CN = *.github.io
        verify error:num=10:certificate has expired
        notAfter=Mar 21 23:59:59 2023 GMT
        verify return:1
        depth=0 C = US, ST = California, L = San Francisco, O = "GitHub, Inc.", CN = *.github.io
        notAfter=Mar 21 23:59:59 2023 GMT
        verify return:1
        ---
        Certificate chain
         0 s:C = US, ST = California, L = San Francisco, O = "GitHub, Inc.", CN = *.github.io
           i:C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
         1 s:C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
           i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
    
    
    What are the odds this happens the same day they rotate their SSH keys?
  • by ksml on 3/24/23, 8:53 PM

    They're serving the wrong cert on pkg-containers.githubusercontent.com (it's for *.githubassets.com) and their support site also expired 3/21... https://support.github.com/ What is going on over there?
  • by dz0ny on 3/24/23, 9:14 PM

    Still some weird stuff around (* subject: CN=apistatus.chorus.co.nz).

        curl https://www.githubstatus.com/ -vvvv -I
        *   Trying 52.215.192.131:443...
        * Connected to www.githubstatus.com (52.215.192.131) port 443 (#0)
        * ALPN: offers h2
        * ALPN: offers http/1.1
        ...
        * SSL connection using TLSv1.3 / AEAD-AES256-GCM-SHA384
        * ALPN: server accepted h2
        * Server certificate:
        *  subject: CN=apistatus.chorus.co.nz
        *  start date: Mar  6 23:10:30 2023 GMT
        *  expire date: Jun  4 23:10:29 2023 GMT
        *  subjectAltName: host "www.githubstatus.com" matched cert's "www.githubstatus.com"
        *  issuer: C=US; O=Let's Encrypt; CN=R3
        *  SSL certificate verify ok.
        * Using HTTP2, server supports multiplexing
  • by ollemasle on 3/24/23, 9:29 PM

    Here is the report for this incident: https://www.githubstatus.com/incidents/x7njwb481j9b
  • by ccheney on 3/24/23, 9:08 PM

    EDIT: this specific issue is resolved

    Failing for us in GitHub Actions

    For SEO purposes:

      npm ERR! code ERR_TLS_CERT_ALTNAME_INVALID
      npm ERR! errno ERR_TLS_CERT_ALTNAME_INVALID
      npm ERR! request to https://pkg-npm.githubusercontent.com/npmregistryv2prod/blobs/** failed, reason: Hostname/IP does not match certificate's altnames: Host: pkg-npm.githubusercontent.com. is not in the cert's altnames: DNS:*.githubassets.com, DNS:githubassets.com
  • by GOATS- on 3/24/23, 8:46 PM

    This also applies to their avatars subdomain, causing them not to load anymore.
  • by radicalbyte on 3/27/23, 1:11 PM

    I wonder if this has anything to do with the recent SNAFU from a Senior Security Engineer* there?

    https://twitter.com/viibeeng/status/1639374358287118336

    (*yeah we can all make mistakes, but it's 2023, if you've not built controls into your workflows by now you don't deserve to be a Senior anything)

  • by mattbillenstein on 3/24/23, 10:08 PM

    I built a free monitoring service some years ago if anyone doesn't want to be the victim of this...

    https://ismycertexpired.com/check?domain=objects.githubuserc...
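
Added example, not part of the thread or of any commenter's post: a minimal monitor for the two failure modes reported above, an expired `notAfter` (the `openssl s_client` output) and a certificate whose altnames do not cover the host (the npm `ERR_TLS_CERT_ALTNAME_INVALID` error). The function names, the 30-day threshold, the SAN list of the first sample and the `notAfter` of the second are assumptions made for illustration.

```python
import socket
import ssl
import time

# Constructed samples in the dict shape returned by SSLSocket.getpeercert().
# notAfter is taken from the openssl output in the thread; the SAN list is assumed.
EXPIRED = {"notAfter": "Mar 21 23:59:59 2023 GMT",
           "subjectAltName": (("DNS", "*.github.io"), ("DNS", "*.githubusercontent.com"))}
# altnames are taken from the npm error in the thread; notAfter is a constructed value.
WRONG = {"notAfter": "Jun 30 12:00:00 2024 GMT",
         "subjectAltName": (("DNS", "*.githubassets.com"), ("DNS", "githubassets.com"))}
NOW = ssl.cert_time_to_seconds("Mar 24 20:46:00 2023 GMT")  # constructed "current time"

def fetch_cert(host, port=443, timeout=5):
    """Fetch the live leaf certificate. A handshake failure with
    ssl.SSLCertVerificationError is itself the expired/mismatch signal."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def days_left(cert, now=None):
    """Days until notAfter; negative once the certificate has expired."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400

def san_matches(pattern, host):
    """RFC 6125 style match: '*' may replace only the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Conservative choice: refuse wildcards directly under a TLD ("*.com").
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def check(cert, host, warn_days=30, now=None):
    """Return findings for one host; an empty list means healthy."""
    findings = []
    left = days_left(cert, now)
    if left < 0:
        findings.append("expired")
    elif left < warn_days:
        findings.append("expiring")
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(san_matches(n, host) for n in names):
        findings.append("name-mismatch")
    return findings
```

Run on a schedule before the deadline, `check(fetch_cert(host), host)` reports `expiring` while the certificate still validates, which is the window in which renewal can happen without an outage.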

  • by bvogelzang on 3/24/23, 9:06 PM

    It looks as though it's back for me now. Status page is now showing the problem: https://www.githubstatus.com/
  • by dz0ny on 3/24/23, 9:07 PM

    Also serving wrong certificates for a lot of content domains.

    https://news.ycombinator.com/item?id=35295191

  • by jmspring on 3/24/23, 9:42 PM

    Sounds like whoever is in charge of certificates at GH must have come over from MSFT. After all, I think Microsoft has had 2-3 certificate expiry issues in the last several years.
  • by gorjusborg on 3/24/23, 8:54 PM

    And today of all days I have a moment to upgrade homebrew stuff.
  • by tonto on 3/24/23, 9:02 PM

    got a "RequestError: certificate has expired" doing a release just now...as usual, not a good idea to release on a friday
  • by Kelamir on 3/24/23, 9:06 PM

    Previously I had the same issue, but it works for me now, as well as for a friend in another EU country.
  • by gunshai on 3/24/23, 9:59 PM

    For us dumb dumbs what does this mean?
  • by apetresc on 3/24/23, 9:09 PM

    Seems to be resolved now. My `brew update` works again.
  • by artyom on 3/24/23, 9:44 PM

    ChatGPT, rotate my certs
  • by jjice on 3/24/23, 9:17 PM

    Well I'm kind of just waiting on PRs for the rest of the day today and it's a Friday, so I'll consider this a modern equivalent of https://xkcd.com/303/
  • by GOATS- on 3/24/23, 9:08 PM

    It's back now!
  • by alexanderscott on 3/24/23, 9:47 PM

    didn’t they announce a bunch of layoffs recently?
  • by lytedev on 3/24/23, 9:10 PM

    Back up now, it looks like.
  • by carrina on 3/24/23, 9:00 PM

    Not Before Fri, 18 Mar 2022 00:00:00 GMT

    Not After Tue, 21 Mar 2023 23:59:59 GMT

    3-day certs.