from Hacker News

GitHub and BitBucket's SSL Provider's Cert has expired

by hiroprot on 7/26/14, 6:46 PM with 43 comments

  • by flavmartins on 7/26/14, 7:13 PM

    I work with the Certificate Provider DigiCert and confirm that the expired intermediate is a deprecated certificate no longer used in installs. Some sites still have it installed on their server or users might have it installed on their local machine.

    If you are on Chrome, follow @huntaub's suggestion and remove the expired certificate from keychain and restart.

    We've been notifying customers of the expiration and have Technical Support in the office 24 hours to help the sites who need help updating the certificate.

    We're also reaching out to the sites we see having issues online.

  • by flavmartins on 7/27/14, 3:06 AM

    For a full explanation on the legacy intermediate explanation and affected users see DigiCert's post:

    https://blog.digicert.com/expired-intermediate-certificate/

  • by huntaub on 7/26/14, 6:53 PM

    I just got hit with this issue. There doesn't seem to be any information on DigiCert's site or Github's.

    edit: For some reason, deleting the expired DigiCert certificate from Keychain (and restarting Chrome) allowed it to find a valid chain to the Github certificate. I would recommend doing this if you want to get to Github without turning off SSL.

    edit2: (Or they just fixed it and I restarted Chrome.) Can anyone confirm that it works now (without deleting the Intermediate Cert)?

  • by relix on 7/26/14, 8:44 PM

    A side-project I'm working on will alert you when SSL certificates are about to expire, preventing these things from happening. It'll also show you a overview of all the expiration dates of your certificates and domains, updated automatically.

    It's not live yet, but if you're interested you can sign up for the launch mail here:

    http://www.domainsquire.com

  • by ab on 7/26/14, 9:13 PM

    If this is anything like the issues we've seen at Stripe, the problem is probably an obsolete cross-signed root in your login keychain. It's caused by a certificate with CN="DigiCert High Assurance EV Root CA" but signed by some other authority rather than being self-signed. It's not clear to us how these are getting into people's login keychains, as they're not present on a fresh install.

    Typically servers will present their certificate and intermediates but not the root, under the assumption that browsers must already have the root in their CA store. So for DigiCert that would probably be all the certs up to but not including "DigiCert High Assurance EV Root CA".

    You can see the presented cert chain using `openssl s_client -showcerts ...` or the Certification Paths section of the Qualys SSL Labs Test: https://www.ssllabs.com/ssltest/analyze.html?d=github.com

    Do you see an expired "DigiCert High Assurance EV Root CA" certificate in your login keychain? If so, delete it. If not, something weirder may be going on.

  • by STRML on 7/26/14, 7:13 PM

    Looks like digicert itself screwed up - getting an invalid certificate error on digicert.com. Their twitter feed says they are in contact with GitHub, DigitalOcean, Namecheap, Stripe, Pingdom, and so on. This was a big error, and even they made the mistake on their own root domain.

  • by joefiorini on 7/28/14, 3:55 PM

    I'm having this issue as well. I deleted all digicert certificates from my keychain just in case. Still couldn't get to Github. I can get to the DigiCert Root Certificates download page, but it gives me an invalid certificate warning. It looks like the same issue as Github.

    I really, really don't feel comfortable downloading a ROOT CERTIFICATE with an SSL warning on the page. Who knows what could be compromised in this case?

    I'm going to try a couple other things first; I'd like to hear from a security expert, should we find this scary or just a small hiccup?

  • by pknerd on 7/26/14, 8:17 PM

    Download your required certificate from here and it should work like charm

    https://www.digicert.com/digicert-root-certificates.htm

  • by zizee on 7/28/14, 7:07 AM

    Hah! I'm working on a side project to solve this problem: http://www.renewalmonitor.com/

    The idea is that the service will monitor things like domains and ssl expiry dates and then alert you in an increasingly obnoxious manner as the expiration date gets closer.

    My MVP has just needs a few more finishing touches and then I'll send it live. In the meantime, you can signup on the waiting list.

    Cheers.

  • by rsanheim on 7/26/14, 7:41 PM

    A fix to remove the expired cert right now:

    https://twitter.com/aarongraves/status/493116549599739905

    Pretty sure this is on Digicert's side, but we (at GitHub) are investigating to make sure of that.

  • by dzink on 7/26/14, 7:19 PM

    I'm seeing the same issue on both GitHub and Heroku today as well. "Cannot connect to the real www.heroku.com

    Something is currently interfering with your secure connection to www.heroku.com.

    Try to reload this page in a few minutes or after switching to a new network. "

  • by pknerd on 7/26/14, 7:13 PM

    I just upgraded the Cert from DigiCert Website. It's workable for 2038 now. Enough time. Who knows Github exist by that time or not.

  • by D4AHNGM on 7/26/14, 7:36 PM

    Is this only an issue for those using Google Chrome? I haven't had any SSL issues with Github all day using Firefox.

  • by robermiranda on 7/28/14, 3:27 PM

    not sure why, but i had to remove all the certificates and download its from here https://www.digicert.com/digicert-root-certificates.htm

  • by jpdlla on 7/26/14, 7:00 PM

    I'm always surprised at how often this tends to happen to many startups/companies

  • by gianpaj on 7/28/14, 10:06 AM

  • by pknerd on 7/26/14, 8:19 PM

    This certificate expiration also caused not using Github and HomeBrew from CLI.

  • by bonf on 7/26/14, 7:01 PM

    bitbucket as well

  • by abritishguy on 7/26/14, 7:24 PM

    What a fuck up. How did that go unnoticed.