RogerBW's Blog

SSL certificates! How do they work? 02 June 2020

An SSL certificate expired.

Not one of mine. This was on the site of a group run by a certain well-known British security researcher. Yes, him. Between about 8am and ~1.30pm last Sunday, it was presenting an expired cert.

Which is of course an easy mistake to make, but if he can't get it right or get his staff to get it right, what hope is there for the rest of us? (Credit to them for noticing and fixing it on a Sunday, mind.)

The site has been using Let's Encrypt certificates for a while, just as everyone does who doesn't have quite literally more money than sense, so renewal ought to have been an easily automated process.

Weirdly, apparently it was. crt.sh has logged a new Let's Encrypt cert issued on 4 May which is valid until 2 August. That's the one they're serving again at the time of writing.

So why did they start serving the invalid one? When did they start serving it, given that it would have been valid until 08:13:05 (UK civil time) on Sunday morning? Did they perhaps restore an old backup, some time between 4 May and 31 May?

More to the point, this is something you can check automatically. All right, a few years ago it wasn't. But I wrote a plugin for Nagios that'll not only do full cert verification on connect (and speak various flavours of STARTTLS to get you as far as the handshake – SMTP, POP3, NNTP, IMAP4 and XMPP) but warn you about expiry dates too, and released it. It's check_ssl_cert in my Nagios plugins collection, which will also work with Icinga (which is what I'm now using) and anything else that uses that plugin interface. (And if I never have to work with the low-level code of Net::SSLeay again it'll be too soon. I needed detailed access so that I could return useful errors based on what might have gone wrong in the handshake, but SSL is tentacles all the way down.)

So if this were one of my sites, when the old cert started to be served again with less than 30 days of validity I'd have been paged by the monitoring system to let me know that something had gone wrong. Yes, sure, I am perhaps a bit more paranoid than most. But on this particular occasion at least that means that it's not my arse flapping in the breeze.
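As an added illustration of the kind of check described above (this is not the post's check_ssl_cert plugin, which is Perl on Net::SSLeay, but a stdlib-only Python sketch of the same idea): complete a verified handshake, directly or after SMTP STARTTLS, then map the certificate's notAfter to the Nagios exit codes with a 30-day warning threshold. The notAfter value in the test is constructed to match the post's 08:13:05 UK time on 31 May 2020, i.e. 07:13:05 GMT.

```python
import smtplib
import socket
import ssl
import sys
from datetime import datetime, timezone

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3  # Nagios plugin exit codes
STATUS = ["OK", "WARNING", "CRITICAL", "UNKNOWN"]


def parse_not_after(not_after):
    """Parse getpeercert()'s notAfter, e.g. 'May 31 07:13:05 2020 GMT', as aware UTC."""
    return datetime.strptime(not_after, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


def evaluate(not_after, now, warn_days=30):
    """Map remaining validity to (exit_code, message); 30 days is the post's threshold."""
    days_left = (not_after - now).total_seconds() / 86400
    when = not_after.strftime("notAfter %Y-%m-%d %H:%M:%S UTC")
    if days_left <= 0:
        return CRITICAL, f"certificate expired {-days_left:.1f} days ago ({when})"
    if days_left <= warn_days:
        return WARNING, f"certificate expires in {days_left:.1f} days ({when})"
    return OK, f"certificate valid for {days_left:.1f} more days ({when})"


def fetch_peer_cert(host, port, starttls=""):
    """Verified handshake (direct TLS, or SMTP STARTTLS first); returns the peer cert."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    if starttls == "smtp":
        with smtplib.SMTP(host, port, timeout=10) as smtp:
            smtp.starttls(context=ctx)
            return smtp.sock.getpeercert()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def check(host, port=443, starttls=""):
    """Run the full check and return (exit_code, status line) for the monitor."""
    try:
        cert = fetch_peer_cert(host, port, starttls)
    except ssl.SSLCertVerificationError as exc:  # an already-expired cert lands here too
        return CRITICAL, f"verification failed: {exc.verify_message}"
    except (OSError, smtplib.SMTPException) as exc:
        return UNKNOWN, f"could not complete handshake: {exc}"
    return evaluate(parse_not_after(cert["notAfter"]), datetime.now(timezone.utc))


if __name__ == "__main__":  # usage: check_cert_expiry.py HOST [PORT] [smtp]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    code, message = check(sys.argv[1], port, "smtp" if "smtp" in sys.argv[3:] else "")
    print(f"{STATUS[code]} - {message}")
    sys.exit(code)
```

Because the default context verifies the chain before the expiry arithmetic runs, a cert that has already lapsed is reported as CRITICAL by the verification path, and the 30-day threshold is what would have paged before that point.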

Tags: computing

  1. Posted by RogerBW at 09:51am on 02 August 2020

    And guess what? This morning it's happening again.

    I have profound respect for the team at Cambridge but they really need a good sysadmin.
