An SSL certificate expired.

Not one of mine. This was on the site of a group run by a certain
well-known British security researcher. Yes, him. Between about 8am
and ~1.30pm last Sunday, it was presenting an expired cert.
Which is of course an easy mistake to make, but if he can't get it
right or get his staff to get it right, what hope is there for the
rest of us? (Credit to them for noticing and fixing it on a Sunday,
mind.)

The site has been using Let's Encrypt certificates for a while, just
as everyone does who doesn't have quite literally more money than
sense, so renewal ought to have been an easily automated process.
Weirdly, apparently it was. crt.sh has logged a new Let's Encrypt
cert issued on 4 May which is valid until 2 August. That's the one
they're serving again at the time of writing.

So why did they start serving the invalid one? When did they start
serving it, given that it would have been valid until 08:13:05 (UK
civil time) on Sunday morning? Did they perhaps restore an old backup,
some time between 4 May and 31 May?

More to the point, this is something you can check automatically. All
right, a few years ago it wasn't. But I wrote a plugin for Nagios
that'll not only do full cert verification on connect (and speak
various flavours of STARTTLS to get you as far as the handshake –
SMTP, POP3, NNTP, IMAP4 and XMPP) but warn you about expiry dates too,
and released it. It's check_ssl_cert in my Nagios plugins collection,
which will also work with Icinga (which is what I'm now using) and
anything else that uses that plugin interface. (And if I never have
to work with the low-level code of Net::SSLeay again it'll be too
soon. I needed detailed access so that I could return useful errors
based on what might have gone wrong in the handshake, but SSL is
tentacles all the way down.)

So if this were one of my sites, when the old cert started to be
served again with less than 30 days of validity I'd have been paged by
the monitoring system to let me know that something had gone wrong.

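The kind of check described above, as an added example in Python rather than the Perl check_ssl_cert plugin from the post: it connects (plain TLS, or after SMTP STARTTLS), lets the standard library verify the chain and hostname against the system trust store, and then grades the remaining validity with Nagios exit codes so that a cert with under 30 days left raises WARNING before it ever expires. The script, its option names and the sample dates in the comments are mine, not the plugin's; the dates are constructed for illustration.

```python
#!/usr/bin/env python3
"""Nagios/Icinga-style TLS certificate check (added example, not the post's plugin).

Exit codes follow the Nagios plugin convention: 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN.
"""
import argparse
import smtplib
import socket
import ssl
import sys
from datetime import datetime, timedelta, timezone

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3
STATUS_NAME = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL", UNKNOWN: "UNKNOWN"}


def parse_cert_time(cert_time: str) -> datetime:
    """Turn the 'notAfter' string from getpeercert() (e.g. 'Aug  2 08:13:05 2020 GMT')
    into an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), tz=timezone.utc)


def grade_expiry(not_after: datetime, now: datetime,
                 warn_days: int = 30, crit_days: int = 7) -> tuple[int, str]:
    """Return (exit_code, message) for a certificate that expires at not_after.

    Thresholds are hypothetical defaults: WARNING under 30 days, CRITICAL under 7.
    """
    remaining = not_after - now
    if remaining <= timedelta(0):
        days_ago = (now - not_after).days
        return CRITICAL, f"certificate expired {days_ago} day(s) ago ({not_after.isoformat()})"
    days = remaining.days  # whole days left; floor, so '0' means 'today'
    if days < crit_days:
        return CRITICAL, f"certificate expires in {days} day(s) ({not_after.isoformat()})"
    if days < warn_days:
        return WARNING, f"certificate expires in {days} day(s) ({not_after.isoformat()})"
    return OK, f"certificate valid for {days} more day(s) ({not_after.isoformat()})"


def fetch_cert(host: str, port: int, starttls: bool = False, timeout: float = 10.0) -> dict:
    """Connect, perform full chain + hostname verification, and return the decoded leaf cert.

    An expired, untrusted or mismatched certificate makes the handshake itself fail
    with ssl.SSLCertVerificationError, so it never reaches the date check.
    """
    ctx = ssl.create_default_context()  # system CA store, hostname checking on
    if starttls:
        # SMTP STARTTLS: open a plaintext session, then upgrade it before reading the cert
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.starttls(context=ctx)
            return smtp.sock.getpeercert()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def main(argv=None) -> int:
    ap = argparse.ArgumentParser(description="Check TLS certificate validity and expiry")
    ap.add_argument("host")
    ap.add_argument("-p", "--port", type=int, default=443)
    ap.add_argument("--starttls", action="store_true",
                    help="speak SMTP STARTTLS before the handshake (e.g. port 25 or 587)")
    ap.add_argument("-w", "--warn", type=int, default=30, help="WARNING below this many days")
    ap.add_argument("-c", "--crit", type=int, default=7, help="CRITICAL below this many days")
    args = ap.parse_args(argv)
    try:
        cert = fetch_cert(args.host, args.port, args.starttls)
    except ssl.SSLCertVerificationError as e:
        print(f"CRITICAL - verification failed: {e.verify_message}")
        return CRITICAL
    except (OSError, smtplib.SMTPException) as e:
        print(f"UNKNOWN - could not connect: {e}")
        return UNKNOWN
    code, msg = grade_expiry(parse_cert_time(cert["notAfter"]),
                             datetime.now(timezone.utc), args.warn, args.crit)
    print(f"{STATUS_NAME[code]} - {msg}")
    return code


if __name__ == "__main__":
    sys.exit(main())
```

Run it as `check_tls_expiry.py www.example.com` or `check_tls_expiry.py mail.example.com -p 587 --starttls` from the monitoring host. Note the two distinct failure paths: a cert that is already expired (or otherwise untrusted) is caught by verification during the handshake, while the date grading is what gives the early warning that a stale cert has crept back into service with under 30 days to run.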
Yes, sure, I am perhaps a bit more paranoid than most. But on this
particular occasion at least that means that it's not my arse flapping
in the breeze.