IWETHEY v. 0.3.0 | TODO
1,095 registered users | 0 active users | 0 LpH | Statistics
Login | Create New User
IWETHEY Banner

Welcome to IWETHEY!

New Still going on.
We're seeing problems with servers at clients and several major providers including Amazon, multiple issues including DigiCert and GlobalSign. Weird intermittent stuff like only one or a few servers in a pool are misconfigured, such as lambda or S3 requests failing 1 out of 50 times (or 50 times in a row over a very brief period only).

Spent most of the day tracking down issues.
Regards,
-scott
Welcome to Rivendell, Mr. Anderson.
New we use a gummint cert internal to ourselves
we have a rash of issues where the root cert is not recognized. Assuming the trust check is broken in browsers/apps. Or hacked
"Science is the belief in the ignorance of the experts" – Richard Feynman
New We didn't have browser issues
But servers were having issues verifying other servers' certs.

Some of it was misconfiguration that was thrust into the light by whatever else is going on.

I'm still not sure how to fix things other than to put retries into our code where possible.
Regards,
-scott
Welcome to Rivendell, Mr. Anderson.
New Sectigo's SHA-1 root + intermediate certs expired.
The fix will be messy as the root cert lists for the OS and each application/service that brings its own will need updating.
New I don't think that's all that happened.
The server certs we're having issues with are GlobalSign and DigiCert, not Sectigo, and the problems are intermittent.

The client OS in question has updated certs and is on OpenSSL 1.1.1.

I manually removed the AddTrust certs but that didn't help either.
Regards,
-scott
Welcome to Rivendell, Mr. Anderson.
     I'm back; this time re "Sectigo" - (Ashton) - (21)
         Sounds like an update is needed. - (static)
         Also, thanks. - (static)
         Wade is likely right + couple of things to check - (scoenye) - (3)
             Going there: - (Ashton) - (2)
                 Don't nuke the CUPS certificate - (scoenye) - (1)
                     Gracias.. - (Ashton)
         Here's a page that might help, if you can get there. - (Another Scott) - (1)
             Hm: gives important also-too CLUE! (Can't Go-->There, either) - (Ashton)
         Something happened with SSL certs yesterday - (malraux) - (11)
             Thanks.. helps out, 'the Loneliness of the Long-distance tyro-Debugger .. a bit :-) -NT - (Ashton) - (10)
                 major cert trust domain issue yesterday - (boxley) - (9)
                     CRL lookup service blowout? The only thing I can think of that would cause widespread mayhem. -NT - (scoenye) - (3)
                         Heh.. that moniker sent moi --> Belgium and a ∆ re (my) access to Sectigo. - (Ashton) - (2)
                             That is what is going on - (scoenye) - (1)
                                 Excellent--Lots of peripheral info there too; Bonus. -NT - (Ashton)
                     Still going on. - (malraux) - (4)
                         we use a gummint cert internal to ourselves - (boxley) - (3)
                             We didn't have browser issues - (malraux) - (2)
                                 Sectigo's SHA-1 root + intermediate certs expired. - (scoenye) - (1)
                                     I don't think that's all that happened. - (malraux)
         Teapot; Tempest-in: Thanks all! stuff works. The post-mortem amusement awaits.. -NT - (Ashton)

Keep up the good work. Those dark sides need more advertising.
110 ms