I started seeing several of our servers' external SSL requests fail due to certificate errors.
Something happened with SSL certs yesterday
I started seeing several of our servers' external SSL requests fail due to certificate errors. Regards, -scott Welcome to Rivendell, Mr. Anderson. |
|
Thanks.. helps out, 'the Loneliness of the Long-distance tyro-Debugger .. a bit :-)
|
|
major cert trust domain issue yesterday
seems like no one could recognize the root store as a valid signer regardless of issuer "Science is the belief in the ignorance of the experts" – Richard Feynman |
|
CRL lookup service blowout? The only thing I can think of that would cause widespread mayhem.
|
|
Heh.. that moniker sent moi --> Belgium and a ∆ re (my) access to Sectigo.
Query got link there, http://ocsp.eid.belgium.be, displayed "Welcome to Verizon OGCM OCSP responder", That was all, on blank page; a Test kinda thing? (and if my query were bogus, might have said something else??) BUT! that link got me to: Sectigo! and atop their addy was: Any Sectigo certificate user needing help due to the recent ADDTrust legacy root expiration should contact Sectigo support. THIS was that link: https://sectigo.com/campaign/enterprise-smime-whitepaper?utm_term=%2Bsecurity%20%2Bcertificate&utm_campaign=Sectigo+Enterprise_Secure+Email+Certificates_US+%26+Canada&utm_source=adwords&utm_medium=ppc&hsa_acc=6918550654&hsa_cam=1669010629&hsa_grp=71527348455&hsa_ad=408476097250&hsa_src=g&hsa_tgt=kwd-302057101089&hsa_kw=%2Bsecurity%20%2Bcertificate&hsa_mt=b&hsa_net=adwords&hsa_ver=3&gclid=EAIaIQobChMIueTJ3pTi6QIVgD2tBh3LKgqNEAMYAiAAEgJi6PD_BwE (I left the post-? stuff there, in event it is revelatory. But now: trying just the basic addy: WORKS! por moi; guess the ∑-boffins are In Conference. f.w.i.w. |
|
That is what is going on
https://www.theregister.com/2020/06/02/sectigo_root_cert_expires/ On Saturday, at 10:48 UTC, Sectigo's AddTrust legacy root certificate expired, causing a bit of weekend havoc for thousands of websites and services that rely on it for making a secure TLS/SSL connection. My browser is fairly up-to-date so it used the new chain. You'll have go the manual install route if Apple doesn't issue a root cert update for the older Safaris. |
|
Excellent--Lots of peripheral info there too; Bonus.
|
|
Still going on.
We're seeing problems with servers at clients and several major providers including Amazon, multiple issues including DigiCert and GlobalSign. Weird intermittent stuff like only one or a few servers in a pool are misconfigured, such as lambda or S3 requests failing 1 out of 50 times (or 50 times in a row over a very brief period only). Spent most of the day tracking down issues. Regards, -scott Welcome to Rivendell, Mr. Anderson. |
|
we use a gummint cert internal to ourselves
we have a rash of issues where the root cert is not recognized. Assuming the trust check is broken in browsers/apps. Or hacked "Science is the belief in the ignorance of the experts" – Richard Feynman |
|
We didn't have browser issues
But servers were having issues verifying other servers' certs. Some of it was misconfiguration that was thrust into the light by whatever else is going on. I'm still not sure how to fix things other than to put retries into our code where possible. Regards, -scott Welcome to Rivendell, Mr. Anderson. |
|
Sectigo's SHA-1 root + intermediate certs expired.
The fix will be messy as the root cert lists for the OS and each application/service that brings its own will need updating. |
|
I don't think that's all that happened.
The server certs we're having issues with are GlobalSign and DigiCert, not Sectigo, and the problems are intermittent. The client OS in question has updated certs and is on OpenSSL 1.1.1. I manually removed the AddTrust certs but that didn't help either. Regards, -scott Welcome to Rivendell, Mr. Anderson. |