SSL Issues December 25, 2016 4:59 PM

Just a heads up, you may see an "SSL certificate has expired" warning. We're aware of it and working to fix it. Sorry about the hassle.
posted by restless_nomad (staff) to Bugs at 4:59 PM (63 comments total) 8 users marked this as a favorite

Thanks for the quick work then. Curious, do you just not have it set to renew?
posted by durandal at 5:12 PM on December 25, 2016


Jesus, 2016 is killing everything.
posted by Brandon Blatcher at 5:14 PM on December 25, 2016 [13 favorites]


Yeah, it looks like we had a hiccup either on our end or the other; we were getting this renewed last week, so I'm not sure what fell down.

Unfortunately, it's the middle of the night where frimble is so it may be a few hours before we can get it resolved. But the good news is it's just some sort of dumb ol' failure, not hijinks of any sort.

Sorry about this, y'all.
posted by cortex (staff) at 5:17 PM on December 25, 2016 [4 favorites]


Somebody ain't gonna be part of Secret Quonsar next year.
posted by Etrigan at 5:36 PM on December 25, 2016


Have you tried turning it off and turning it back on again?
posted by uosuaq at 5:38 PM on December 25, 2016 [24 favorites]


I miss the old JRun errors.
posted by urbanwhaleshark at 5:40 PM on December 25, 2016 [9 favorites]


Oh. That makes sense.
posted by Night_owl at 5:41 PM on December 25, 2016


...and it was always said of him, that he knew how to keep Christmas well, if any man alive possessed the knowledge. May that be truly said of us, and all of us! And so, as Tiny Tim observed, God bless Us, Every One!
posted by anotherpanacea at 5:49 PM on December 25, 2016 [1 favorite]


Sorry for the contact form urgent thing. Doing SSL certificates as part of my job, it's a big fucking deal that I get lit up about, went into work mode.

Much love for getting it sorted!
posted by deezil at 5:50 PM on December 25, 2016 [2 favorites]


Is it safe?
posted by Room 641-A at 6:22 PM on December 25, 2016


It's all good, I cleared my cache and cleaned up some browser things that probably should have been cleaned up anyways. But I am glad it's not just my computer. I was freaking out for a few minutes. Cheers.
posted by Fizz at 6:38 PM on December 25, 2016 [1 favorite]


How on earth did we end up with an SSL certificate that expires on Christmas in the first place?
posted by schmod at 7:11 PM on December 25, 2016 [6 favorites]


Obviously the answer is because it expired this time last Christmas.
posted by pwnguin at 7:20 PM on December 25, 2016 [13 favorites]


Are you calling me from a secure line?!
posted by I-baLL at 7:24 PM on December 25, 2016 [2 favorites]


Why do they expire, anyway? Do the bits just rot?
posted by thelonius at 7:24 PM on December 25, 2016 [1 favorite]


They're probably good for a while after the date, it's just they want to be careful. I leave them sitting out on the counter all the time and they're fine, but that's me.
posted by bongo_x at 7:38 PM on December 25, 2016 [44 favorites]


thelonius, SSL certificates have an expiration date built in -- it probably wouldn't be good for security purposes if you could get one that lasted forever. I think they usually last one to three years, but don't quote me on that. Obviously there was just a little glitch with the renewal process this year.
posted by uosuaq at 7:47 PM on December 25, 2016 [1 favorite]


Incidentally, for anyone who hasn't, during this century so far, tried manually setting their computer's clock to an incorrect date that's off by a few years in either direction, it's interesting how almost every bit of software that interacts with the internet breaks because of instantaneously-invalid SSL certificates or similar things.

It was such an innocent era of human history, when the computer's clock only mattered to the smarter pieces of trialware that refused to be fooled into continuing to function.
posted by XMLicious at 8:06 PM on December 25, 2016 [6 favorites]


Certs do expire, and I figure it's half racket, half kinda good security because cert revocation is not well regarded in the security industry.
posted by pwnguin at 8:07 PM on December 25, 2016 [3 favorites]


"Nice certificate you got there. Be a shame if anything—DOH!"
posted by Johnny Wallflower at 8:23 PM on December 25, 2016 [1 favorite]


Well, first you renew it, then you gotta install it. I always forget that last part.
posted by disclaimer at 8:24 PM on December 25, 2016 [4 favorites]


Also I like that it has to be renewed somewhat manually, because that means a human has to interact with parts of the server not usually interacted with, which is always a good thing to do housekeeping-wise.
posted by disclaimer at 8:26 PM on December 25, 2016 [2 favorites]


Why do they expire, anyway? Do the bits just rot?

The authentication oil wears out over time and picks up contaminants from the environment. Usually you send it back to the CA factory to get it serviced.
posted by indubitable at 8:29 PM on December 25, 2016 [11 favorites]


it's just some sort of dumb ol' failure, not hijinks of any sort.

Of course that's what you would say if you were some kind of nefarious black hat attacker, hijinking the domain, for ... uh, some kind of benefit to yourself I guess?
posted by aubilenon at 8:46 PM on December 25, 2016 [2 favorites]


Most crunchy granola type websites like metafilter, buy "locally sourced non-GMO" certificates made from 100% recycled bits. That's great and all, but first of all, almost no certificates are actually sourced locally. Secondly, non-GMO bits are as silly as gluten-free water. Last and most important is the recycled bits just aren't as durable as the newly-made bits you'll find in certificates for successful companies like Exxon-Mobil, Monsanto, Halliburton or Turing Pharmaceuticals.
posted by double block and bleed at 9:01 PM on December 25, 2016 [6 favorites]


More seriously, it was meant to ensure that certificate revocation lists are bounded in size. Certs that have expired are no longer published on revocation lists, so it's not possible to know whether it has been revoked (whether it's possible to know under normal circumstances, on the other hand, is open to debate...)
posted by indubitable at 9:10 PM on December 25, 2016 [1 favorite]


Just a heads up, you may see an "SSL certificate has expired" warning.

.

2016 strikes again.
posted by Joe in Australia at 9:47 PM on December 25, 2016 [3 favorites]


Seems to be fixed?
posted by Night_owl at 10:16 PM on December 25, 2016 [1 favorite]


The authentication oil wears out over time and picks up contaminants from the environment. Usually you send it back to the CA factory to get it serviced.

Fuck that, just get a rebuilt one. Don't forget to return the core.
posted by bongo_x at 10:40 PM on December 25, 2016


Seeing the new certificate now.

My condolences on the timing, this is usually way more of a headache than it should be even under ideal circumstances. Doing it live on a holiday is like a thousand times worse.
posted by fifteen schnitzengruben is my limit at 11:59 PM on December 25, 2016 [1 favorite]


The new certificate is in, yeah, and I'm just checking through things to make sure everything is fine before finally breathing out.
posted by frimble (staff) at 12:09 AM on December 26, 2016 [5 favorites]


Huh, apparently Chrome doesn't trust the new cert (literally it says "this certificate is not trusted" as the error) but I'm guessing that's a problem on my end now?
posted by Dysk at 1:04 AM on December 26, 2016


Well, I don't trust Chrome, so in a roundabout and crooked way, that makes sense. Maybe.
posted by Too-Ticky at 1:18 AM on December 26, 2016 [7 favorites]


Dysk, frimble will be having a look, but just a couple of questions: do you have secure browsing turned on as an option in your mefi preferences? (not necessarily the issue here, just collecting some data), and are you on mobile?
posted by taz (staff) at 1:40 AM on December 26, 2016


Mobile, chrome on Android (latest version of chrome), secure browsing is on, and while I can't get anything but the "server's certificate is not trusted" error by looking at the details where chrome complains, I swear it said that it was the issuing authority that was not trusted when the cert issue first popped up on each subdomain.
posted by Dysk at 1:57 AM on December 26, 2016


In fact, it gave me the interstitial error page on trying to post that comment, with the error "NET::ERROR_CERT_AUTHORITY_NOT_TRUSTED" or something like that - it wouldn't let me copy paste from the error page :/
posted by Dysk at 1:59 AM on December 26, 2016


Ah, thanks for the info!
posted by taz (staff) at 2:04 AM on December 26, 2016


...and it's stopped being an issue now. Either chrome spontaneously got over its trust issues, or frimble did something clever that I probably wouldn't understand. Either way, woo!
posted by Dysk at 2:13 AM on December 26, 2016 [1 favorite]


Woo!
posted by taz (staff) at 2:32 AM on December 26, 2016


New cert is there, but an intermediate is missing which means some browser/OS combinations won't see it as valid. You can see the details for what to fix here
posted by gregjones at 5:23 AM on December 26, 2016 [1 favorite]


Desktop (Chrome/Mac) is now fine, but I'm seeing "Invalid certificate authority" errors on Android.
posted by schmod at 8:24 AM on December 26, 2016


Have you guys considered Let's Encrypt? I've had good results thus far and the renewal can be automated with certbot. It's also free.
posted by axiom at 9:27 AM on December 26, 2016 [1 favorite]


It's something we could consider next time around, but for now the cert's taken care of until late 2019; just a matter of making sure the installation's ironed out.
posted by cortex (staff) at 10:14 AM on December 26, 2016


Looks like the wrong intermediate certificate is being served.

COMODO RSA Organization Validation Secure Server CA

Instead of

COMODO RSA Domain Validation Secure Server CA
posted by pixie at 10:56 AM on December 26, 2016 [2 favorites]
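Added example, not code from this page or from MetaFilter, showing the failure gregjones, schmod and pixie are describing: a client can only build a path from the server's leaf certificate to a root it already trusts if every intermediate in between is either sent in the handshake or already known to it. The script builds a throwaway CA hierarchy with the `cryptography` package (the names `Example Root CA`, `Example Domain Validation CA` and `Example Organization Validation CA` are stand-ins chosen here, not Comodo's real intermediates) and then walks the path three ways: with the right intermediate, with none, and with an intermediate from the same root that did not sign the leaf. The last two stop at the same place, which `openssl verify` reports as "unable to get local issuer certificate". Desktop browsers often paper over this by fetching or caching the missing intermediate, while many mobile stacks do not, which is one plausible reason a chain can look fine on a laptop and fail on Android.

```python
import datetime as dt

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Fixed clock so the example is reproducible; the dates are constructed, not MetaFilter's.
NOW = dt.datetime(2016, 12, 26, 12, 0, 0)


def _name(common_name):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])


def _cn(cert):
    return cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value


def issue(common_name, issuer=None, issuer_key=None, is_ca=False, days=365):
    """Create a key pair and a certificate for it. With no issuer the cert is self-signed (a root)."""
    key = ec.generate_private_key(ec.SECP256R1())
    signing_key = issuer_key if issuer_key is not None else key
    issuer_name = issuer.subject if issuer is not None else _name(common_name)
    cert = (
        x509.CertificateBuilder()
        .subject_name(_name(common_name))
        .issuer_name(issuer_name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(NOW)
        .not_valid_after(NOW + dt.timedelta(days=days))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .sign(signing_key, hashes.SHA256())
    )
    return cert, key


def _signed_by(cert, candidate_issuer):
    """True if candidate_issuer's public key verifies cert's signature over its TBS bytes."""
    try:
        candidate_issuer.public_key().verify(
            cert.signature, cert.tbs_certificate_bytes, ec.ECDSA(cert.signature_hash_algorithm)
        )
        return True
    except InvalidSignature:
        return False


def build_path(leaf, presented, trust_anchors):
    """Walk from the leaf towards a trust anchor using only the certs the server presented
    plus the anchors the client already trusts. Returns (status, [common names on the path])."""
    path = [leaf]
    current = leaf
    pool = list(presented)
    while True:
        # Does a locally trusted root directly issue the current cert?
        for anchor in trust_anchors:
            if current.issuer == anchor.subject and _signed_by(current, anchor):
                path.append(anchor)
                return "ok", [_cn(c) for c in path]
        # Otherwise we need a presented intermediate whose subject matches our issuer name
        # AND whose key actually signed us; a same-named but different CA fails the second test.
        nxt = next((c for c in pool if c.subject == current.issuer and _signed_by(current, c)), None)
        if nxt is None:
            # The situation openssl reports as "unable to get local issuer certificate".
            return "unable to get local issuer certificate", [_cn(c) for c in path]
        if not nxt.extensions.get_extension_for_class(x509.BasicConstraints).value.ca:
            return "intermediate is not a CA", [_cn(c) for c in path]
        pool.remove(nxt)
        path.append(nxt)
        current = nxt


def scenario():
    """Root, two sibling intermediates (DV and OV), and a leaf issued by the DV one."""
    root, root_key = issue("Example Root CA", is_ca=True, days=3650)
    dv_ca, dv_key = issue("Example Domain Validation CA", root, root_key, is_ca=True, days=1825)
    ov_ca, _ = issue("Example Organization Validation CA", root, root_key, is_ca=True, days=1825)
    leaf, _ = issue("www.example.net", dv_ca, dv_key)
    return root, dv_ca, ov_ca, leaf


if __name__ == "__main__":
    root, dv_ca, ov_ca, leaf = scenario()
    print("correct intermediate:", build_path(leaf, [dv_ca], [root]))
    print("no intermediate:     ", build_path(leaf, [], [root]))
    print("wrong intermediate:  ", build_path(leaf, [ov_ca], [root]))
```

Against a live host the equivalent check is `openssl s_client -connect host:443 -servername host -showcerts`, which prints exactly what the server sends, followed by `openssl verify -untrusted intermediate.pem leaf.pem` to confirm the leaf chains through the intermediate you think it should.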


I've now finally had a chance to get in front of a real computer again, in order to iron out the chain issues. Again, I'm so sorry that getting the new certificate in was such a bumpy ride, and hope that from here, it's smooth sailing through the sea of mixed metaphors.
posted by frimble (staff) at 12:17 PM on December 26, 2016 [15 favorites]


I've already added a note to the company calendar for Christmastime 2019, assuming we all survive the first three years of Trump.
posted by cortex (staff) at 12:37 PM on December 26, 2016 [13 favorites]


That looks happier and the new one doesn't have such a horrible expiry date.
posted by pixie at 1:12 PM on December 26, 2016 [1 favorite]


No worries, frimble. Thanks for sorting it during the holiday.
posted by Johnny Wallflower at 1:50 PM on December 26, 2016 [1 favorite]


Can someone help me renew my driver's license?
posted by Joseph Gurl at 2:23 PM on December 26, 2016 [4 favorites]


can someone do a william carlos williams thing for the certificate problem tx
i wouldn't want to take the spontaneity out of it, but can someone do a william carlos williams thing
nor put a great deal of pressure on anyone to live up to the challenge of the wcw meme, but will someone anyway
it is a time of gift giving
it could even be a staff member, because they are literally beyond reproach
I don't mean that passive aggressively
could someone do a wcw thing?
i acknowledge fully that i don't even have the standing in the community to request it, so it's awkward, but could someone do the wcw thing
i traditionally give in to shyness, so won't try a wcw thing myself, just posting this message will be embarrassing enough
leaving you, deer reader (what do you call a field & stream subscriber), with the pleasant diversion of doing a wcw thing
that we all will love
give us a poem that we all will love


I encountered this error message in Firefox on Christmas night too.
posted by sylvanshine at 4:41 PM on December 26, 2016 [4 favorites]


Thank frimble
They have secured the sockets
That were in our layer.
They now have integrity.
So symmetric
And so encrypted.
posted by sockermom at 4:49 PM on December 26, 2016 [16 favorites]


Can someone help me renew my driver's license?

If you'd beaten MeFi to hiring frimble, it'd already be done.
posted by Dysk at 6:11 PM on December 26, 2016 [1 favorite]


Sooo... My brain is seasonally mulled, is there a fairly (autocorrect: faulty) trivial mechanism whereby someone non-mod can verify that the expired cert expired in the normal way/at the correct, expected time, instead of e.g. legally-unreportable shenanigans? (To emphasise my commitment(s) to strong information security practices and mulled alcomohols I am willing to accept any vaguely plausible answer from a half-recognised username).

Cheers *hic*!
posted by comealongpole at 6:49 PM on December 26, 2016


I was initially getting errors because of an expired cert with a listed expiry date of 26/12/2016. Said cert was issued on [can't recall]/11/2015, so that certainly seems legit - most certs run 1-3 years. Coupled with the mods telling us that it was expected to expire around now, it seems like you'd have to have a pretty compelling reason to think that any shenanigans were up (other than maybe with whatever automated renewal or installation of renewed cert is in place).

All dates in UK dd/mm/yyyy format.
posted by Dysk at 7:07 PM on December 26, 2016 [1 favorite]


That'll do! *Barney from Simpsons burp*
posted by comealongpole at 7:30 PM on December 26, 2016


Call the roller of big server farms,
The nerdy one, and bid him whip
In SHA-3 cups concupiscent certs.
Let the instances dawdle in such chains
As they are used to fly, and let the sockets
Bring packets in last month's newspapers.
Let be be finale of seem.
The only emperor is the emperor of certificationing.
posted by jenkinsEar at 8:11 PM on December 26, 2016 [7 favorites]


This is just to say

I have replaced
the certificate
that validated
the website's identity

and which
you were probably
getting
errors from

Forgive me
but it had expired
on Christmas
Goddamnit
posted by Reverend John at 9:45 PM on December 26, 2016 [15 favorites]


so much depends
upon

an SSL
cert

glazed with re-
newal

beside the web
server
posted by cortex (staff) at 10:20 PM on December 26, 2016 [10 favorites]


There once was a website certificate,
That informed all the site was legitimate,
But of course it expired,
when frimble was tired,
oh look, they've already a-fix-ed it.
posted by quinndexter at 10:41 PM on December 26, 2016 [15 favorites]


Once upon a Christmas merry, while I pondered, drunk and airy,
Over many a quaint and curious post of information swell,
While I nodded, nearly napping, suddenly there came a tapping,
As of someone gently rapping, tapping at their phone of cell
"'Tis some display err," I muttered, "so they cannot click so well --
Only this for me to quell."

Open here I flung the e-mail, when, through distant haze of cocktail,
In there stepped a stately Problem from the darkest depths of hell;
Not the least sense made it to me, when I first read reports gloomy,
Of the failure of the certificate which our security does tell --
With aitch tee tee pee ess in address bar it does tell --
And with a lock says all is well.

The e-mails flew fast and thick, the flags showed dramatic uptick,
With a grave and stern request to insecurity repel:
"Thy certificate has expired! The situation is quite dire!
Have you been hackéd by malicious Russian web cartel?
What dark mischief caused our group blog to be haunted by this infidel?"
Quoth the server, "SSL."
posted by Eyebrows McGee (staff) at 11:06 PM on December 26, 2016 [23 favorites]


Christmas snowflakes fall
CERTIFICATE EXPIRED
White browser window.
posted by ardgedee at 9:08 AM on December 27, 2016 [3 favorites]


Whan that Decimbre with his shoures soote
The Certe of Novimbre hath perced to the roote,
And bathed every FPP in swich errure
Of which vertu endangred is the secoure; ...
posted by Greg_Ace at 9:35 AM on December 27, 2016 [4 favorites]


Sooo... My brain is seasonally mulled, is there a fairly (autocorrect: faulty) trivial mechanism whereby someone non-mod can verify that the expired cert expired in the normal way/at the correct, expected time, instead of e.g. legally-unreportable shenanigans?

Nearly all SSL shenanigans are legally unreportable, but if an end user wants to verify that the certificate provided has expired, then this is doable in browser. If you want to learn how, point your browser at expired.badssl.com. In Firefox, I get an insecure connection warning, and clicking advanced offers the message:
"expired.badssl.com uses an invalid security certificate.

The certificate expired on 04/12/2015 04:59 PM. The current time is 12/27/2016 10:26 PM.

Error code: SEC_ERROR_EXPIRED_CERTIFICATE"
And if you choose to trust it anyways, there's a View Certificate button to click to see what the certificate said the expiration date & time was. So anyone can do that part. And it doesn't even have to be expired; if you click on the green lock shown on an https:// url, the > arrow, More Information, View Certificate, it's all right there. Right next to the "Beware of Tiger" sign.

But there's a variety of possible implausible scenarios in which an expired cert is an indication of malfeasance. If someone kept around an archive of all metafilter certs ever, there might have been a few comparatively weak ones that someone could use to break. The standard of practice for SSL evolves over time as computers get more powerful, which is part of why they expire in the first place. A very old cert might be weak enough for someone to brute force a private key for, or use an algorithm once thought strong enough for cryptographic purposes.

Otherwise, most of the more interesting possibilities wouldn't be detectable via expiration. If MetaFilter's ColdFusion runtime was hacked, it seems likely an attacker could obtain the private key, and if they ran LetsEncrypt on the same server, probably could also automatically issue a new one. But also, they hacked the entire website, so I'm not sure what extra the SSL key would net them in this hypothetical. They'd probably just leave the cert alone, because changing it would call unwanted attention.

tl;dr: if it were really out of date, that'd be concerning. If it's only hours out of date, I lean towards sysadmin error.
posted by pwnguin at 11:03 PM on December 27, 2016 [3 favorites]
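Added example, not code from this page: pwnguin's rule of thumb above (a few hours past the expiry date reads like a lapsed renewal, months past it deserves a harder look) and XMLicious's point about a wrong client clock, turned into a small classifier over the dictionary `ssl.SSLSocket.getpeercert()` returns. `SAMPLE_CERT` is constructed for the example and is not MetaFilter's real certificate; its dates only loosely follow what Dysk reports (issued November 2015, expiring around 25/26 December 2016). The 3-day and 14-day thresholds are assumptions chosen here, not a standard.

```python
import ssl

DAY = 86400

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns. Not MetaFilter's real
# certificate: the dates only loosely follow what Dysk reports above (issued Nov 2015, ~13 months).
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.net"),),),
    "issuer": ((("commonName", "Example Domain Validation CA"),),),
    "notBefore": "Nov 24 00:00:00 2015 GMT",
    "notAfter": "Dec 25 23:59:59 2016 GMT",
}


def epoch(cert_time):
    """Parse the 'Mon DD HH:MM:SS YYYY GMT' timestamps getpeercert() uses into Unix time (UTC)."""
    return ssl.cert_time_to_seconds(cert_time)


def lifetime_days(cert):
    """Total validity period. Public CAs issued one- to three-year certs in 2016, so a lifetime
    far outside that range is itself worth a second look."""
    return (epoch(cert["notAfter"]) - epoch(cert["notBefore"])) / DAY


def classify_validity(cert, now, renewal_lapse_days=3, warn_days=14):
    """Place 'now' (Unix time) relative to the validity window and say what that most likely means.

    renewal_lapse_days and warn_days are thresholds assumed for this example, not a standard."""
    not_before = epoch(cert["notBefore"])
    not_after = epoch(cert["notAfter"])
    if not_after <= not_before:
        return "malformed", "notAfter is not after notBefore"
    if now < not_before:
        # Either the cert really is future-dated or, far more often, the client clock is wrong
        # (XMLicious's experiment above: set the clock back a few years and everything breaks).
        days_until = (not_before - now) / DAY
        return "not-yet-valid", f"window opens {days_until:.1f} days from now; check the client clock first"
    if now > not_after:
        lapse = (now - not_after) / DAY
        if lapse <= renewal_lapse_days:
            return "expired-recently", f"expired {lapse * 24:.1f} hours ago; consistent with a renewal not installed in time"
        return "expired-long-ago", f"expired {lapse:.0f} days ago; the site has been serving a dead cert, look harder"
    remaining = (not_after - now) / DAY
    if remaining <= warn_days:
        return "expiring-soon", f"{remaining:.1f} days left; renew and install now"
    return "valid", f"{remaining:.0f} days left"


if __name__ == "__main__":
    print(f"lifetime: {lifetime_days(SAMPLE_CERT):.0f} days")
    for when in ("Jun 01 00:00:00 2016 GMT", "Dec 20 00:00:00 2016 GMT",
                 "Dec 26 03:00:00 2016 GMT", "Jun 01 00:00:00 2017 GMT",
                 "Jan 01 00:00:00 2014 GMT"):
        print(when, "->", classify_validity(SAMPLE_CERT, epoch(when)))
```

Note that with a default `ssl.create_default_context()` the handshake itself refuses an expired peer certificate before `getpeercert()` ever returns anything, so this classifier is for a certificate you already hold, whether from a successful connection or from the browser's View Certificate dialog described above; the in-browser route is the one a non-admin actually has.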

