Not related but another GitHub issue today: https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-k... , https://news.ycombinator.com/item?id=35285390
I built a free monitoring service some years ago if anyone doesn't want to be the victim of this...
https://ismycertexpired.com/check?domain=objects.githubuserc...
Guess this will never stop happening
Whomst among us hasn't made the old "accidentally let the SSL cert expire" mistake?
Caddy and the auto-issuing certs is the next step, but that is prone to failure, too, of a different kind.
Automated certificate issuing is a problem by itself. "The authority that issued my cert isn't the authority that I thought it was but it looks the same and works, so carry on" kind of thing.
…and with more frequency in the future. 90 day certs are going to make it happen all the more often.
I hope whoever thought of that gets a lot of angry emails every 90 days.
Make certs expire in 14 days and I bet this would never happen
Disagree. Making certs expire more frequently will actually make the problem less likely to happen.
Looks like they tried to rotate the cert, maybe due to the private key leak. But instead, they rolled the wrong expired key to all content domains.
I'm more thinking the new host key prevented SSL cert rotation from happening properly
Maybe, but only if they're refreshing certificates less than a day before expiry. Which isn't ideal.
They just posted this update on GitHub Status - related to GitHub Pages:
See https://www.githubstatus.com/incidents/x7njwb481j9b
And now (Mar 24, 2023 - 21:10 UTC):
This is indeed resolved.
Glad I'm not the only one.
Getting the same when trying to wget a release - says failed to verify certificate for objects.githubusercontent.com
How is it that literally nobody – whether deploying a hobby project or working at Microsoft or Google – has ever been able to figure out cert rotation? There's a billion dollar company waiting to be built if someone can just ensure that all my TLS certs across all servers will stay up to date for all eternity.
> How is it that literally nobody – whether deploying a hobby project or working at Microsoft or Google – has ever been able to figure out cert rotation? There's a billion dollar company waiting to be built if someone can just ensure that all my TLS certs across all servers will stay up to date for all eternity.
After doing SRE work for big companies, I have observed that many individuals, particularly young developers at well-known companies, are hesitant to ask for help for fear of appearing incompetent. Consequently, their mistakes may go unnoticed for extended periods of time, as is the case today.
Unfortunately, even senior developers may make errors due to their egos. There is no comprehensive company-wide policy that can prevent individuals from being foolish or overconfident. When working for major corporations such as Microsoft or Google, one cannot expect to micromanage everyone constantly. One must trust that individuals will perform their duties to the best of their abilities.
Let us accept that humans are not infallible, and that unintentional mistakes, such as this one, can and will occur. The key is to address these issues promptly and efficiently.
They're serving the wrong cert on pkg-containers.githubusercontent.com (it's for *.githubassets.com) and their support site also expired 3/21... https://support.github.com/ What is going on over there?
Layoffs?
I reported an expired certificate to DigitalOcean last week, it was for their package repository which meant apt-get would give warnings. These things happen. Was fixed in an hour.
Same for raw.githubusercontent.com, which is images, raw text files etc. Certificate validity end date: Tue, 21 Mar 2023 23:59:59 GMT
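The failure modes named in this subthread and in the auto-issuance subthread above (a cert for the wrong name being served, a cert that expired with nobody noticing, and an auto-issuer quietly handing you a cert from a CA you did not expect) are all things a small monitor can catch. The following is an added example, not code from this thread or from GitHub: a stdlib-only Python checker that evaluates a certificate in the shape `ssl.SSLSocket.getpeercert()` returns. The certificate dicts, the "Example Issuing CA" issuer name, the clock value and the 30-day renewal threshold are all constructed for the example; the real issuer of GitHub's certificates is not stated in the thread.

```python
"""Certificate health check: name match, expiry/renewal lag and issuer pin."""
import socket
import ssl
import time


def _name_attr(name, attr):
    """Return the first value of `attr` (e.g. 'commonName') in a getpeercert() name.

    getpeercert() encodes subject/issuer as a tuple of RDNs, each a tuple of
    (attribute, value) pairs.
    """
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def hostname_matches(hostname, cert):
    """RFC 6125-style match of `hostname` against the DNS SANs in `cert`.

    A wildcard is honoured only as the whole leftmost label and matches exactly
    one label, so '*.githubassets.com' covers 'assets.githubassets.com' but not
    'pkg-containers.githubusercontent.com', 'githubassets.com' or 'a.b.githubassets.com'.
    The commonName is ignored on purpose, as browsers ignore it.
    """
    host = hostname.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pattern = value.lower().rstrip(".")
        if pattern.startswith("*."):
            suffix = pattern[1:]  # ".githubassets.com"
            prefix = host[: -len(suffix)] if host.endswith(suffix) else ""
            if prefix and "." not in prefix:
                return True
        elif pattern == host:
            return True
    return False


def days_until_expiry(cert, now=None):
    """Days (float, negative once expired) until the cert's notAfter."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400.0


def evaluate_cert(hostname, cert, expected_issuer_cn=None, renew_days=30, now=None):
    """Return a list of findings for `cert` as served by `hostname`; [] means healthy.

    Three checks, one per failure mode discussed in the thread: the name on the
    cert is not the name connected to; the cert is expired or within `renew_days`
    of expiry (by which point automated renewal should already have replaced it);
    the issuer is not the CA that was expected.
    """
    findings = []
    if not hostname_matches(hostname, cert):
        sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
        findings.append(f"name mismatch: {hostname} not covered by SANs {sans}")
    days = days_until_expiry(cert, now)
    if days < 0:
        findings.append(f"expired {-days:.1f} days ago ({cert['notAfter']})")
    elif days < renew_days:
        findings.append(f"expires in {days:.1f} days; renewal is late")
    issuer_cn = _name_attr(cert.get("issuer", ()), "commonName")
    if expected_issuer_cn is not None and issuer_cn != expected_issuer_cn:
        findings.append(f"unexpected issuer: {issuer_cn!r} (expected {expected_issuer_cn!r})")
    return findings


def check_host(hostname, port=443, timeout=5.0, **kwargs):
    """Connect to hostname:port and evaluate the certificate actually served.

    Hostname checking is disabled so a cert for the wrong name is still handed
    back for inspection; chain and validity checks stay on, so an expired or
    untrusted cert surfaces as ssl.SSLCertVerificationError and is returned as a
    finding rather than raised. SNI is still sent via server_hostname.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # names are matched by evaluate_cert instead
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return evaluate_cert(hostname, tls.getpeercert(), **kwargs)
    except ssl.SSLCertVerificationError as exc:
        return [f"verification failed: {exc.verify_message}"]


# Constructed sample data (not real certificates): a *.githubassets.com cert that
# expired 21 Mar 2023, as the thread reports was being served for a
# githubusercontent.com host. Issuer names are placeholders.
WRONG_CERT = {
    "subject": ((("commonName", "*.githubassets.com"),),),
    "issuer": ((("organizationName", "Example CA Corp"),),
               (("commonName", "Example Issuing CA"),)),
    "notBefore": "Feb 20 00:00:00 2023 GMT",
    "notAfter": "Mar 21 23:59:59 2023 GMT",
    "subjectAltName": (("DNS", "*.githubassets.com"), ("DNS", "githubassets.com")),
}
GOOD_CERT = dict(WRONG_CERT, notAfter="Jun 19 23:59:59 2023 GMT",
                 subjectAltName=(("DNS", "*.githubusercontent.com"),))
NOW = ssl.cert_time_to_seconds("Mar 24 12:00:00 2023 GMT")  # assumed clock: day of the thread

if __name__ == "__main__":
    for host, cert in [("pkg-containers.githubusercontent.com", WRONG_CERT),
                       ("objects.githubusercontent.com", GOOD_CERT)]:
        print(host, evaluate_cert(host, cert, expected_issuer_cn="Example Issuing CA", now=NOW) or ["ok"])
```

Run it against live hosts with `check_host("objects.githubusercontent.com", expected_issuer_cn=...)` from cron, and treat a non-empty list as a page. The `renew_days` threshold is the point the "refreshing certificates less than a day before expiry" reply makes: alert when renewal is late, not when the cert has already expired.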
They're not having a great Friday.
It does make me feel slightly less bad about the environment I have to maintain.
Heh, just noticed this myself.
FIXED!
It's better now.
Maybe the certificate crew is laid off?
expired two days ago (3/22/2023) and no one cares
I think they added the wrong cert. It was working earlier today.