Xero, Slack suffer outages just as Let's Encrypt root cert expiry downs other websites, services Websites and apps are suffering or have suffered outages around the world for at least some netizens today due to connectivity issues. Though the exact causes of the IT breakdowns are in many cases not fully known right now, there has been a sudden uptick in downtime right as Let's Encrypt, which provides free HTTPS …
Its not necessarily that sysadmins didn't fix things.
As I saw in my iOS devices and my 3rd party email clients, the system level software decided to latch onto the old no-longer-in-use cert and associated it with many connections internally. When the old not-in-use intermediary cert expired, my devices decided that they should still use it and complain and refuse to connect.
Even though my Let's Encrypt certs were all good with the new roots for quite some time.
We have had root CA certs expire in the past with some fallout, but without them being as widespread as Let's Encrypt has been, they have not raised that much noise. We will have additional root CAs expire in the future, with the potential for more issues with system code.
Meanwhile.... Amazon Kindle Wikipedia look-up is STILL borked.
https://www.amazonforum.com/s/question/0D56Q000084k4bj/why-do-i-get-invalid-certificate-error-when-accessing-wikipedia
Why do I get "Invalid Certificate" error when accessing Wikipedia?
"I noticed on October 2nd that my {Kindle} gets an "Invalid Certificate" error whenever I try to access Wikipedia."
Going on TEN WEEKS now. Confirmed on 7g and 10g devices. Restarting no help. No newer software.
Amazon seems to be repeatedly unaware of the issue.
Granted not everybody uses this feature. But the books I read, I need a lot of look-up. And we know Kindle logs EVERY finger-stroke to headquarters. (Yes, every stroke/swipe/tap.) You'd think the sudden spike in errors would stir some interest?
Yeah, because your ISP didn't flush their DNS cache or install NTAs for slack.com after they borked themselves with bad DNSSec setup.
DNS at the top domain level is cached for a day or two with a TTL of 2d.
Google DNS (and other large providers) probably slapped some NTAs on slack.com to cut down on the complaint levels they were probably getting for slack.com's mismanagement of their DNS.
Some years back, I had to give an entire LAN/WAN shop a quick course on SSL, especially as regards to the resource human friendly hostname.
At the time I was in information security, having moved up from that same shop. Implementing it isn't rocket science!
SSL loses trust, check cert, root cert, awshit - got the new one, trust it, flush the proxy server cache, go to lunch early.
This post has been deleted by its author
These are sound ideas, but here the problem is that LetsEncrypt was relying on another organisation's existing intermediate cert (created a long time ago, when people perhaps didn't think of that) and it happens to expire when it happens to expire, so there's not really a lot they can do about that.
I've never understood why certificates need expiry dates.
Given they can be revoked, why do you need to guess when issued how long it will need to exist for?
If the argument for expiring them is that hash and signing algorithms improve, them simply revoke the cert when it is considered sufficiently weakend by advances in cryotography.
So many outages have been caused by certificates expiring.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
