Microsoft forgot to renew the certificate for its Windows Insider subdomain Microsoft has forgotten to renew the certificate for the web page of its Windows Insider software testing program. Attempting to visit the Windows Insider portal was returning the familiar "Your connection is not private" warning – as if webpages larded with scripts and trackers can truly be called "private." The problem has …
"Didn't they let the main domain registration expire once and somebody renewed it for them?"
Yes:
I work for a relatively small company but we have a ridiculous number of domains (more than a 1000) and websites and certificates to manage, oddly this falls to a team that is nothing to do with web development or website management at all, got love how organic growth of IT departments mean things end up in weird places. Just getting all our certs and domains in one place was massive piece of work, and then when the great HTTPS everything hit , well cert management is 50% of someones job.
It works pretty well but you can only provide the certs, someone has to schedule in the replacement and actually do it, yes there are automated processes but these don't always work and if someone doesn't notice then....
I would imagine a business like MS renew certs at the rate of 100s if not 1000s a day so the odd one is not not a bad fail rate, who can put thier hand up and say they have fail rate of 0.1% or better?
In a past life I was a betting shop manager, pass rate for the bet settling exam was 98% (money not bets) and that was hard to live up to.
oddly this falls to a team that is nothing to do with web development or website management at all, got love how organic growth of IT departments mean things end up in weird places
Bingo. I'm sure the guy in charge of the cert got laid off, reorganized, promoted, laterally moved, sacked, dumped, bounced out, canned, axed, eighty-sixed, given the old heave-ho, reshuffled or whatever, and his replacement (if there even is one) had no idea.
I'm sure there's a manager running around with his tail feathers set on fire by senior management, yelling "who's in charge of this? who has the passwords?"
"I'm sure the guy in charge of the cert got laid off, reorganized, promoted, laterally moved, sacked, dumped, bounced out, canned, axed, eighty-sixed, given the old heave-ho, reshuffled or whatever"
...without an order, signed in triplicate, sent in, sent back, queried, lost, found, subjected to public enquiry, lost again, and finally buried in soft peat for three months and recycled as firelighters.
Indeed. I have only 300 or so domains to manage. Acme/certbot are jolly good at automatically renewing domains 30 days before expiry. But something can still go wrong - like one of the additional names on the certificate gets moved or dumped so the whole certificate renewal fails leaving 30 days on the old certificate.
I have a simple bash script which reads the file of domains and checks the certificate and flashes up any that have dropped below the 30 day limit.
No time needed for auto-renewal. 60 seconds a week to monitor. 21 days to sort any issue (the bash script is run weekly). No significant resource needed.
Yep, Letsencrypt is not good for everything. But it's good for most and if you have got 1000 domains most will not need the perceived benefits of higher certified domains. Not that the bash script cares who issued the certificate. And if you use Cloudflare with their certificates you need to know they will not fail you.
A few more times Microsoft forgot to renew...
1999:
Microsoft Hotmail/Passport Service Interrupted:UPDATED
2003:
Microsoft forgets to renew hotmail.co.uk domain
2020:
Microsoft’s failures to renew: Teams, Hotmail, and Hotmail.co.uk
2021:
Some Windows 11 features are breaking because Microsoft forgot to renew a certificate
MS maintains their own global root CA. It's not a hard thing to automate securely either. Just someones backlog story and tech debt comming back to haunt them. I often think the world should just go the let's encrypt route so they are forced to implement automation.
Many will have been on the other side of this an developers can be really lazy when it comes to certificates, security or documentation that is external to their project.
Just saying use Let's Encrypt does not solve the problem but just puts a sticking plaster over things. Yes it is great and can save quite a bit of overhead but this then takes us full circle and you are now reliant on a third party.
In this case Microsoft has the tools to deal with it themselves and the reality is that this is simply human error in something being missed or not setup. Sure, it should not have happened and certificates are a pain in the neck to manage with you have thousands but do we really want to end up where the majority of certificates that are manged on the web are using the same tool?
Just because Let's Encrypt is free and run for the Public's benefit now does not mean that it will stay that way. Eyes will be looking as some eagle-eyed corporation spies a source of generating revenue.
This post has been deleted by its author
I had a support call yesterday from a friend who could not access his webmail because he was getting a message that his computer might be compromised. He sent me a screenshot of the error and it was a cert error for xx.btmail.bt.com. When I followed through with Firefox it stated cert expired at midnight Friday. OK today though. Downdetector did not show any particular problem.
You'd think MS would hire one person whose ENTIRE JOB is to do nothing but keep up with the certificates for their sites. Yeah, that may mean they only actually work 20 days a year, the rest of the time it's garbage-can basketball and YouTube videos. But at least it would keep up the facade that MS knows how this stuff works and knows what they're doing, instead of looking like a bunch of bumbling idiots time after time after time.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
