All extensions disabled due to expiration of intermediate signing cert

(bugzilla.mozilla.org)

1318 points xvector | 1 comments | 04 May 19 01:31 UTC | HN request time: 0.21s | source

Show context

needle0 ◴[04 May 19 01:56 UTC] No.19823806[source]▶

>>19823701 (OP) #

I’ll still keep using Firefox since I recognize the importance of browser diversity and the hazards of a Chrome monoculture (that and vertical tabs), but, yikes.

Still, this type of oversight seems all too common even in large companies. I remember several cases from Fortune 500 companies in the past few years alone. What would be a good way to automate checking for them? Has anyone developed a tool designed specifically to avoid certificate expiry disasters?

replies(18): >>19823825 #>>19823829 #>>19823831 #>>19823840 #>>19823848 #>>19823861 #>>19823913 #>>19823994 #>>19824009 #>>19824223 #>>19824243 #>>19824298 #>>19824668 #>>19824724 #>>19824795 #>>19824840 #>>19824927 #>>19825103 #

revvx ◴[04 May 19 02:36 UTC] No.19823994[source]▶

>>19823806 #

> Still, this type of oversight seems all too common even in large companies. (...) Has anyone developed a tool designed specifically to avoid certificate expiry disasters?

LetsEncrypt renewal is supposed to be automated. [1]

I know of a company that hosted blogs for thousands of customers. They used LetsEncrypt, but the CTO considered automatic renewals a possible security risk, so they did it manually. Problem is, the expiration happened in a weekend and they "forgot" to update the certificates before that. Suffice to say that the next Monday wasn't pleasant. They automated after that.

[1] https://letsencrypt.org/about/

replies(9): >>19824056 #>>19824264 #>>19824303 #>>19824403 #>>19824729 #>>19824926 #>>19825434 #>>19825826 #>>19826191 #

1. bluejay2387 ◴[04 May 19 11:33 UTC] No.19825826[source]▶

>>19823994 #

We update automatically AND manually check periodically to make sure the update took place. That company must be overly fond of drama...

↑