
Ask HN: What is going on with SSL certs? - julesie
I'm suddenly getting SSL errors from unrelated services we use. For example status.algolia.com, Pingdom and others.
======
cpach
See this thread:
[https://news.ycombinator.com/item?id=23362759](https://news.ycombinator.com/item?id=23362759)

------
ivanr
One of the AddTrust root certificates has just expired. This is the
certificate: [https://crt.sh/?id=1](https://crt.sh/?id=1)

This certificate was originally deployed some 20 years ago and expired today.
There will be servers out there configured with certificate chains that
terminate with this particular root. I've also seen some expired intermediates
as well. In theory, this shouldn't be a problem. Clients with modern PKI
stacks should be able to deal with the expiration by using path building to
find trust paths that are still valid, but there appears to be a long tail of
clients that don't handle this situation well.

If you've received a notification from a monitoring platform and the leaf
certificate is still valid, the notification is likely to be a false positive.
I got one of those.

You should probably be able to neutralise the false positives by reconfiguring
your servers with a different chain, one that terminates with a still-valid
root. Don't include the expired root in the chain. You should do this for
maximum compatibility with old clients also.
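To make the path-building point above concrete, here is an added example (not from this thread or any project): a constructed miniature PKI in Go with invented names that mirrors the AddTrust situation, an expired old root, a newer root for the same CA key, the old root's expired cross-certificate, an intermediate and a server leaf, which Go's crypto/x509 path builder then validates in the role of a "modern client". The certificate names, the `issue`, `BuildPKI` and `Verify` helpers and the validity windows are all assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs a certificate for key's public key with signer. A nil parent means self-signed (a root);
// re-issuing a root's subject and key under a different parent yields a cross-certificate.
func issue(cn string, key *ecdsa.PrivateKey, parent *x509.Certificate, signer *ecdsa.PrivateKey, ca bool, notAfter time.Time) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: notAfter.AddDate(-10, 0, 0), NotAfter: notAfter, IsCA: ca, BasicConstraintsValid: true}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced by CreateCertificate always parses
	return cert
}

// PKI is a constructed stand-in for the AddTrust situation (all names invented): an expired old root, a newer
// root carrying the same CA key, the old root's (also expired) cross-certificate for that key, an intermediate
// chaining to the newer root, and a server leaf.
type PKI struct{ OldRoot, NewRoot, Cross, Intermediate, Leaf *x509.Certificate }

func BuildPKI() PKI {
	expired, valid := time.Now().AddDate(-1, 0, 0), time.Now().AddDate(5, 0, 0)
	key := func() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }
	oldK, newK, intK, leafK := key(), key(), key(), key()
	old := issue("Old Root CA", oldK, nil, nil, true, expired)
	newRoot := issue("Newer Root CA", newK, nil, nil, true, valid)
	cross := issue("Newer Root CA", newK, old, oldK, true, expired) // same subject and key as newRoot
	inter := issue("Intermediate CA", intK, newRoot, newK, true, valid)
	leaf := issue("www.example.test", leafK, inter, intK, false, valid)
	return PKI{old, newRoot, cross, inter, leaf}
}

// Verify runs Go's path builder over what the server sent plus the client's trust store; it returns nil
// when some path from leaf to a trusted, still-valid root exists, even if other served certs have expired.
func Verify(leaf *x509.Certificate, served, roots []*x509.Certificate) error {
	ip, rp := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range served { ip.AddCert(c) }
	for _, c := range roots { rp.AddCert(c) }
	_, err := leaf.Verify(x509.VerifyOptions{Intermediates: ip, Roots: rp})
	return err
}
```

A client that trusts only the old root fails whatever the server sends, a client trusting the newer root succeeds even when the served chain still carries the expired cross-certificate and root, and the served chain trimmed to just the intermediate succeeds as well, which is the reconfiguration suggested above.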

------
chrisked
Came here to say it is happening on our end too. Received a lot of expired
SSL cert notifications, but cannot reproduce it. Currently trying to
understand why this is happening. At first sight it seems like a glitch.

~~~
dylz
You are either sending and explicitly trusting a full chain up to AddTrust, or
something of the sort. Or you might still have expired AddTrust in your
ca-certificates bundle.

I haven't seen this issue reproducible in any modern browser, but it's been
annoying with explicitly-defined trust stores in some old apps.

------
live_alone
We are also facing sudden SSL issues.

