
Techcrunch SSL Cert Expired - twistedpair
https://techcrunch.com/
======
mholt
Is this a good opportunity to plug an open source project I've been working on
for 5 years that basically solves this problem?
[https://caddyserver.com](https://caddyserver.com) will keep your certs
renewed for free, automatically, without extra tooling, dependencies, or
moving parts. I really hope more sites will use it because this stuff happens.

If you've heard of Caddy but haven't used Caddy 2 yet, we've made some huge
improvements with it, and it's capable of managing tens of thousands of
certificates at a time. As of next week's beta it can handle certificates with
lifetimes as short as a few minutes. It works as a load balancer, in a cluster
behind load balancers, and with Docker with its new dynamic config API.
There are no technical reasons I know of why sites like TechCrunch can't use it.

~~~
vinaypai
What does it do that certbot doesn't? Personally, I don't see the benefit of
bundling certificate renewals with the HTTPS server.

~~~
mholt
A quick perusal of the Let's Encrypt forums will reveal a few issues. For one,
it's easy to misconfigure. There's a lot of surface area it has to cover in
the web server and there's a lot that can go wrong. It can also be tricky to
install since it is separate from your web server and has a number of complex
dependency requirements (like many large Python programs). And because it's
an external dependency, there's no way the server can react to errors in
CertBot, only CertBot can control the server, so you don't get the benefit of
duplexed interactions.

Caddy is written in Go, a memory safe language. I cannot overstate how
significant it is that most servers like nginx, Apache, and HAProxy are
written in C and cannot offer the same security guarantees.

Caddy will also staple OCSP, in the most robust way compared to other servers.
It has weathered outages that took Apache and NGINX sites down (in Firefox).

We've also seen CertBot consume high amounts of resources at scale, whereas
Caddy can handle thousands of certs no problem. That's why some companies have
talked to me about why they switched.

Caddy can coordinate cert management in a cluster. This happens automatically
when configured with the same storage backend. CertBot doesn't do that. Caddy
works great behind reverse proxies, or as the reverse proxy.

Perhaps most importantly, Caddy is the only server to use HTTPS by default
without needing any explicit configuration. You simplify your deployment
workflows and have less room for things to go wrong.

There's also a values statement here... If you think privacy and security are
important, you choose software that enables privacy by default because it
aligns with your values.

Sure, any number of solutions can get you TLS and a few even get you TLS via
ACME, but Caddy (2) is highly optimized to handle the edge cases and scaling
requirements a lot of sites have these days.

~~~
vinaypai
I don't mean to pooh-pooh your project, but Go's memory safety isn't some
kind of automatic security guarantee... especially when it comes with a giant
downside of having to run as root. Every other production-grade server drops
privileges as soon as possible, for a very good reason.

~~~
mholt
Go does bounds checking and doesn't have dangling pointers, so it's inherently
safe from buffer overflows.

You don't have to run Caddy as root in production, even to bind to low ports.
(None of my sites do.) [https://memorysafety.fail](https://memorysafety.fail)
for more info on memory unsafety.

~~~
vinaypai
Thank you for your condescending reply. I understand Go's memory model quite
well (and have used Go quite a bit). News flash: you can have bugs of other
kinds besides buffer overflows.

~~~
mholt
Er, sorry, I wasn't being condescending. I intended to clarify some relevant
facts, please don't take it personally.

You had said:

> Go's memory safety isn't some kind of automatic security guarantee...

But in some cases, it is. I'm not claiming more than that, nor am I saying
that you can't have "bugs of other kinds" -- on which point I agree with you.

~~~
vinaypai
> Er, sorry, I wasn't being condescending. I intended to clarify some relevant
> facts, please don't take it personally.

Fair enough, it's easy to misunderstand the intended tone in online comments.

------
jb775
I must say, seeing this makes me feel a little less embarrassed from my own
expired SSL facepalms

------
GuyPostington
Ways to monitor for cert expiry in no particular order:

1) Prometheus + blackbox_exporter [https://www.robustperception.io/get-alerted-before-your-ssl-certificates-expire](https://www.robustperception.io/get-alerted-before-your-ssl-certificates-expire)

2) Sensu/Nagios [https://github.com/sensu-plugins/sensu-plugins-http/blob/master/bin/check-https-cert.rb](https://github.com/sensu-plugins/sensu-plugins-http/blob/master/bin/check-https-cert.rb)

3) Openssl in a crontab:

        echo | openssl s_client -connect ${DOMAIN}:443 -servername ${DOMAIN} -verify_hostname ${DOMAIN} 2>/dev/null | openssl x509 -noout -startdate -enddate

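The same check as a self-contained probe, written here as an added example rather than code from the post above or from any of the tools it lists. It handshakes with each host named on the command line (the 14-day warning threshold, the 5-second timeout and the Nagios-style exit codes are assumptions), compares the leaf certificate's absolute NotBefore/NotAfter with the current instant, and ships a helper that mints a throw-away self-signed certificate so the verdict logic can be exercised offline with constructed data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"os"
	"time"
)

// ExpiryReport is the verdict on one certificate at a given instant.
type ExpiryReport struct {
	DaysLeft float64 // negative once expired
	Expired  bool    // the instant lies outside [NotBefore, NotAfter]
	Warn     bool    // still valid, but less than warnWithin remains
}

// Assess compares a certificate's validity window with the instant now. NotBefore
// and NotAfter are absolute instants (UTC on the wire), so the verdict is the
// same whatever local zone the probing machine is configured with.
func Assess(cert *x509.Certificate, now time.Time, warnWithin time.Duration) ExpiryReport {
	left := cert.NotAfter.Sub(now)
	return ExpiryReport{
		DaysLeft: left.Hours() / 24,
		Expired:  now.Before(cert.NotBefore) || now.After(cert.NotAfter),
		Warn:     left < warnWithin,
	}
}

// Status maps a report to a Nagios-style exit code: 0 OK, 1 WARNING, 2 CRITICAL.
func Status(r ExpiryReport) (int, string) {
	switch {
	case r.Expired:
		return 2, "CRITICAL"
	case r.Warn:
		return 1, "WARNING"
	}
	return 0, "OK"
}

// Probe handshakes with host:443 using SNI and returns the leaf certificate. Chain
// verification is skipped on purpose so an already-expired certificate is still
// retrieved and reported; no application data is ever sent on this connection.
func Probe(host string, timeout time.Duration) (*x509.Certificate, error) {
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: timeout}, "tcp",
		net.JoinHostPort(host, "443"), &tls.Config{ServerName: host, InsecureSkipVerify: true})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	peers := conn.ConnectionState().PeerCertificates
	if len(peers) == 0 {
		return nil, fmt.Errorf("%s: no certificate presented", host)
	}
	return peers[0], nil
}

// SelfSignedCert mints a throw-away self-signed certificate with the given
// validity window so Assess can be exercised offline. Constructed test data only.
func SelfSignedCert(cn string, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// main checks every host on the command line and exits with the worst status.
func main() {
	worst := 0
	for _, host := range os.Args[1:] {
		cert, err := Probe(host, 5*time.Second)
		if err != nil {
			fmt.Printf("%s: CRITICAL probe failed: %v\n", host, err)
			worst = 2
			continue
		}
		r := Assess(cert, time.Now(), 14*24*time.Hour)
		code, label := Status(r)
		fmt.Printf("%s: %s %.1f days left (notAfter %s)\n",
			host, label, r.DaysLeft, cert.NotAfter.UTC().Format(time.RFC3339))
		if code > worst {
			worst = code
		}
	}
	os.Exit(worst)
}
```

Run it as `go run certcheck.go techcrunch.com example.org` from a crontab or as a Nagios/Sensu command; a non-zero exit is the alert. Because the comparison is between the certificate's absolute NotAfter and an absolute instant, the result is identical on machines in different time zones. Note that a single leaf check does not catch an expired intermediate; if that matters, iterate over `PeerCertificates` rather than just index 0.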
------
rvz
They seem to have now updated and fixed the expired cert and all links work
again with SSL on.

    
    
      techcrunch.com
      Issued by: DigiCert SHA2 Secure Server CA
      Expires: Wednesday, 2 March 2022 at 12:00:00 GMT

------
panarky
Techcrunch is a hot mess lately.

Most TC links get uBlocked completely now with adtech run amok.

~~~
nimbius
yup. It routinely winds up in my pihole lists as well.

------
jrockway
jrockway's law of monitoring: All companies will eventually gain an alert for
TLS cert expiration.

------
cpach
Perhaps they will now switch over to automatically provisioned certificates :)

~~~
Macha
At least historically, they did. Wonder what went wrong

~~~
currysausage
Verizon maybe?

------
aaronmdjones
I've never seen a publicly-trusted certificate with a 12-hour validity period
before.

~~~
aargh_aargh
I'd expect this to be some kind of self-damaging public statement regarding
the news that Safari will start blocking sites with certs valid for >1 year.

------
orblivion
Hmm, what about a browser warning that a cert is _about_ to expire? You'd
think a major website would have employees looking at it on occasion, they'd
catch it.

~~~
progval
You don't want this kind of warning to end-users.

Just use monitoring with alerts.

~~~
orblivion
What if it's like two days in advance? Probably better than the thing going
down. Your monitoring should have caught it by then.

------
llacb47
Some sysadmin is getting chewed out on the phone right now...

~~~
robbyt
Or they're being praised for "fixing the website"

~~~
GuyPostington
You're funny.

------
nekoashide
Yeah, even with all the reporting in the world at my employer we sometimes
miss one, or a setting. It's hard to be good at certs.

~~~
weavie
Uptime robot ([https://uptimerobot.com/](https://uptimerobot.com/)) can be set
up to alert you about any upcoming cert expiries. It has saved our necks a few
times.

~~~
jb775
Is the free tier for this something that's valuable or do you realistically
need the pro version?

~~~
amiraliakbari
The free tier doesn't include SSL monitoring, but has many other useful free
features.

------
mirages
[https://crt.sh/?id=2500908236](https://crt.sh/?id=2500908236)

12h long certificate was used

~~~
0x0
That's just the precertificate

------
harrisreynolds
For posterity and as a general public service announcement I posted a
screenshot here:

[https://www.webase.com/blog/pro-tip-makesure-your-ssl-cert-does-not-expire](https://www.webase.com/blog/pro-tip-makesure-your-ssl-cert-does-not-expire)

This is bad, but at least the domain name didn't expire!

------
ck2
This is why I do not like the "every 90 days" on Let's Encrypt

Even if automated, actually especially if automated, that's four times a year
you can have complete site failure if something goes wrong.

ps. would be nice if firefox could easily override expired certs for advanced
users like self-signed certs

~~~
cpeterso
TechCrunch's new cert expires in two years. Who at TechCrunch will remember to
renew _that_ cert in February 2022? If they had to renew certs every 90 days,
they most likely would not have forgotten. Cert renewal would be automated or
part of regular quarterly planning.

~~~
praveenweb
Now Safari will no longer trust certs valid for more than 13 months. Recent
discussion thread about it
[https://news.ycombinator.com/item?id=22398063](https://news.ycombinator.com/item?id=22398063)

------
cm2187
Also the expiry date of a cert I think is based on local time of the browser,
not utc. So the website might work for the owner of the site while being
inaccessible to someone from a different time zone.

------
aogl
What's happened to TC recently..

------
raxxorrax
yeah, digicert is quite expensive.

------
csunbird
I still can not click on techcrunch links because of their massive cookie wall
that has no straight-forward way to disable all cookies.

~~~
danielbarla
It's a lovely dark pattern lately. I'm also fairly annoyed by another pattern
which involves giving the user a "carry on" vs "configure" decision, which
when opened shows that only essential cookies are enabled. While this is
probably closer to the correct implementation, I'm fairly sure that it's meant
to subtly steer people away from the configure option [1], via "see, there's
nothing to configure, you should have just picked the other option". You can
be sure though, that the other option had everything and the kitchen sink
enabled.

[1] EDIT: In the long-term, that is, not that individual site's interaction.

~~~
zelphirkalt
Even better, when those "essential" cookies are actually not essential at all
and are just tracking cookies. Personally I hope such people get sued until
they manage to adhere to the law in a sensible way, so that it really hurts
their business, which is built on unethical treatment of their visitors/users.
Wishful thinking probably.

