Githubassets.com Cert Has Expired
78 points by lysp on Nov 2, 2020 | 53 comments
Cert expired 5 mins ago.


This is a script I call "certdays.sh" which you can call from your regular tests like this:

certdays.sh somedomain.com 14

If the certificate for somedomain.com is valid for less than 14 days, it will fail:


Is the '25' in 60*60*25 intentional to give a bit more margin or should it just have been 24?

Ha, I guess I made a typo when I wrote the script 6 months ago. At least I cannot remember that I had some clever idea back then, why a day should have 25 hours.

Fixed now. Thanks.

Always have days having 25 hours... for DST.

Don't call it from tests though, call it from a monitoring system!

In case anyone is looking for a good option, I've had great success with InfluxDB's Telegraf utility, which automatically checks both uptime and certificates for HTTPS endpoints, combined with a Grafana dashboard that sends alerts when the deadline approaches.

What shell are you running this under? Unquoted exclamation marks will do things that may be outside your intent for this script. It’ll still fail, just perhaps not in the way you expect.

You mean due to history substitution? If so: I have never seen that kick in in a script. Only in interactive shells.

Hmm, if I copy/paste this, I get a different output:

    ~  ~/certdays.sh google.com 14
    date: illegal time format
    usage: date [-jnRu] [-d dst] [-r seconds] [-t west] [-v[+|-]val[ymwdHMS]] ...
            [-f fmt date | [[[mm]dd]HH]MM[[cc]yy][.ss]]
    google.com: -18568
    -n Lasts longer then 14 days?

You can brew install coreutils and edit it to use gdate instead of date.
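The two things this sub-thread is really about are (a) "fail when fewer than N days remain" and (b) the fact that GNU `date -d` is not available on macOS. The following is an added example, not the certdays.sh script from the thread: it performs the same threshold check but parses the certificate's notAfter value with Python's `datetime`, so it needs neither `date` nor `gdate`. The script name `certdays.py`, its argument layout (`HOST MIN_DAYS`) and the sample notAfter values are assumptions for this example; the date strings are the ones quoted elsewhere in this thread.

```python
"""certdays.py: fail when a host's TLS certificate has fewer than N days left.

Added example, not the certdays.sh script from the thread. It does the same
check but parses the certificate's notAfter value with Python's datetime instead
of the host `date` command, so it runs unchanged on macOS and Linux.
"""
import socket
import ssl
import sys
from datetime import datetime, timezone
from typing import Optional, Tuple

# Format used by `openssl x509 -enddate` and by ssl.getpeercert()["notAfter"],
# e.g. "Nov  2 12:00:00 2020 GMT" (note the double space before a one-digit day).
NOT_AFTER_FMT = "%b %d %H:%M:%S %Y %Z"


def parse_not_after(not_after: str) -> datetime:
    """Turn an openssl-style notAfter string into a timezone-aware UTC datetime."""
    return datetime.strptime(not_after.strip(), NOT_AFTER_FMT).replace(tzinfo=timezone.utc)


def days_remaining(not_after: str, now: Optional[datetime] = None) -> int:
    """Whole days left until expiry, negative once expired.

    Everything is computed in UTC, so DST never produces a 23- or 25-hour day.
    timedelta.days floors toward minus infinity: 23 hours left is 0 days,
    one hour past expiry is -1 days.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    return (parse_not_after(not_after) - now).days


def check_days(not_after: str, min_days: int, now: Optional[datetime] = None) -> Tuple[bool, int]:
    """Return (ok, days_left); ok is False when fewer than min_days remain."""
    days_left = days_remaining(not_after, now)
    return days_left >= min_days, days_left


def fetch_not_after(host: str, port: int = 443, timeout: float = 10.0) -> str:
    """Open a verified TLS connection (with SNI) and return the leaf cert's notAfter.

    Verification is deliberately left on: an already-expired certificate makes
    the handshake raise ssl.SSLCertVerificationError, which is the alarm itself.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def main(argv) -> int:
    # Usage mirrors the thread's script: certdays.py somedomain.com 14
    if len(argv) != 3:
        print("usage: certdays.py HOST MIN_DAYS", file=sys.stderr)
        return 2
    host, min_days = argv[1], int(argv[2])
    try:
        not_after = fetch_not_after(host)
    except ssl.SSLCertVerificationError as exc:
        print(f"{host}: verification failed: {exc.verify_message}", file=sys.stderr)
        return 1
    ok, days_left = check_days(not_after, min_days)
    print(f"{host}: {days_left} days left (minimum {min_days})")
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Because `days_remaining` takes an explicit `now`, the threshold logic can be tested offline against an expired, an about-to-expire and a far-future notAfter (the three cases a later comment in this thread recommends) without touching the network; the exit status makes it usable from cron or a monitoring check just like the shell version.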

Are you running it on macOS or something non-Linux?

Ah, yes I am running it on macOS Mojave

Works for me. In Bash? Maybe copy/paste gone wrong?

I have put it into a Github repo now and put the link into the post. Does that work for you?

We can also use ssl-cert-check cli tool. `ssl-cert-check -s avilpage.com -p 443 -x 30` will return if the certificate will expire in 30 days.

We can use this command in a CI pipeline or set up a cron job to monitor it.

Thanks awesome script!

There must be some kind of law "Every company will forget to renew a TLS certificate once"

I know I can't throw stones in this particular greenhouse :)

Indeed, together with "deleted production database" it's a rite of passage, which is fine. The problem is when the same issues pop up over and over again (looking at you Microsoft, re SSL renewals) and nothing is seemingly done to prevent it in the future.

I remember a couple of years ago I was on the top of some old volcano on an island, and I was dictating shell commands to a colleague so that we could quickly fix our expired certificate. Good old days.

Maybe browsers should put up a warning when a certificate is about to expire; say two weeks away. Nobody should let their certificate get that close to expiring, but if it does, you'd rather it generate a lot of visible warnings before simply ceasing to work at all.

Browsers are very careful about introducing warnings to users that are meant to go to admins. They dislike the indirect "but users will complain to admins" route and I can't blame them: every warning a user will see and not understand leads to warning fatigue.

Crowd sourcing errors by relying on user generated reports is sometimes a good idea, however in this instance it's not. Cert expiry is something that can be automated and monitored because the expiry is deterministic. Crowd sourcing is for the non-deterministic.

I don't agree. A cert that is just about to expire is as valid as one that's new. It only has two states: expired or not. For the user it's either expired or not; they needn't be concerned until it actually is expired.

Or how about the responsible engineers/testers/managers/whatevers set up proper testing infrastructure for the multi-million projects run by their huge international corporation? Feels like it's not a lot to ask for the most basic testing like checking when certs expire, setting up automation to renew them and having fail-safes/error reporting in case the renewal fails.

Tests can have bugs too.

Indeed, that's true! Not only do you have to write the tests, you also have to verify they're working, and have monitoring connected to ensure they're continuously working.

But still, multi-million companies should surely be able to handle that.

Verify that it is working after changes, with a test? What is testing that test?

If you change something, don't you manually check that it's actually doing what you want it to?

If I was an engineer changing a test regarding SSL certs expiry time, after a change, I'd test it with a cert that has expired, about to expire and one far in the future. Manually or automated doesn't really matter, but test your changes after you've done them. Really basic stuff.

My point was, there is no way to guarantee bugfreeness in any way. You can reduce bugs by automating and another test layer, but each new layer can have bugs too. Even if you prove the code to be correct, you only proved your assumptions of the requirements which might be wrong (both your assumptions and the requirements).

Because the comment said something like: There was a bug, so they didn't have a test, why don't they? And I replied: Tests can have bugs too.

It's partially cloudy in NY today.

It is it is!

Perhaps a plugin which admins can add to their browsers to act as a reminder for themselves? Having core browsers warn the general public about this all the time will lead to chaos.

Just came to Hacker News to post this, GitHub's assets don't load and the site's front end is broken.

Don't see any error. The certificate was renewed after 10 minutes of issue?

Validity Not Before 11/2/2020, 12:00:00 AM (Greenwich Mean Time)

Validity Not After 11/9/2021, 11:59:59 PM (Greenwich Mean Time)

They renewed it just now.

That's why they are serving un-styled pages, I guess. I thought my browser was acting up.

The pages being served are styled, we just can't securely load the stylesheets.

Or javascript.

If you're using Nagios, set up something like

  command_name  check_certificate
  command_line  $USER1$/check_http -H $ARG1$ -p $ARG2$ -4 -S -C 21 -t 20 --sni

This won't warn about certificate name mismatches though.

That warns only after the fact, not in advance... depending on how the infrastructure (and especially the cert procuring process, for those not using LE for whatever reason) is set up, too late.

Nagios checks have thresholds for WARNING and CRITICAL. With these kinds of checks it's usually 'days until expiry', so it certainly can be used to warn in advance.

"command_line $USER1$/check_http -H $ARG1$ -p $ARG2$ -4 -S -C 21 -t 20 --sni"

-C 21 means: Check the certificate. Warn if less than 21 days and critical when expired.

Update: Seems to be fixed now.

Just ran into the same issue... Most/Everything still seems to work though, because only the assets are missing ^^ However it is not pretty.

Not known on https://www.githubstatus.com/ yet.

Ok, it is now, although they call it an issue with pull requests.

Once identified, I would expect their "Incident Report" in some way would mention the root cause of the incident. However, that does not seem to be the case here: https://www.githubstatus.com/incidents/4mzhxxpwgvqg

Maybe someone could get fired for this or does it have more to do with Microsoft's stock/public image?

This is a wonderful example of what can happen when you don't keep track of your cert expiry dates.

Certs are such a pain in the ass.

I thought it was just a local CDN node issue until I see this on Hacker News :-(

Seems like Microsoft has a real issue tracking their cert expiry lately.

Github not working for me either

github.githubassets.com expired 1 day ago. github.com is OK now.

That doesn't seem to be the case.

    openssl s_client -connect github.githubassets.com:443
    verify error:num=10:certificate has expired
    notAfter=Nov  2 12:00:00 2020 GMT

That's today, about 22 min ago from time of writing, not 1 day ago.

Depending on what your browser still has in its cache, github.com will be in various states of degradation.
