monit-general

Re: The day I lost my job due to monit


From: Phil Townes
Subject: Re: The day I lost my job due to monit
Date: Thu, 10 Dec 2020 11:53:54 +0000

This issue was highlighted on a number of IT news pages and blogs in the week or two prior to the issuing CA expiring.  A decent CA should also have made contact with their customers.

We were also bitten by this issue as well, so I now have a shell script which checks all certificates in a chain for impending expiry.  I'm happy to share if that would help anyone.

Phil

On Wed, 9 Dec 2020 at 10:57, Werner Flamme <werner.flamme@ufz.de> wrote:
On 2020-12-06 at 12:18, SZÉPE Viktor wrote:
> Quoting Werner Flamme <werner.flamme@ufz.de>:
>
>> On 04.12.2020 at 16:52, rexkogitans@gmx.at wrote:
>>> I configured monit to monitor the TLS certificate validity of all of our
>>> highly productive websites. To all websites, the unnecessary full
>>> certificate (without root CA) was installed. However, on 30th of May
>>> 2020 one of the chain certificates (COMODO) ran out of its validity
>>> period. Obviously monit only checks for the server certificate, that's
>>> why the check did not notice this, and such a check is completely
>>> pointless. It led to a massive damage to my company, and since I was to
>>> deal with monitoring as well as TLS certificates, I had to move on to
>>> find a new job.
>>
>> I do not understand why a server certificate is valid longer than any of
>> the intermediate certificates. Has the COMODO intermediate certificate
>> been revoked or did it reach its valid date?
>>
>
> Hello Werner!
>
> It was a transition to another signing root.
> PKI is a changing landscape.
> Google for COMODO 2020 cross-signing.

Hello Viktor,

so, the intermediate cert was valid when the change happened. How would
one monitor this change in advance?

I think, in such cases you have to be awake personally. You should have
gotten information beforehand, issued by COMODO. You should've had time
to renew and change the certificates. I do not see how to get monit to
warn you here.

Werner
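
The failure discussed in this thread (leaf certificate still valid, a chain certificate about to expire) can be caught by checking every certificate in the served bundle. The script below is an added example, not Phil's script and not part of monit; it assumes the `openssl` CLI is installed, and `check_chain`, `make_demo_bundle` and the demo certificate names are hypothetical.

```shell
#!/bin/sh
# Added example: flag ANY certificate in a PEM bundle that expires soon, not
# only the leaf. To inspect what a server actually sends, save the output of:
#   openssl s_client -connect HOST:443 -servername HOST -showcerts </dev/null

# check_chain BUNDLE DAYS -> 0 all fine, 1 something expires within DAYS, 2 error
check_chain() {
    bundle=$1; days=$2; rc=0
    tmpdir=$(mktemp -d) || return 2
    # Split the bundle into one file per certificate; text outside the
    # BEGIN/END markers (s_client chatter) is ignored.
    awk -v d="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert%03d.pem", d, n) }
        f { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }' "$bundle"
    for cert in "$tmpdir"/cert*.pem; do
        [ -f "$cert" ] || { echo "no certificates found in $bundle"; rc=2; break; }
        subject=$(openssl x509 -in "$cert" -noout -subject)
        enddate=$(openssl x509 -in "$cert" -noout -enddate)
        # -checkend N exits non-zero if the certificate expires within N seconds.
        if openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null; then
            echo "OK       $subject ($enddate)"
        else
            echo "EXPIRING $subject ($enddate)"; rc=1
        fi
    done
    rm -rf "$tmpdir"
    return $rc
}

# Constructed sample input: two throwaway self-signed certificates standing in
# for a leaf (365 days) and an intermediate (5 days). Not a real chain.
make_demo_bundle() {
    out=$1; : > "$out"
    for spec in demo-leaf:365 demo-intermediate:5; do
        openssl req -x509 -newkey rsa:2048 -nodes -keyout "$out.key" \
            -subj "/CN=${spec%%:*}" -days "${spec##*:}" >> "$out" 2>/dev/null
    done
    rm -f "$out.key"
}

if [ $# -ge 1 ]; then
    check_chain "$1" "${2:-30}" || exit $?      # usage: script BUNDLE [DAYS]
else
    demo=$(mktemp) && make_demo_bundle "$demo"
    check_chain "$demo" 30 || echo "=> leaf is fine, but the chain needs attention"
    rm -f "$demo"
fi
```

The non-zero exit status on an expiring certificate is what lets a scheduler or a monitoring tool that runs external programs raise the alert.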
