monit-general


Re: The day I lost my job due to monit


From: Werner Flamme
Subject: Re: The day I lost my job due to monit
Date: Fri, 11 Dec 2020 09:56:53 +0100
User-agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.12.0

On 10.12.2020 at 12:53, Phil Townes wrote:
> This issue was highlighted on a number of IT news pages and blogs in the
> week or two prior to the issuing CA expiring.  A decent CA should also have
> made contact with their customers.
> 
> We were also bitten by this issue as well, so I now have a shell script
> which checks all certificates in a chain for impending expiry.  I'm happy
> to share if that would help anyone.

Sorry, I still don't get it. How can a certificate in the chain expire
before the "last" certificate (for the server) expires? That means that
a CA signs customer certificates for a longer period than their own
certificate is valid. Can this happen? I never saw this with mine. Their
validity was shortened due to the limited validity of the CA's certificate.

Werner

> 
> On Wed, 9 Dec 2020 at 10:57, Werner Flamme <werner.flamme@ufz.de> wrote:
> 
>> On 2020-12-06 at 12:18, SZÉPE Viktor wrote:
>>> Quoting Werner Flamme <werner.flamme@ufz.de>:
>>>
>>>> On 04.12.2020 at 16:52, rexkogitans@gmx.at wrote:
>>>>> I configured monit to monitor the TLS certificate validity of all of our
>>>>> highly productive websites. To all websites, the unnecessary full
>>>>> certificate (without root CA) was installed. However, on 30th of May
>>>>> 2020 one of the chain certificates (COMODO) ran out of its validity
>>>>> period. Obviously monit only checks for the server certificate, that's
>>>>> why the check did not notice this, and such a check is completely
>>>>> pointless. It led to a massive damage to my company, and since I was to
>>>>> deal with monitoring as well as TLS certificates, I had to move on to
>>>>> find a new job.
>>>>
>>>> I do not understand why a server certificate is valid longer than any of
>>>> the intermediate certificates. Has the COMODO intermediate certificate
>>>> been revoked or did it reach its valid date?
>>>>
>>>
>>> Hello Werner!
>>>
>>> It was a transition to another signing root.
>>> PKI is a changing landscape.
>>> Google for COMODO 2020 cross-signing.
>>
>> Hello Viktor,
>>
>> so, the intermediate cert was valid when the change happened. How would
>> one monitor this change in advance?
>>
>> I think, in such cases you have to be awake personally. You should have
>> gotten information beforehand, issued by COMODO. You should've had time
>> to renew and change the certificates. I do not see how to get monit to
>> warn you here.
>>
>> Werner

-- 
Werner Flamme, Dept. WKDV
SAP Certified Technology Associate for NetWeaver/Oracle

Helmholtz-Zentrum für Umweltforschung GmbH - UFZ
Permoserstr. 15 - 04318 Leipzig / Germany
Tel.: +49 341 235-1921 - Fax +49 341 235-451921

Information pursuant to §§ 37a HGB, 35a GmbHG:
Registered office: Leipzig
Court of registration: Amtsgericht Leipzig, commercial register no. B 4703
Chair of the Supervisory Board: MinDirig'in Oda Keppler
Scientific Managing Director: Prof. Dr. Georg Teutsch
Administrative Managing Director: Dr. Sabine König

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
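
The kind of whole-chain expiry check mentioned in this thread, as an added example: it is not Phil Townes's script and not part of monit. It assumes the `openssl` command-line tool is installed and the chain is a PEM bundle; the function name `check_chain_expiry` and the 30-day default are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). check_chain_expiry is a hypothetical name.
# Usage: check_chain_expiry BUNDLE.pem [DAYS]
# Returns 0 if every certificate in the bundle is still valid DAYS from now,
# 1 if at least one expires inside that window, 2 if the bundle is unusable.
check_chain_expiry() {
    bundle=$1
    days=${2:-30}
    [ -r "$bundle" ] || { echo "cannot read $bundle" >&2; return 2; }
    tmpdir=$(mktemp -d) || return 2

    # Split the bundle into one file per certificate (leaf and intermediates).
    # Lines outside BEGIN/END markers are ignored.
    awk -v dir="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%03d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$bundle"

    count=0
    result=0
    for cert in "$tmpdir"/cert*.pem; do
        [ -e "$cert" ] || break
        count=$((count + 1))
        if ! info=$(openssl x509 -in "$cert" -noout -subject -enddate 2>/dev/null); then
            echo "ERROR cert #$count: not a parsable certificate"
            result=2
            continue
        fi
        # -checkend exits non-zero when the certificate expires within N seconds.
        if ! openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null; then
            echo "WARN cert #$count expires within $days days:" $info
            if [ "$result" -eq 0 ]; then result=1; fi
        fi
    done
    rm -rf "$tmpdir"

    if [ "$count" -eq 0 ]; then
        echo "no certificates found in $bundle" >&2
        return 2
    fi
    return "$result"
}
```

Because non-certificate lines are skipped, the saved output of `openssl s_client -connect HOST:443 -showcerts` can be passed as the bundle to check what a server actually sends.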

