monit-general

Re: The day I lost my job due to monit


From: Phil Townes
Subject: Re: The day I lost my job due to monit
Date: Fri, 11 Dec 2020 23:19:30 +0000

The certificate was signed by two Root CAs, a process called 'cross-signing'.

One Issuing/Intermediate CA certificate had an expiration date prior to the subject certificate's expiration date, which is what caused these issues.

In a 'normal' situation, if a certificate is only being signed by a single Root CA, then you could expect the subject certificate not to expire after its Root. This isn't the case for cross-signed certs, or for certs issued by unscrupulous CAs.

The reason for cross-signing is to get the subject certificate to be trusted on as wide a range of devices and browsers as possible.  Many older devices, especially Android devices and embedded devices do not have an up-to-date list of Trusted Root Certificates. By cross-signing a subject certificate with an older Root CA cert that is present in those out-dated Root Cert Stores then a Certificate Authority can offer a wider range of compatibility.

The 'fix' in this case was to swap the expired Issuing CA cert out of the certificate chain on the affected web servers.  This forced modern browsers to read the certificate path that was still valid, rather than falling back to the path with the expired CA certificate.  This, of course, came at the cost of losing Trusted status on older devices - but better to drop those older devices than be down for everyone.

Hope that helps, happy to provide more info if needed!

Best,
Phil
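As an added example (not Phil's script and not part of the original thread), the following Go program reproduces the shape of the problem described above with a throwaway chain: a server certificate valid for a year, issued by an intermediate that expires in 20 days. It then checks every certificate's NotAfter rather than only the server certificate's, which is the check that would have caught the expired intermediate. All names, dates and certificates are constructed for illustration; the generalisation over an arbitrary presented chain is the author's, not anything from the thread.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// chainExpiry returns the earliest NotAfter across every certificate in the
// presented chain, plus the index of the certificate that carries it. That
// date, not the server certificate's own NotAfter, is when the chain stops
// validating for clients that follow this path.
func chainExpiry(chain []*x509.Certificate) (time.Time, int) {
	earliest, idx := chain[0].NotAfter, 0
	for i, c := range chain {
		if c.NotAfter.Before(earliest) {
			earliest, idx = c.NotAfter, i
		}
	}
	return earliest, idx
}

// expiringWithin returns the subject CNs of all certificates in the chain
// whose NotAfter falls inside the warning window. A chain-aware monitor runs
// this over every element, not only over chain[0].
func expiringWithin(chain []*x509.Certificate, now time.Time, window time.Duration) []string {
	var hits []string
	deadline := now.Add(window)
	for _, c := range chain {
		if c.NotAfter.Before(deadline) {
			hits = append(hits, c.Subject.CommonName)
		}
	}
	return hits
}

var serial int64 // simple counter so every constructed certificate gets a distinct serial

// mkCert issues a certificate for cn with the given NotAfter, signed by parent
// (self-signed when parent is nil). Constructed test data, not a real CA.
func mkCert(cn string, notAfter time.Time, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              notAfter,
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil { // self-signed root: the template is its own parent
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// buildChain reproduces the thread's situation with constructed certificates:
// a server certificate valid for a year, issued by an intermediate that
// expires in 20 days, under a root valid for ten years.
func buildChain() []*x509.Certificate {
	now := time.Now()
	root, rootKey := mkCert("Constructed Root CA", now.AddDate(10, 0, 0), true, nil, nil)
	inter, interKey := mkCert("Constructed Issuing CA", now.AddDate(0, 0, 20), true, root, rootKey)
	leaf, _ := mkCert("www.example.test", now.AddDate(1, 0, 0), false, inter, interKey)
	return []*x509.Certificate{leaf, inter, root}
}

func main() {
	chain := buildChain()
	window := 30 * 24 * time.Hour
	for i, c := range chain {
		fmt.Printf("chain[%d] %-24s notAfter=%s\n", i, c.Subject.CommonName, c.NotAfter.Format(time.RFC3339))
	}
	exp, idx := chainExpiry(chain)
	fmt.Printf("effective chain expiry: %s (set by chain[%d])\n", exp.Format(time.RFC3339), idx)
	fmt.Println("server-cert-only check flags:", expiringWithin(chain[:1], time.Now(), window))
	fmt.Println("whole-chain check flags:     ", expiringWithin(chain, time.Now(), window))
}
```

Against a live server the chain would come from `tls.ConnectionState().PeerCertificates` instead of `buildChain`; the two check functions are unchanged. For a cross-signed deployment like the one Phil describes, run the same check over each path the server can present, since the path through the older root is the one that dies first.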

On Fri, 11 Dec 2020, 8:57 am Werner Flamme, <werner.flamme@ufz.de> wrote:
On 10.12.2020 at 12:53, Phil Townes wrote:
> This issue was highlighted on a number of IT news pages and blogs in the
> week or two prior to the issuing CA expiring.  A decent CA should also have
> made contact with their customers.
>
> We were also bitten by this issue as well, so I now have a shell script
> which checks all certificates in a chain for impending expiry.  I'm happy
> to share if that would help anyone.

Sorry, I still don't get it. How can a certificate in the chain expire
before the "last" certificate (for the server) expires? That means that
a CA signs customer certificates for a longer period than their own
certificate is valid. Can this happen? I never saw this with mine. Their
validity was shortened due to the limited validity of the CA's certificate.

Werner

>
> On Wed, 9 Dec 2020 at 10:57, Werner Flamme <werner.flamme@ufz.de> wrote:
>
>> On 2020-12-06 at 12:18, SZÉPE Viktor wrote:
>>> Quoting Werner Flamme <werner.flamme@ufz.de>:
>>>
>>>> On 04.12.2020 at 16:52, rexkogitans@gmx.at wrote:
>>>>> I configured monit to monitor the TLS certificate validity of all of our
>>>>> highly productive websites. To all websites, the unnecessary full
>>>>> certificate (without root CA) was installed. However, on 30th of May
>>>>> 2020 one of the chain certificates (COMODO) ran out of its validity
>>>>> period. Obviously monit only checks for the server certificate, that's
>>>>> why the check did not notice this, and such a check is completely
>>>>> pointless. It led to a massive damage to my company, and since I was to
>>>>> deal with monitoring as well as TLS certificates, I had to move on to
>>>>> find a new job.
>>>>
>>>> I do not understand why a server certificate is valid longer than any of
>>>> the intermediate certificates. Has the COMODO intermediate certificate
>>>> been revoked or did it reach its valid date?
>>>>
>>>
>>> Hello Werner!
>>>
>>> It was a transition to another signing root.
>>> PKI is a changing landscape.
>>> Google for COMODO 2020 cross-signing.
>>
>> Hello Viktor,
>>
>> so, the intermediate cert was valid when the change happened. How would
>> one monitor this change in advance?
>>
>> I think, in such cases you have to be awake personally. You should have
>> gotten information beforehand, issued by COMODO. You should've had time
>> to renew and change the certificates. I do not see how to get monit to
>> warn you here.
>>
>> Werner
>>

--
Werner Flamme, Dept. WKDV
SAP Certified Technology Associate for NetWeaver/Oracle

Helmholtz-Zentrum für Umweltforschung GmbH - UFZ
Permoserstr. 15 - 04318 Leipzig / Germany
Tel.: +49 341 235-1921 - Fax +49 341 235-451921

