[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: The day I lost my job due to monit

From: Werner Flamme
Subject: Re: The day I lost my job due to monit
Date: Fri, 11 Dec 2020 09:56:53 +0100
User-agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.12.0

Am 10.12.2020 um 12:53 schrieb Phil Townes:
> This issue was highlighted on a number of IT news pages and blogs in the
> week or two prior to the issuing CA expiring.  A decent CA should also have
> made contact with their customers.
> We were also bitten by this issue as well, so I now have a shell script
> which checks all certificates in a chain for impending expiry.  I'm happy
> to share if that would help anyone.

Sorry, I still don't get it. How can a certificate in the chain expire
before the "last" certificate (for the server) expires? That means that
a CA signs customer certificates for a longer period than their own
certificate is valid. Can this happen? I never saw this with mine. Their
validity was shortened due to the limited validity of the CA's certificate.


> On Wed, 9 Dec 2020 at 10:57, Werner Flamme <> wrote:
>> Am 2020-12-06 um 12:18 schrieb SZÉPE Viktor:
>>> Idézem/Quoting Werner Flamme <>:
>>>> Am 04.12.2020 um 16:52 schrieb
>>>>> I configured monit to monitor the TLS certificate validity of all of
>> our
>>>>> highly productive websites. To all websites, the unnecessary full
>>>>> certificate (without root CA) was installed. However, on 30th of May
>>>>> 2020 one of the chain certificates (COMODO) ran out of its validity
>>>>> period. Obviously monit only checks for the server certificate, that's
>>>>> why the check did not notice this, and such a check is completely
>>>>> pointless. It led to a massive damage to my company, and since I was to
>>>>> deal with monitoring as well as TLS certificates, I had to move on to
>>>>> find a new job.
>>>> I do not understand why a server certificate is valid longer than any of
>>>> the intermediate certificates. Has the COMODO intermediate certificate
>>>> been revoked or did it reach its valid date?
>>> Hello Werner!
>>> It was a transition to anther signing root.
>>> PKI is a changing landscape.
>>> Google for COMODO 2020 cross-signing.
>> Hello Viktor,
>> so, the intermediate cert was valid when the change happened. How would
>> one monitor this change in advance?
>> Ithink, in such cases you have to be awake personally. You should have
>> gotten information beforehand, issued by COMODO. You should've had time
>> to renew and change the certificates. I do not see how to get monit to
>> warn you here.
>> Werner
>> --

Werner Flamme, Abt. WKDV
SAP Certified Technology Associate for NetWeaver/Oracle

Helmholtz-Zentrum für Umweltforschung GmbH - UFZ
Permoserstr. 15 - 04318 Leipzig / Germany
Tel.: +49 341 235-1921 - Fax +49 341 235-451921

Information nach §§ 37a HGB, 35a GmbHG:
Sitz der Gesellschaft: Leipzig
Registergericht: Amtsgericht Leipzig, Handelsregister Nr. B 4703
Vorsitzender des Aufsichtsrats: MinDirig'in Oda Keppler
Wissenschaftlicher Geschäftsführer: Prof. Dr. Georg Teutsch
Administrative Geschäftsführerin: Dr. Sabine König

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]