Ask HN: What is going on with SSL certs?
I'm suddenly getting SSL errors from unrelated services we use. For example status.algolia.com, Pingdom and others. See this thread: https://news.ycombinator.com/item?id=23362759 One of the AddTrust root certificates has just expired. This is the certificate: https://crt.sh/?id=1 This certificate was originally deployed some 20 years ago and expired today. There will be servers out there configured with certificate chains that terminate with this particular root. I've also seen some expired intermediates as well. In theory, this shouldn't be a problem. Clients with modern PKI stacks should be able to deal with the expiration by using path building to find trust paths that are still valid, but there appears to be a long tail of clients that don't handle this situation well. If you've received a notification from a monitoring platform and the leaf certificate is still valid, the notification is likely to be a false positive. I got one of those. You should probably be able to neutralise the false positives by reconfiguring your servers with a different chain, one that terminates with a still-valid root. Don't include the expired root in the chain. You should do this for maximum compatibility with old clients also. Came here to say it is happening by on our end too. Received a lot of expired ssl cert notifications, but cannot reproduce it. Currently trying to understand why this is happening. At first sight seems a glitch. You are either sending and explicitly trusting a full chain up to AddTrust, or something of the sort. Or you might still have expired AddTrust in your ca-certificates bundle. I haven't seen this issue reproducible in any modern browser, but it's been annoying with explicitly-defined trust stores in some old apps. we are also facing sudden ssl issues