This issue was highlighted on a number of IT news pages and blogs in the week or two prior to the issuing CA expiring. A decent CA should also have made contact with their customers.
We were also bitten by this issue as well, so I now have a shell script which checks all certificates in a chain for impending expiry. I'm happy to share if that would help anyone.

Phil

On Wed, 9 Dec 2020 at 10:57, Werner Flamme <werner.fla...@ufz.de> wrote:

> On 2020-12-06 at 12:18, SZÉPE Viktor wrote:
> > Quoting Werner Flamme <werner.fla...@ufz.de>:
> >
> >> On 04.12.2020 at 16:52, rexkogit...@gmx.at wrote:
> >>> I configured monit to monitor the TLS certificate validity of all of our
> >>> highly productive websites. To all websites, the unnecessary full
> >>> certificate (without root CA) was installed. However, on 30th of May
> >>> 2020 one of the chain certificates (COMODO) ran out of its validity
> >>> period. Obviously monit only checks for the server certificate, that's
> >>> why the check did not notice this, and such a check is completely
> >>> pointless. It led to a massive damage to my company, and since I was to
> >>> deal with monitoring as well as TLS certificates, I had to move on to
> >>> find a new job.
> >>
> >> I do not understand why a server certificate is valid longer than any of
> >> the intermediate certificates. Has the COMODO intermediate certificate
> >> been revoked or did it reach its valid date?
> >>
> >
> > Hello Werner!
> >
> > It was a transition to another signing root.
> > PKI is a changing landscape.
> > Google for COMODO 2020 cross-signing.
>
> Hello Viktor,
>
> so, the intermediate cert was valid when the change happened. How would
> one monitor this change in advance?
>
> I think, in such cases you have to be awake personally. You should have
> gotten information beforehand, issued by COMODO. You should've had time
> to renew and change the certificates. I do not see how to get monit to
> warn you here.
>
> Werner
>
> --
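As an added example (not Phil's script and not part of the original thread), the following shows one way to check every certificate in a PEM bundle for impending expiry rather than only the server certificate. The function names, the 30-day threshold and the demo subjects are assumptions; the demo bundle is constructed from two self-signed certificates because the check only reads validity dates.

```bash
# Added example (not the script mentioned in this thread).
# To capture the chain a live server sends, for a HOST you operate:
#   openssl s_client -connect HOST:443 -servername HOST -showcerts </dev/null > chain.pem

# check_bundle FILE DAYS: prints one status line per certificate in FILE;
# returns 1 if any certificate expires within DAYS days, 2 if none were found.
check_bundle() {
    local bundle="$1" days="$2" tmp rc=0 pem subject end
    tmp=$(mktemp -d) || return 2
    # Split the bundle into one file per certificate, ignoring non-PEM text.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$bundle"
    for pem in "$tmp"/cert-*.pem; do
        [ -e "$pem" ] || { echo "no certificates found in $bundle" >&2; rc=2; break; }
        subject=$(openssl x509 -in "$pem" -noout -subject)
        end=$(openssl x509 -in "$pem" -noout -enddate)
        # -checkend N exits non-zero when the certificate expires within N seconds.
        if openssl x509 -in "$pem" -noout -checkend $((days * 86400)) >/dev/null; then
            echo "OK       $subject ($end)"
        else
            echo "EXPIRING $subject ($end)"
            rc=1
        fi
    done
    rm -rf "$tmp"
    return $rc
}

# make_demo_bundle FILE: constructed sample input. Two self-signed certificates
# stand in for a leaf (365 days) and an intermediate (5 days); no real signing
# chain is built because check_bundle only looks at validity dates.
make_demo_bundle() {
    local out="$1" dir
    dir=$(mktemp -d) || return 2
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/k1" -out "$dir/leaf.pem" \
        -days 365 -subj "/CN=www.example.test" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/k2" -out "$dir/ca.pem" \
        -days 5 -subj "/CN=Example Intermediate CA" 2>/dev/null
    cat "$dir/leaf.pem" "$dir/ca.pem" > "$out"
    rm -rf "$dir"
}

demo=$(mktemp) && make_demo_bundle "$demo"
check_bundle "$demo" 30; echo "exit status: $?"
rm -f "$demo"
```

The non-zero return value lets a monitoring system that runs external programs alert on it. The check covers only the certificates present in the bundle, so a root that the server does not send is not examined.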