Re: The day I lost my job due to monit

[Werner Flamme]

Am 2020-12-06 um 12:18 schrieb SZÉPE Viktor:
> Idézem/Quoting Werner Flamme <werner.flamme@ufz.de>:
>
> > Am 04.12.2020 um 16:52 schrieb rexkogitans@gmx.at:
> > > I configured monit to monitor the TLS certificate validity of all of our
> > > highly productive websites. To all websites, the unnecessary full
> > > certificate (without root CA) was installed. However, on 30th of May
> > > 2020 one of the chain certificates (COMODO) ran out of its validity
> > > period. Obviously monit only checks for the server certificate, that's
> > > why the check did not notice this, and such a check is completely
> > > pointless. It led to a massive damage to my company, and since I was to
> > > deal with monitoring as well as TLS certificates, I had to move on to
> > > find a new job.
> >
> > I do not understand why a server certificate is valid longer than any of
> > the intermediate certificates. Has the COMODO intermediate certificate
> > been revoked or did it reach its valid date?
>
> Hello Werner!
>
> It was a transition to anther signing root.
> PKI is a changing landscape.
> Google for COMODO 2020 cross-signing.

Hello Viktor,

so, the intermediate cert was valid when the change happened. How would 
one monitor this change in advance?

Ithink, in such cases you have to be awake personally. You should have 
gotten information beforehand, issued by COMODO. You should've had time 
to renew and change the certificates. I do not see how to get monit to 
warn you here.

Werner

--

smime.p7s
Description: S/MIME Cryptographic Signature