TechEarl

45 SSL/TLS Certificate Jokes Every Sysadmin Has Lived

SSL/TLS certificate jokes on Saturday expirations, mixed content warnings, certbot rate limits, incomplete chains, wildcard mismatches, and OCSP outages.

Ishan Karunaratne · 4 min read

45 SSL/TLS Certificate Jokes

The certificate expired at 3:47 a.m. Saturday. The page that says "NET::ERR_CERT_DATE_INVALID" was the first to know.

"Did you renew the cert?" "I thought certbot did that automatically." "I thought you did that manually." Nobody renewed the cert.

There are two kinds of engineers: The ones with calendar reminders for certificate renewals, and the ones writing post-mortems.

"The site is broken." The cert expired 14 minutes ago and the customer beat the monitoring to the alert.

Self-signed certificates work great until they don't, which is immediately.

"Why does the browser say `not secure`?" Because one image on the page loads over http and you have invalidated the entire ceremony.

I have renewed this certificate so many times the CA sends me a holiday card.

The wildcard cert covers `*.example.com`. It does not cover `*.api.example.com`. Learning this in production was character-building.

"Just add the cert." Which cert. There are 12 in this bundle. None are dated this decade.

Let's Encrypt rate-limited me at 4 a.m. for trying to issue the same cert seven times in a row. I was the threat actor. I was the only threat actor.

"Use HSTS." Great. I have just told every browser to remember this domain is HTTPS forever, and because I set `includeSubDomains`, I cannot test on staging anymore.

The chain is incomplete. The browser is fine with it. Mobile Safari is not. This is a normal Tuesday.

"What's the difference between SSL and TLS?" Nothing anyone has time to explain at 9:47 on a Friday.

An expired certificate is the only outage that the marketing team also notices.

"Why is the API call failing?" Because the client does not trust the CA that signed the server's cert. Both teams blame each other for a week.

I have a folder called `certs` with 17 PEM files. Four are expired. Three are duplicates. One is a private key labeled as a cert. The chain of custody is gone.

"Certbot should handle this." Certbot tried. The webroot challenge failed because the proxy in front of Nginx does not pass `/.well-known/acme-challenge/` requests through.

DV, OV, EV — the certificate types are an alphabet of how-much-did-you-pay.

The CN field is deprecated. The SAN field is required. I did not get the memo and shipped a cert without SANs in 2018. The ticket is still open.

"It works locally because my browser trusts my self-signed root CA." It will not work for anyone else. Ever.

The wildcard cert is on five different servers. Four of them got rotated. One did not. Guess which one is in the path for the load balancer.

"Why did certbot issue another cert?" Because the cron job runs it with `--force-renewal` every hour, and by lunch you have burned through the duplicate-certificate rate limit for the week.

An OCSP responder going down is the kind of outage where the clients that soft-fail keep working, the clients that hard-fail do not, and nobody can explain to a non-technical manager why half the internet is fine.

"We can pin the cert in the mobile app." Three months later: "we cannot rotate the cert."

TLS 1.2 is fine. TLS 1.3 is better. The legacy partner integration speaks SSL 3.0 and the contract was signed in 2009.

The certificate is valid. The time on the server is wrong. The certificate is no longer valid.

"Why did the cert renewal fail?" Because your DNS provider rate-limited the ACME challenge, and you only find this out by reading the certbot log line 4,400.

I once issued a certificate for the wrong domain. The right domain went down. The wrong domain has never been more secure.

"Cert pinning is a security feature." It is, until it is also the reason your app cannot reach your own API.

The chain has three certificates. The server is sending only the leaf. The client only trusts the root. Browsers patch over this by fetching the missing intermediate. curl does not. curl on a CI runner especially does not.

"How long is your cert valid?" We used to say two years. Then one year. Let's Encrypt says 90 days. The CA/Browser Forum has voted for 47 days by 2029. Soon, just rotate on every git commit.

Reading the X.509 spec is a journey one does not return from unchanged.

"Why does my browser show the lock icon as broken?" The cert is fine. The image loaded over http. One pixel, one decade of work.

An SSL outage on the marketing site is a cause for panic. An SSL outage on the internal Jenkins is a cause for celebration.

"We bought an EV certificate." The browser no longer shows the green bar. The money was for the feeling.

I have a script called `renew-certs.sh`. It has not been run since 2019. It would not work now. It is the only renewal documentation we have.

"Use Let's Encrypt." The corporate proxy blocks ACME endpoints. We are back to a $400 cert from a vendor whose website has Comic Sans on it.

The wildcard cert and the wildcard DNS record agreed on what `*` meant for three years. Then one of them changed and only the cert got the message.

"Add the cert to the trust store." Which trust store. There are four on this machine and the JVM has its own.

I learned about HPKP the year it was deprecated. I also learned about HPKP the year someone pinned the wrong key and bricked their domain for 60 days.

The expired-certificate warning page is the single most-seen interstitial in the history of computing.

"It's just one curl command." The curl command needs the CA bundle, the cert, the key, the intermediate chain, the right TLS version, and the right SNI hostname. One command.

Cert rotation went smoothly. Cert rotation never goes smoothly. One of these statements is false.

"The cert expires next week." The ticket sits in the backlog. "The cert expired today." The ticket becomes a war room.

Half of security is just remembering to renew the certificate.

Why the SSL certificate joke keeps renewing itself

The whole genre depends on a single recurring failure mode: a thing the team forgot to do until it broke in public. Certificate expiry is one of the few outages that has a known exact start time, a known cause, and a known fix, and somehow happens to every team at least once. The joke is that the fix is a four-minute renewal and the postmortem is a four-page document about why we did not have monitoring on the expiry date.

What makes SSL humor specifically funny is how visible the failure is. Most infrastructure mistakes degrade silently. A certificate problem turns the entire site red, in every browser, simultaneously. Marketing notices. Sales notices. Customers notice. The CEO notices, because their own browser will not let them log into the company's product. The joke material is the contrast between the technical triviality of the fix and the social magnitude of the failure.

The second reason the genre keeps producing material is the surface area of the protocol. TLS is one of the most carefully specified pieces of software in the world and the configuration surface around it is a mess of chains, intermediates, SAN entries, OCSP staplers, pinning policies, deprecated cipher suites, and one ACME client that only works half the time. Every joke in the list is the gap between the spec being correct and the deployment being a personal disaster. Let's Encrypt has automated most of this away for most people, which means when something still breaks, it breaks in the dramatic way: at 3:47 a.m. on a Saturday, on the only certificate the auto-renew was not configured for.
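As an added example (not the article's own code), here is the check that the postmortem above keeps asking for, written in Go because its standard library ships a full X.509 verifier. It builds a throwaway root, intermediate and wildcard leaf in memory (constructed for the example: the names `Example Test Root`, `*.example.com` and the keys are not real), then verifies the leaf the way curl or a CI runner would, with only the intermediates the server actually sent, the hostname matched against the SAN, and the validity window checked against the clock. The `checkServerCert` and `buildPKI` helper names and the `warnDays` threshold are this example's own. It reproduces several of the failures in the list: the missing intermediate, the wildcard that does not cover a deeper label, the cert with a few days left, and the cert that already expired.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math"
	"math/big"
	"time"
)

// CheckResult is what an expiry/chain monitor would report for one endpoint.
type CheckResult struct {
	DaysLeft int    // whole days until the leaf's NotAfter (negative once expired)
	ChainOK  bool   // true when a strict client can build a path to the trusted root
	Problem  string // empty only when the certificate is healthy
}

// checkServerCert verifies a leaf the way a strict client (curl, a CI runner) does:
// only the intermediates the server actually sent are usable (no AIA fetching), the
// hostname must match a SAN entry (the CN is ignored), and validity is checked against
// the current clock. A chain that verifies but has under warnDays left is still flagged.
func checkServerCert(leaf *x509.Certificate, sent []*x509.Certificate,
	root *x509.Certificate, hostname string, warnDays int) CheckResult {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range sent {
		inters.AddCert(c)
	}
	res := CheckResult{DaysLeft: int(math.Ceil(time.Until(leaf.NotAfter).Hours() / 24))}
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: hostname}
	if _, err := leaf.Verify(opts); err != nil {
		res.Problem = err.Error() // unknown authority, hostname mismatch, expired, ...
		return res
	}
	res.ChainOK = true
	if res.DaysLeft < warnDays {
		res.Problem = fmt.Sprintf("renew now: expires in %d days", res.DaysLeft)
	}
	return res
}

// issue generates a throwaway P-256 key and a certificate for tmpl signed by
// parentKey (self-signed when parent is nil). Constructed test PKI, nothing real.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// buildPKI returns a root, an intermediate signed by it, and a 90-day wildcard
// leaf for *.example.com signed by the intermediate and expiring at leafNotAfter.
func buildPKI(leafNotAfter time.Time) (root, inter, leaf *x509.Certificate) {
	now, year := time.Now(), 365*24*time.Hour
	caUsage := x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	root, rootKey := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test Root"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(10 * year),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: caUsage,
	}, nil, nil)
	inter, interKey := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Example Test Intermediate"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(5 * year),
		IsCA: true, BasicConstraintsValid: true, MaxPathLenZero: true, KeyUsage: caUsage,
	}, root, rootKey)
	leaf, _ = issue(&x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "*.example.com"}, // CN alone is not enough
		DNSNames:     []string{"*.example.com"},             // the SAN is what clients match
		NotBefore:    leafNotAfter.Add(-90 * 24 * time.Hour), NotAfter: leafNotAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, inter, interKey)
	return root, inter, leaf
}

func main() {
	root, inter, leaf := buildPKI(time.Now().Add(80 * 24 * time.Hour))
	full := []*x509.Certificate{inter}
	fmt.Printf("full chain:       %+v\n", checkServerCert(leaf, full, root, "api.example.com", 14))
	fmt.Printf("leaf only:        %+v\n", checkServerCert(leaf, nil, root, "api.example.com", 14))
	fmt.Printf("wildcard depth:   %+v\n", checkServerCert(leaf, full, root, "deep.api.example.com", 14))
}
```

The leaf-only case fails with an unknown-authority error even though the certificate itself is perfectly valid, which is exactly the curl-on-a-CI-runner failure: the browser on your laptop quietly fetched the intermediate, the strict client did not. The `warnDays` threshold is the monitoring the postmortem wished for; feed `DaysLeft` into an alert with whatever margin your renewal automation needs to recover from a failed run.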



Ishan Karunaratne

Tech Architect · Software Engineer · AI/DevOps

Tech architect and software engineer with 20+ years building software, Linux systems, and DevOps infrastructure, and lately working AI into the stack. Currently Chief Technology Officer at a healthcare tech startup, which is where most of these field notes come from.
