Online Issue - HTTPS Certificate Error
Recently, the operations team reported that our production System A login failed. Login failure is a major issue, and the business team almost directly escalated it to P1 - the highest priority bug that must be resolved within 2 hours. The situation was quite tense and serious…
I went to check and found the browser warning that the connection was not secure. Such a warning usually has one of two causes:
- The certificate has expired
- The certificate was issued for a different hostname (name mismatch)
After inspecting the certificate I found that it had indeed been issued for *.lenovomm.com, while our system is served at a.lenovo.com, so it was clearly a name mismatch. I contacted the responsible team; their diagnosis was that the original certificate had expired and the manual renewal had been done incorrectly. Once the correct certificate was deployed, the issue was resolved.
Although the incident was resolved, several points are worth summarizing so that similar problems can be avoided in the future; the underlying concepts are worth understanding.
Certificate Validity Period
HTTPS certificates no longer come with 10-year validity periods. Publicly trusted certificates are currently capped at 398 days (roughly 13 months), and the cap is being shortened further, so renewal is inevitable and recurring.
Automated Operations
Certificate renewal is repetitive manual work, and repetitive manual work is where mistakes happen, as this incident shows. Automate it: issue and renew through ACME where possible, deploy the new certificate from the pipeline rather than by hand, and run a monitor that checks every public endpoint for the expiry date and for a name that actually covers the hostname, so a bad renewal is caught before the first user sees it.
HTTPS Certificate Caching
When the problem occurred, one colleague said their computer was fine. Why? Most likely because their browser still held a connection (or a resumed TLS session) that had been negotiated before the bad certificate went live. A certificate is validated at handshake time; an already open connection is not re-checked. As soon as a fresh connection is made, the browser sees the new certificate and shows the error. Another common cause of "works for me" is several servers behind one name with only some of them updated, so check which server you actually hit before concluding that a fix is complete.
Wildcard Certificates
- A wildcard certificate such as *.lenovo.com covers any hostname exactly one label below lenovo.com (a.lenovo.com, b.lenovo.com). It does not cover lenovo.com itself, and it does not cover deeper names such as b.a.lenovo.com, which need their own certificate (or their own wildcard, *.a.lenovo.com).
- Wildcard certificates reduce issuance cost and effort, but a single bad renewal or a leaked private key affects every site under the wildcard at once. They have both advantages and disadvantages and need extra care.
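The following script is an added example, not code from the original post, that turns the diagnosis above and the monitoring advice from the automation section into something a cron job can run. It implements the browser wildcard-matching rule just described, checks expiry with a warning window, and, for live use, fetches a host's leaf certificate with nothing but Python's standard library. The INCIDENT_CERT dictionary and its dates are constructed to mirror the incident (a *.lenovomm.com certificate served at a.lenovo.com); the hostnames are the ones from the post, and the 14-day warning window is an assumed policy.

```python
"""Certificate checks a monitor would run: name coverage and expiry.

Added example (not from the original post); standard library only.
INCIDENT_CERT is constructed to mirror the incident in the post.
"""
import socket
import ssl
import sys
import time


def hostname_matches(pattern, hostname):
    """Match a certificate DNS name against a hostname the way browsers do
    (RFC 6125 rules): a wildcard is allowed only as the whole left-most label
    and matches exactly one label. So *.lenovo.com covers a.lenovo.com but
    neither lenovo.com itself nor b.a.lenovo.com."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False  # partial (a*.example) or non-leftmost wildcards are refused
    if len(p_labels) < 3:
        return False  # *.com would cover a whole TLD; browsers reject it
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def check_cert(cert, hostname, now=None, warn_days=14):
    """Return a list of problems for a certificate given in the dict shape that
    ssl.SSLSocket.getpeercert() returns. An empty list means the certificate
    covers `hostname` and is not about to expire (warn_days is an assumed
    renewal policy)."""
    now = time.time() if now is None else now
    problems = []
    san = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(hostname_matches(name, hostname) for name in san):
        problems.append("name mismatch: %s is not covered by %s" % (hostname, san))
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])  # "Jan  1 00:00:00 2025 GMT"
    days_left = (not_after - now) / 86400
    if days_left <= 0:
        problems.append("expired on " + cert["notAfter"])
    elif days_left < warn_days:
        problems.append("expires in %d days, renew now" % days_left)
    return problems


def fetch_cert(host, port=443, timeout=5):
    """Live variant for a monitor. Chain verification stays on, but OpenSSL's
    own hostname check is turned off so a mismatched certificate is returned
    for reporting instead of aborting the handshake. An expired certificate
    still fails verification and raises ssl.SSLCertVerificationError; with
    verification off, getpeercert() would return an empty dict, so do not
    lower verify_mode to get at the certificate."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # hostname_matches() does this check instead
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


INCIDENT_CERT = {
    # Constructed to mirror the incident; not a real certificate.
    "subject": ((("commonName", "*.lenovomm.com"),),),
    "subjectAltName": (("DNS", "*.lenovomm.com"), ("DNS", "lenovomm.com")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
}


if __name__ == "__main__":
    if len(sys.argv) > 1:  # python cert_check.py a.lenovo.com
        host = sys.argv[1]
        try:
            problems = check_cert(fetch_cert(host), host)
        except ssl.SSLCertVerificationError as exc:
            problems = ["chain/expiry verification failed: %s" % exc]
    else:  # offline demo on the constructed incident certificate
        host = "a.lenovo.com"
        problems = check_cert(INCIDENT_CERT, host, now=1717200000)  # 2024-06-01 UTC
    print(host, "OK" if not problems else "; ".join(problems))
    sys.exit(1 if problems else 0)
```

Run without arguments it reproduces the incident offline and reports the name mismatch; given a hostname it performs the live check and exits non-zero on any problem, which is the shape a monitoring job wants. The reason `fetch_cert` only relaxes the hostname check and not the chain check is a standard-library quirk worth knowing: with `verify_mode = CERT_NONE`, `getpeercert()` returns an empty dictionary, so you would have nothing to inspect.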
Chrome/Firefox HTTPS Security Warnings
Previously, when a certificate check failed you could click through the warning and continue; that escape hatch is now much narrower. Chrome and Firefox still offer a "proceed anyway" option behind an "Advanced" button for ordinary certificate errors, but for sites that use HSTS (including those on the browsers' preload list) the bypass is removed entirely, so a certificate error on such a site is a hard outage for every user rather than something support can talk people around.