Comments & Opinions

Hurry Hup and Wait!

Ok, I'll write it here that I have no interest in writing somewhere else.

So, in my pool of "responsability" there is also the management and handling of a number of SSL Certificates, that need to be replaced when they are approaching the expiration date. The task is helped by the use of some monitoring tool that send me a mail when a certificate has only about 30 days left before expiration. That way I can have a look and decide what to do.

In most cases the whole thing turns into requesting a new certificate, eventually go to the Finance Dep asking for money to pay it, and once received it simply do the normal clickety-click dance to put it where it needs to be. All this normally doesn't take more than 10 minutes.

However, sometimes the cert neeed also to be installed on one or more firewalls, and those are normally under the responsability of our Networking Department.

Now, I am not a great fan of "segmentation", but I also understand that if some stuff is manipulated by a bit too many peoples, figuring out who did what and why can become quite challenging, and when a firewall gets f*ed, is better if there is a "responsible" person nearby that you can throw to the wolves.

In those cases (firewall or such under Networking), what I do is to follow the procedure: open a ticket, usually CCed to the person I know that knows what to do and how. In most cases, that person is actually doing nothing so the ticket is taken care of immediately and everything is done in about 10 minutes. As it should always be. But sometimes, the ticket is grabbed by the "Change Manager" and at that point I can be sure that a 10 minute job will become a 10 days slog.

So, when at the beginning of November (NOVEMBER), I got the mail that "*.somethingsomething.nl" will expire on 15 December (DECEMBER), I didn't worried too much. I did my part, got the new cert and installed wherever I could. But this is one of those cases when part of the "services"  are goint through a firewall that also does SSL offloading.

I made my ticket and specified that "it would be better to do the replacement BEFORE the end of November, since some peoples have issues in doing changes in December".

After that, I didn't heard anything. Until Thursday 27 November, when one of our Network guys (Networkist? Networkanist?) asked what the fuck that was. I simply replied that it is a dumb firewall and what it needs to be done is to get the certificate, eventually prepare the corresponding chain, upload the whole stuff on the firewall using the web interface, then go through the list of services and "attach" the certificate, still via the web interface.

Now, I have an account on the firewall, but is a read-only one, so I can see stuff, but not do much. And if you're asking yourself why (and if you aren't asking I'll tell you anyway because that's the way), I got that account so I can check in the logs when peoples complains they can't do stuff.

At that point however, I asked what the heck happened to that request, that IMHO shouldn't take more than 10 minutes. The answer was that it got delayed because other issues and it was scheduled for the Friday 28. Friday that is also the last working day of November. And yes, it is, TECHNICALLY, before the end of November... but.. meh.

Anyway, Friday I had other things in my mind and didn't looked at that, in fact I completely forgot about it until today, Wednesdat 3 December (that is AFTER the month of November), when I got in the office and found out a bunch of mail of peoples that couldn't connect with the system anymore.

I got a bit worried: that system is using a couple of Storages that are really old and both of them (prod and backup) have a couple of broken disks and there is no way to get new disks anymore. We're working to replace both storages with something... less old... and still functional, but nothing is ever simple when Storage is involved. So I was worried that one of them was gone to pasture, but no, the problem was some issue in accessing services like SMTP and IMAP.

But somebody pointed out that if they use "pop.somethingsomething" instead of "smtp.somethingsomething" it works. And that pointed me on something, because "pop" doesn't point to the firewall but to a proxy server that is under my management, while "smtp" goes to the firewall. And yes, you can use "pop" to connect to the "smtp" service, just use the correct port number.

A quick check tells me that the service works, and the firewall returns the new certificate, but instead of the normal certificate chain, it returns 3 copies of the same certificate. So something went wrong during the installation. Installation that happened at 17.30 on Tuesday. Of course.

At this point I grabbed the "standby" person and told him to fallback on the old certificate that I know it works. And then we'll see what the heck happend.

It turned out that the "change manager" got worried that the thing went beyond the specified time and decided that the best thing to do was to toss it on the top of the pil. Unfortunately, on Tuesday a lot of things got tossed on the top of the pile, and who was trying to dig his way out of the pile did the job quickly, way too quickly, at 17.30 before leaving and didn't checked anything (a common "openssl s_client" would have showed the issue).

Then, since everybody was looking interestedly at the tip of their own shoes, I asked "why THE FUCK cannot I get a full account on that FUCKING firewall so I can do these kind of stuff by myself that is also faster".
 

Davide Bianchi
03/12/2025 10:19

Comments are added when and more important if I have the time to review them and after removing Spam, Crap, Phishing and the like. So don't hold your breath. And if your comment doesn't appear, is probably becuase it wasn't worth it.

---

By Marco posted 03/12/2025 11:58 - replyreply

---

@ Marco By Davide Bianchi posted 04/12/2025 09:35 - replyreply

---

By gabriel pappalardo posted 03/12/2025 13:36 - replyreply

---

@ gabriel pappalardo By Davide Bianchi posted 04/12/2025 09:37 - replyreply

---

By Anonymous coward posted 04/12/2025 08:54 - replyreply

---

@ Anonymous coward By Davide Bianchi posted 04/12/2025 09:37 - replyreply

---

@ Davide Bianchi By Torre posted 04/12/2025 10:14 - replyreply

---

@ Torre By Davide Bianchi posted 04/12/2025 11:56 - replyreply

---

@ Davide Bianchi By Anonymous coward posted 05/12/2025 09:23 - replyreply

---

By Riccardo Bisleri posted 04/12/2025 17:17 - replyreply

---

By Massimo M. posted 05/12/2025 12:17 - replyreply

---

@ Massimo M. By JaM posted 10/12/2025 10:10 - replyreply

---

By Messer Franz posted 12/12/2025 10:57 - replyreply

---

@ Messer Franz By Davide Bianchi posted 17/12/2025 07:13 - replyreply

---

@ Davide Bianchi By Messer Franz posted 03/01/2026 20:06 - replyreply

---

Previous Next

This site is made by me with blood, sweat and gunpowder, if you want to republish or redistribute any part of it, please drop me (or the author of the article if is not me) a mail.