Smarty incident

TLS Certificate Validity

Minor Resolved

Smarty experienced a minor incident on May 30, 2020 affecting US East 1 and US East 1 and 1 more component, lasting 4h 7m. The incident has been resolved; the full update timeline is below.

Started
May 30, 2020, 04:40 PM UTC
Resolved
May 30, 2020, 08:48 PM UTC
Duration
4h 7m
Detected by Pingoru
May 30, 2020, 04:40 PM UTC

Affected components

US East 1, US West 1, US Central 1, US East 1, US West 1

Update timeline

  1. investigating May 30, 2020, 04:35 PM UTC

    We are investigating reports of users receiving TLS certificate validity errors.

  2. investigating May 30, 2020, 04:40 PM UTC

    A preliminary analysis appears to show that this is affecting systems which are using an older "root certificate". We are researching the best way to help users mitigate the issue. There appear to be other reports about this on other services as well: https://security.stackexchange.com/questions/232445/https-connection-to-specific-sites-fail-with-curl-on-macos/232448#comment475027_232446

  3. identified May 30, 2020, 06:19 PM UTC

    The TLS certificate we are using is based upon a cross-signed root certificate issued by Comodo. One of the trust pathways expired at around 7:00 AM Eastern Time today. The expired trust pathway has been mitigated in modern and updated software systems including web browsers and operating systems. A handful of clients using older (often unmaintained or unsupported) operating systems and versions (including RedHat Linux 4.x or old versions of libcurl and OpenSSL) have been experiencing connectivity issues because updates to root certificates were not available on these older systems.

    As a mitigating effort, we identified a third possible trust pathway that many of these older clients might be able to utilize with our cross-signed certificate and we added the appropriate intermediate certificates in the chain in order to allow that alternate pathway to be utilized so long as the additional certificate authority (AAA Certificate Services, expiration 2028) is trusted by the system.

    For clients that continue to experience ongoing TLS connectivity issues, the only other possible alternative at this point is to manually add the newer version of the AddTrust Certificate Authority to your system "trust store" location: https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-2020

    For additional information on the certificate chain, please utilize the SSL Labs report found here: https://www.ssllabs.com/ssltest/analyze.html?d=api.smartystreets.com&hideResults=on

  4. monitoring May 30, 2020, 06:22 PM UTC

    A fix has been implemented and we are monitoring the results.

  5. resolved May 30, 2020, 08:48 PM UTC

    This incident has been resolved.
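
The trust-pathway behaviour described in the "identified" update can be reproduced with a small path-building model. This is an added example, not code from Smarty or Sectigo: it checks name chaining and expiry only (no signatures), and every certificate name and date other than the AddTrust and AAA roots and their 2020-05-30 / 2028 expiries is constructed for illustration.

```python
from datetime import datetime, timezone
from typing import NamedTuple

class Cert(NamedTuple):
    subject: str
    issuer: str
    not_after: datetime

def utc(*a):
    return datetime(*a, tzinfo=timezone.utc)

# Constructed model. Only the AddTrust and AAA names and the 2020-05-30 / 2028
# expiries come from the incident text; every other name and date is invented.
EXPIRY = utc(2020, 5, 30, 11, 0)  # "around 7:00 AM Eastern", approximated
LEAF = Cert("api.example.test", "Issuing CA", utc(2021, 6, 1))
ISSUING = Cert("Issuing CA", "Cross-signed root", utc(2030, 1, 1))
VIA_ADDTRUST = Cert("Cross-signed root", "AddTrust External CA Root", EXPIRY)
VIA_AAA = Cert("Cross-signed root", "AAA Certificate Services", utc(2028, 12, 31))
ROOT_ADDTRUST = Cert("AddTrust External CA Root", "AddTrust External CA Root", EXPIRY)
ROOT_AAA = Cert("AAA Certificate Services", "AAA Certificate Services", utc(2028, 12, 31))
ROOT_NEW = Cert("Cross-signed root", "Cross-signed root", utc(2038, 1, 1))

def find_paths(cert, served, store, path=()):
    """Yield every chain from cert up to a root in the trust store."""
    path += (cert,)
    for root in store:
        if root.subject == cert.issuer:
            yield path + (root,)
    for ca in served:  # intermediates sent by the server
        if ca.subject == cert.issuer and ca not in path:
            yield from find_paths(ca, served, store, path)

def verify(leaf, served, store, now):
    """Return the subjects of the first unexpired chain, or None."""
    for chain in find_paths(leaf, served, store):
        if all(now <= c.not_after for c in chain):
            return [c.subject for c in chain]
    return None

INCIDENT = utc(2020, 5, 30, 16, 40)
OLD_STORE = [ROOT_ADDTRUST, ROOT_AAA]            # never received the newer root
NEW_STORE = [ROOT_ADDTRUST, ROOT_AAA, ROOT_NEW]  # updated client
BEFORE_FIX = [ISSUING, VIA_ADDTRUST]             # chain served before mitigation
AFTER_FIX = [ISSUING, VIA_ADDTRUST, VIA_AAA]     # alternate pathway added
```

Calling `verify(LEAF, BEFORE_FIX, OLD_STORE, INCIDENT)` returns `None`, while the same client against `AFTER_FIX` succeeds through AAA Certificate Services, and only if that root is present in its store.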