
Security Certificate Expired


cb1111

Newbie
Location
Virginia, USA
There's two ways of getting an SSL certificate for use on a website:
1.) pay for a trusted one
2.) use a free one from Let's Encrypt that only lasts for 3 months at a time and hope that some janky backend script will work and auto refresh it each time.

Guess which path the owners of MK7 went? Snark aside, feel free to DM if you need help fixing this.


Good advice in general that everyone should practice. But has nothing to do with the lapsed SSL cert in this case.
Assuming that is all there is.
 

IWMTom

Autocross Newbie
There's two ways of getting an SSL certificate for use on a website:
1.) pay for a trusted one
2.) use a free one from Let's Encrypt that only lasts for 3 months at a time and hope that some janky backend script will work and auto refresh it each time.

Guess which path the owners of MK7 went? Snark aside, feel free to DM if you need help fixing this.


Good advice in general that everyone should practice. But has nothing to do with the lapsed SSL cert in this case.
A cert is a cert. If set up correctly, there's absolutely nothing wrong with Let's Encrypt.
 

swcrow

Autocross Champion
Location
Virginia
Car(s)
7.5 GTI
Dang it... now I can’t access from Firefox from work laptop...
 

beardedGTI

Ready to race!
Location
Louisville, KY
Car(s)
2017 GTI Sport 6mt
A cert is a cert. If set up correctly, there's absolutely nothing wrong with Let's Encrypt.
And what happened here? It wasn’t set up properly and the site was fubared for a few days. You get exactly what you pay for with LE which is the bare minimum. I would never use it for mission critical stuff.
 

IWMTom

Autocross Newbie
And what happened here? It wasn’t set up properly and the site was fubared for a few days. You get exactly what you pay for with LE which is the bare minimum. I would never use it for mission critical stuff.
And what exactly would happen if you didn't autorenew a paid cert? Literally the same thing...
The problem we're seeing here is bad management, nothing more, nothing less.
 

RudyH

Go Kart Champion
Location
Kitchener, ON
You can pay to auto renew a paid certificate, but you still have to update the appropriate web services with said certificate.
Beginning in September 2020, SSL certs are only allowed to last 398 days. Often companies were taking out 3-5 yr certs and thought they would be good for that period of time, but browsers will not accept it either.

That said, if you look at the certificate, it is as mentioned by beardedGTI, a free 'Let's Encrypt' certificate - so first step would be for someone to work on putting reminders in their calendar, because regardless you are going to need to renew them.

Before we get all worked up, I am sure this site is a hobby and not a mission critical site. What do you expect you are getting from a free service / site?
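
Added example, not part of the thread or any poster's code: the calendar reminder discussed above, expressed as a check a monitoring job could run against a certificate's validity dates, which also flags lifetimes over the 398-day limit mentioned in the post. The 30-day alert window, the function names and the sample certificates are assumptions constructed for illustration; the input is a dict in the shape Python's `ssl.SSLSocket.getpeercert()` returns.

```python
import ssl
from datetime import datetime, timedelta, timezone

MAX_LIFETIME = timedelta(days=398)  # browser-enforced limit cited in the thread
RENEW_WINDOW = timedelta(days=30)   # assumed alert threshold, tune to taste


def _parse(field):
    """Convert a notBefore/notAfter string to an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(field), tz=timezone.utc)


def check_cert(cert, now):
    """Return a list of findings for one certificate at time `now` (UTC)."""
    not_before = _parse(cert["notBefore"])
    not_after = _parse(cert["notAfter"])
    findings = []
    if now < not_before:
        findings.append("not-yet-valid")
    if now >= not_after:
        findings.append("expired")
    elif not_after - now <= RENEW_WINDOW:
        findings.append("renew-soon")
    # A long-lived cert can be inside its dates and still be rejected by browsers.
    if not_after - not_before > MAX_LIFETIME:
        findings.append("lifetime-over-398-days")
    return findings or ["ok"]


# Constructed sample data: a 90-day certificate and a 3-year certificate.
NINETY_DAY = {"notBefore": "Jan  1 00:00:00 2021 GMT",
              "notAfter": "Apr  1 00:00:00 2021 GMT"}
THREE_YEAR = {"notBefore": "Oct  1 00:00:00 2020 GMT",
              "notAfter": "Oct  1 00:00:00 2023 GMT"}

if __name__ == "__main__":
    for day in (datetime(2021, 2, 1), datetime(2021, 3, 15), datetime(2021, 4, 5)):
        now = day.replace(tzinfo=timezone.utc)
        print(now.date(), "90-day cert:", check_cert(NINETY_DAY, now))
    print("3-year cert:", check_cert(THREE_YEAR, datetime(2021, 3, 15, tzinfo=timezone.utc)))
```

Run on a schedule and wired to an alert, a check like this catches a failed auto-renewal while the certificate is still valid, whether the certificate is free or paid.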
 

IWMTom

Autocross Newbie
You can pay to auto renew a paid certificate, but you still have to update the appropriate web services with said certificate.
Beginning in September 2020, SSL certs are only allowed to last 398 days. Often companies were taking out 3-5 yr certs and thought they would be good for that period of time, but browsers will not accept it either.

That said, if you look at the certificate, it is as mentioned by beardedGTI, a free 'Let's Encrypt' certificate - so first step would be for someone to work on putting reminders in their calendar.

Before we get all worked up, I am sure this site is a hobby and not a mission critical site. What do you expect you are getting from a free service / site?
I expect basic security housekeeping to be kept in order.

We're all grateful for the site, but that doesn't excuse letting the cert expire.

There's plenty of engineers on this forum that would be more than happy to help out, myself included.
 

IWMTom

Autocross Newbie
You might be out of luck, corporations like Microsoft don't even have basic security housekeeping...then you got companies like SolarWinds...again don't get so worked up, can avoid the site till they fix it.
No need to avoid; the expired cert isn't really a security issue. Data is still encrypted.

It's still disappointing to see though; big scary messages telling you that things aren't secure tend to scare people off or send them into panic mode unduly.
 

absoluteczech

GolfMKV ADMlN
Location
SoCal
Car(s)
981 Cayman & GTI SE
No need to avoid; the expired cert isn't really a security issue. Data is still encrypted.

It's still disappointing to see though; big scary messages telling you that things aren't secure tend to scare people off or send them into panic mode unduly.
Exactly, it just means the data transmitted across the site is not protected. However, if the website was compromised or there was a man-in-the-middle attack, a hacker could get your login credentials when trying to log in to an unsecure website or site with an expired cert. But then again, I never use important passwords for forums anyways. As @IWMTom mentioned, it's clear the admins or whoever runs the page clearly aren't always present :(
 

IWMTom

Autocross Newbie
Exactly, it just means the data transmitted across the site is not protected. However, if the website was compromised or there was a man-in-the-middle attack, a hacker could get your login credentials when trying to log in to an unsecure website or site with an expired cert. But then again, I never use important passwords for forums anyways. As @IWMTom mentioned, it's clear the admins or whoever runs the page clearly aren't always present :(
An expired cert still continues to operate in the same way as an in date cert. It just produces nasty warnings.
 

absoluteczech

GolfMKV ADMlN
Location
SoCal
Car(s)
981 Cayman & GTI SE
An expired cert still continues to operate in the same way as an in date cert. It just produces nasty warnings.
You sure? I was always under the impression that if a bound cert was expired then it had no benefits and was essentially running HTTP vs HTTPS.
 

sterkrazzy

Autocross Champion
Location
United States
Car(s)
Turbo. Blue.
Someone pointed out the domain expires later this month too. Can't say I expect them to renew it before that happens.
 

absoluteczech

GolfMKV ADMlN
Location
SoCal
Car(s)
981 Cayman & GTI SE
Quite sure, yes.

The transmission of data from client to server and back is still encrypted.
Ah OK, I've always had it wrong then :p
 