Expired certificate on hosted version of aeternal.io

Hi,

https://mainnet.aeternal.io/ responds sometimes with this certificate:

~> certtool --certificate-info
...
X.509 Certificate Information:
        Version: 3
        Serial Number (hex): 03503b05f86d1b94e5fb13f9f993d1ce25fa
        Issuer: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
        Validity:
                Not Before: Wed Mar 18 12:31:38 UTC 2020
                Not After: Tue Jun 16 12:31:38 UTC 2020
...

I would say once in about 10 tries I’m receiving that expired cert:

~> for i in (seq 1 20); curl -s https://mainnet.aeternal.io/robots.txt -o /dev/null -w 'ip: %{remote_ip}, ssl verify: %{ssl_verify_result}\n'; sleep 2; end
ip: 195.201.174.46, ssl verify: 10
ip: 195.201.174.46, ssl verify: 0
ip: 195.201.174.46, ssl verify: 0
ip: 195.201.174.46, ssl verify: 0
ip: 195.201.174.46, ssl verify: 0
ip: 195.201.174.46, ssl verify: 10
ip: 195.201.174.46, ssl verify: 0
ip: 195.201.174.46, ssl verify: 0
ip: 195.201.174.46, ssl verify: 0
...
1 Like
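
Added example, not part of the original posts: a Python helper that reads output in the format of the curl loop above, maps the `ssl_verify_result` codes to their OpenSSL meaning, and estimates how many probes a monitor needs before it is likely to hit a backend that serves the stale certificate only some of the time. The code table assumes a curl build that uses OpenSSL; the function names are illustrative.

```python
import math
import re
import sys
from collections import Counter, defaultdict

# OpenSSL X509_V_* codes as printed by curl's %{ssl_verify_result}
# (assumption: curl is built against OpenSSL).
VERIFY_CODES = {0: "ok", 9: "certificate is not yet valid",
                10: "certificate has expired", 18: "self-signed certificate",
                20: "unable to get local issuer certificate"}
LINE_RE = re.compile(r"ip: (?P<ip>\S+), ssl verify: (?P<code>\d+)")

# The nine results quoted in the first post, rebuilt in the same line format.
SAMPLE = ["ip: 195.201.174.46, ssl verify: %d" % c
          for c in (10, 0, 0, 0, 0, 10, 0, 0, 0)]

def summarize(lines):
    """Return {ip: Counter({verify_code: count})}; other lines are skipped."""
    per_ip = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            per_ip[m["ip"]][int(m["code"])] += 1
    return dict(per_ip)

def probes_needed(fail_rate, confidence=0.95):
    """Independent probes needed to see at least one failing response."""
    if fail_rate <= 0:
        raise ValueError("no failures observed")
    if fail_rate >= 1:
        return 1
    return math.ceil(math.log(1 - confidence) / math.log(1 - fail_rate))

def report(lines):
    """One row per (ip, failing verify code) with the observed rate."""
    rows = []
    for ip, codes in summarize(lines).items():
        total = sum(codes.values())
        for code, n in sorted(codes.items()):
            if code != 0:
                reason = VERIFY_CODES.get(code, "other verify error")
                rows.append((ip, code, reason, n, total, probes_needed(n / total)))
    return rows

if __name__ == "__main__":
    lines = sys.stdin if not sys.stdin.isatty() else SAMPLE
    for row in report(lines):
        print("%s: verify=%d (%s) in %d/%d probes; >=%d probes for 95%% detection" % row)
```

On the nine sampled lines this reports 2 of 9 responses with code 10 and 12 probes for a 95% chance of catching one; at the "once in about 10 tries" rate the figure is 29, which is why a single-probe certificate check can miss this kind of fault.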

I think @dincho.chain is already on it.

Hi, thanks for reporting.

I was able to reproduce it. It was a weird issue, my blind shot would be that the certificate was auto-renewed yesterday and certbot is doing an Apache reload instead of a restart, which left a cached old certificate in the master process. I just did a restart and that seems to solve it for me, I’m not able to reproduce it anymore.

Could you please try to reproduce it again on your end?

Again, thanks for the detailed report, I really appreciate it.

Also, please use https://mainnet.aeternity.io instead.

3 Likes

Hello :).

I would like to report that this issue has occurred again - it seems that once every couple of connections I’m getting a response with an expired certificate (only for the *.aeternal.io version).

For the *.aeternity.io version, once every couple of requests I’m getting a 502 from CloudFront - if I had to guess, it uses the same backend. Although it is a lot harder to reproduce on the *.aeternity.io version. I have managed to catch one 502 from CloudFront with Firefox, after multiple tries.

Thank you for maintaining aeternal and keeping that public instance alive, it makes interacting with the aeternity blockchain a lot easier (in comparison to other blockchains).

1 Like

I guess cc @karol.chain