Doh! Sage Pay forgets to renew SSL certificate

Customers logging into "secure and efficient payment service" Sage Pay this morning were served up an error message saying that the site could not be trusted, and didn't have a valid security certificate.

[Image: SSL certificate error message, credit: screengrab]

Looks like someone forgot to renew the site's SSL certificate – which …

COMMENTS

This topic is closed for new posts.

To be fair the live.sagepay.com domain, which processes all payments, is under a different certificate, so this would have only affected their portal.

2
0

someone outside the company

outsourcing gives you someone to blame whose training you are not responsible for

6
0
Anonymous Coward

How can it possibly have "no effect on our customers"? Are they suggesting that their customers should ignore failed certificate validation?

7
1
Silver badge
FAIL

> Are they suggesting that their customers should ignore failed certificate validation?

Yes!

Please type in your password here: _

Stupidity training at its best.

0
1
FAIL

Read Jeff's comment.

1
0
Bronze badge

ah, load balancers

Especially ones not managed by the same folks that manage the webservers themselves.

This raises a question to which I'd appreciate frank, brutal or even silly answers: If you have load balancers and provide SSL connections, do you use the same CA-issued certificate on both your load balancers and your backend web servers? Or do you only install the CA-issued certificate on your load balancers and use internal-CA-signed certificates internally? The downside being having to manage additional certificates, and the upside being that your internal certificates can be issued for 10 years and as long as they don't all expire on the same day, while you may run degraded for 30 minutes if one of your servers is taken out of the pool, you won't go down hard.

1
1
Linux

Re: ah, load balancers

Typically you'd just install the certificate on the reverse proxies (acting as both load balancers and failover) and then skip SSL encryption between the reverse proxies and application servers since you are already inside a closed network, usually just transferring TCP packages between the DMZ and application server network through the firewall. This saves the SSL encryption overhead and enables you to geek away with content caching options on the RPs as well.

0
0
Facepalm

Ah, that ol' chestnut...the third party supplier was it? Yeeeeesssss, of course it was.

0
0
FAIL

It is minor issue, which has no impact on our customers.

WTF - not trading has a massive impact on their customers, perhaps they forget who their customers are and who makes them their money

0
0
Bronze badge
Devil

What?

What? Money comes from customers?

0
0
Bronze badge
Devil

What?

What? Money comes from customers?

Surely money is generated through procedures!

1
0
Joke

Wait for it

A wise Sage once said.....

0
0

They're not the only ones with certificate issues just now

https://o2email.co.uk/html?brand=o2mailuk

0
0

nagios check

I run a nagios check which tells me how many days remain on my SSL certificate on any particular host.

0
1
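A Nagios-style check of the kind the comment above describes, as an added example (not the commenter's script). It reads the expiry from the certificate the host actually serves, so a certificate that was renewed but never installed still alerts. The function names, the 30/7-day thresholds and the script name in the usage text are assumptions.

```python
import socket
import ssl
import sys
import time

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3  # standard Nagios plugin exit codes

def classify(not_after, now, warn_days=30, crit_days=7):
    """Turn a certificate notAfter string into (exit_code, message)."""
    remaining = ssl.cert_time_to_seconds(not_after) - now
    days = int(remaining // 86400)
    if remaining <= 0:
        return CRITICAL, f"CRITICAL - certificate expired on {not_after}"
    if days < crit_days:
        return CRITICAL, f"CRITICAL - {days} day(s) left, expires {not_after}"
    if days < warn_days:
        return WARNING, f"WARNING - {days} day(s) left, expires {not_after}"
    return OK, f"OK - {days} day(s) left, expires {not_after}"

def fetch_not_after(host, port=443, timeout=10):
    """Read notAfter from the certificate the host actually serves."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]

def check(host, port=443, now=None, fetch=fetch_not_after):
    """Run the check; a failed validation (e.g. already expired) is CRITICAL."""
    try:
        not_after = fetch(host, port)
    except ssl.SSLCertVerificationError as exc:
        reason = getattr(exc, "verify_message", exc)
        return CRITICAL, f"CRITICAL - {host}: validation failed: {reason}"
    except OSError as exc:
        return UNKNOWN, f"UNKNOWN - {host}: {exc}"
    return classify(not_after, time.time() if now is None else now)

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("UNKNOWN - usage: check_cert_days.py HOST [PORT]")
        sys.exit(UNKNOWN)
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    status, message = check(sys.argv[1], port)
    print(message)
    sys.exit(status)
```

Run it once per public hostname, since a portal and a payment endpoint can sit behind different certificates.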
FAIL

Sweet Dreams

Just what I want my customers receiving, the good old "Abandon All Hope Ye Who Enter" page.

0
0
Anonymous Coward

> We currently have a valid and in-date SSL certificate and are working with our hosting company to replace the expired certificate on our site.

Valid Since: 26/04/2012 00:00:00 GMT

Well, yeah, sure, you renewed the certificate in advance and just forgot to install it.

0
0