Doh! Sage Pay forgets to renew SSL certificate

Customers logging into "secure and efficient payment service" Sage Pay this morning were served up an error message saying that the site could not be trusted, and didn't have a valid security certificate. Looks like someone forgot to renew the site's SSL certificate – which …

COMMENTS

This topic is closed for new posts.
  1. Jeff 11

    To be fair the live.sagepay.com domain, which processes all payments, is under a different certificate, so this would have only affected their portal.

  2. Sam Liddicott

    someone outside the company

    outsourcing gives you someone to blame whose training you are not responsible for

  3. Anonymous Coward

    How can it possibly have "no effect on our customers"? Are they suggesting that their customers should ignore failed certificate validation?

    1. P. Lee
      FAIL

      > Are they suggesting that their customers should ignore failed certificate validation?

      Yes!

      Please type in your password here: _

      Stupidity training at its best.

    2. Sir Cosmo Bonsor
      FAIL

      Read Jeff's comment.

  4. Anonymous Coward

    ah, load balancers

    Especially ones not managed by the same folks that manage the webservers themselves.

    This raises a question to which I'd appreciate frank, brutal or even silly answers: If you have load balancers and provide SSL connections, do you use the same CA-issued certificate on both your load balancers and your backend web servers? Or do you only install the CA-issued certificate on your load balancers and use internal-CA-signed certificates internally? The downside being having to manage additional certificates, and the upside being that your internal certificates can be issued for 10 years and as long as they don't all expire on the same day, while you may run degraded for 30 minutes if one of your servers is taken out of the pool, you won't go down hard.

    1. parama
      Linux

      Re: ah, load balancers

      Typically you'd just install the certificate on the reverse proxies (acting as both load balancers and failover) and then skip SSL encryption between the reverse proxies and application servers since you are already inside a closed network, usually just transferring TCP packages between the DMZ and application server network through the firewall. This saves the SSL encryption overhead and enables you to geek away with content caching options on the RP's as well.

  5. Silverburn
    Facepalm

    Ah, that ol' chestnut...the third party supplier was it? Yeeeeesssss, of course it was.

  6. TheWeddingPhotographer
    FAIL

    It is minor issue, which has no impact on our customers.

    WTF - not trading has a massive impact on their customers, perhaps they forget who their customers are and who makes them their money

  7. Johan Bastiaansen
    Devil

    What?

    What? Money comes from customers?

  8. Johan Bastiaansen
    Devil

    What?

    What? Money comes from customers?

    Surely money is generated through procedures!

  9. Duffaboy
    Joke

    Wait for it

    A wise Sage once said.....

  10. Bodestone

    They're not the only ones with certificate issues just now

    https://o2email.co.uk/html?brand=o2mailuk

  11. Anonymous Coward

    nagios check

    I run a nagios check which tells me how many days remain on my SSL certificate on any particular host.

  12. gollux
    FAIL

    Sweet Dreams

    Just what I want my customers receiving, the good old "Abandon All Hope Ye Who Enter" page.

  13. Anonymous Coward

    > We currently have a valid and in-date SSL certificate and are working with our hosting company to replace the expired certificate on our site.

    Valid Since: 26/04/2012 00:00:00 GMT

    Well, yeah, sure, you renewed the certificate in advance and just forgot to install it.
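
The kind of check comment 11 describes, as an added example that is not part of the original thread or any commenter's own code: a Nagios-style plugin that reports days remaining on the certificate an endpoint actually serves, which also catches the case raised in comment 13 where a renewed certificate exists but was never installed. The 30/7-day thresholds, the function names and the sample date are assumptions.

```python
import socket
import ssl
import sys
import time

# Standard Nagios plugin exit codes
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3

# Constructed sample notAfter value in the format getpeercert() returns
SAMPLE_NOT_AFTER = "Jan  1 00:00:00 2030 GMT"

def days_remaining(not_after, now=None):
    """Whole days until notAfter; negative once the certificate has expired."""
    expires = ssl.cert_time_to_seconds(not_after)
    now = time.time() if now is None else now
    return int((expires - now) // 86400)

def classify(days, warn=30, crit=7):
    """Map days remaining to a Nagios status code and message (assumed thresholds)."""
    if days < 0:
        return CRITICAL, f"CRITICAL - certificate expired {-days} day(s) ago"
    if days <= crit:
        return CRITICAL, f"CRITICAL - certificate expires in {days} day(s)"
    if days <= warn:
        return WARNING, f"WARNING - certificate expires in {days} day(s)"
    return OK, f"OK - certificate valid for {days} more day(s)"

def check_host(host, port=443, warn=30, crit=7, timeout=10):
    """Check the certificate served on host:port, not a file sitting on disk."""
    ctx = ssl.create_default_context()  # validates chain, hostname and dates
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                not_after = tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError as exc:
        # Already expired or otherwise untrusted: clients see the same failure
        return CRITICAL, f"CRITICAL - {host}: {exc.verify_message}"
    except OSError as exc:
        return UNKNOWN, f"UNKNOWN - {host}: {exc}"
    return classify(days_remaining(not_after), warn, crit)

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("UNKNOWN - usage: check_cert.py HOST [PORT]")
        sys.exit(UNKNOWN)
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    status, message = check_host(sys.argv[1], port)
    print(message)
    sys.exit(status)
```

Run it against every public endpoint, including each load balancer and portal hostname, since a valid certificate on one host says nothing about another.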
