this post was submitted on 05 Jan 2026
330 points (99.4% liked)

PC Gaming
[–] dgdft@lemmy.world 5 points 3 days ago* (last edited 3 days ago) (2 children)

Have you had Certbot or LE fail on prod for you before?

I’m sure stuff happens, but I usually view them as one of the most robust moving parts on a server.

E: I don’t mean to express disbelief at all; just curious to learn about possible footguns.

[–] four@lemmy.zip 14 points 3 days ago (2 children)

Certbot / LE has to be running on some machine and that machine can be accidentally turned off, payments not fulfilled, was supposed to be moved but the new instance doesn't work, gateway configuration changed, etc.

Automation requires maintenance and that introduces human error.

[–] AmbiguousProps@lemmy.today 5 points 3 days ago* (last edited 3 days ago)

Like dgdft said, if you're using certbot, it should typically be running on the machine that your endpoints are hosted on. Enterprise solutions don't require this, but they have other means of deploying certificates automatically and alarming if they are unable to, before they expire. My organization has dashboards showing which certs expire and when, and it triggers alarms at least a month before anything goes wrong.

High stakes automation should always have alarms on error, and since certs have set expiration dates baked into them, you can alarm far before anything goes wrong. Apparently, Riot didn't have that.

Also, more frequent renewals make it so that people are less likely to forget it exists. Because of that, along with the possible security ramifications, 2- to 10-year certs should never be used, in my opinion. A 10-year cert will always get kicked on to the next team and it's very possible for things to fall through the cracks.

[–] dgdft@lemmy.world 4 points 3 days ago

Certbot/LE should typically be running on the box that's terminating TLS for you, right? If the box handling your traffic is down, shouldn't that be a self-evident problem?

I've been running Caddy and certbot for nearly a decade and never found a way for them to break without it being 100% my fault. They're more or less self-healing too. I'm with AmbiguousProps; cert renewals have been pretty damn reliable to automate compared to any other piece of tech, IME.

[–] phx@lemmy.world 2 points 2 days ago

Yeah, I've had certbot mess up a few times, though more often it was the scripts that actually shuttle the updated certs to their proper locations and restart services after updating.