That old certificate expired and an outage started. This is what happened next
In distributed systems, there are plenty of occasions for things to go wrong. This is why resiliency and redundancy are important. But no matter what systems you put in place, and whether or not you touched your deployments, issues might arise. This makes it critical to acknowledge the near misses: the situations where something could have gone wrong and the situations where something did, but it could have been worse. When was the last time it happened to you? For us, at Shopify, it was on September 30th, 2021, when the expiration of Let’s Encrypt’s (old) root certificate almost led to a global outage of our platform.
In April 2021, Let’s Encrypt announced that the former root certificate was expiring. As we have used Let’s Encrypt as our public certificate provider since we became a sponsor in 2016, we made sure that Shopify’s edge infrastructure was up to date with the different requirements, so we wouldn’t stop serving traffic to all of (y)our beloved shops. As always, Let’s Encrypt did their due diligence with communications and by providing a cross-signing of their new root certificate by the old one. What this means is that clients that didn’t trust the new root certificate yet could still validate it: because the new root certificate was signed by the old one, which they did trust, they would transfer that trust to the new one. Also, the period of time between the announcement and the expiration was sufficient for any Let’s Encrypt-issued certificates, which expire after three months, to be signed by the new cross-signed root certificate and considered valid using any of the old or new root certificates. We didn’t expect anything bad to happen on September 30th, 2021, when the root certificate was set to expire at 10:00 a.m. Eastern Standard Time.
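The trust paths described above, as an added example that is not code from the article: a simplified path builder in Python in which key ids stand in for real signature checks. All certificates, names and dates are constructed, except the September 30th, 2021 expiry of the old root.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Cert:
    subject: str         # name the certificate is issued to
    key: str             # id of the subject's key pair (stands in for the public key)
    issuer_key: str      # id of the key that signed it (stands in for signature checking)
    not_after: datetime  # expiry

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample chain. The new root exists twice: self-signed, and
# cross-signed by the old root's key. Both carry the same subject and key.
OLD_ROOT = Cert("old root", "k-old", "k-old", utc(2021, 9, 30))
NEW_ROOT = Cert("new root", "k-new", "k-new", utc(2035, 1, 1))
NEW_ROOT_CROSS = Cert("new root", "k-new", "k-old", utc(2024, 1, 1))
INTERMEDIATE = Cert("intermediate", "k-int", "k-new", utc(2025, 1, 1))
LEAF = Cert("shop.example", "k-leaf", "k-int", utc(2021, 12, 1))

def find_path(cert, anchors, untrusted, now, seen=()):
    """Depth-first search for an unexpired path from cert to a trust anchor."""
    if now >= cert.not_after or cert in seen:
        return None
    if cert in anchors:
        return [cert]
    # Server-supplied certificates are tried first, so a dead end through
    # the cross-sign forces a second attempt via the self-signed root.
    for issuer in [*untrusted, *anchors]:
        if issuer.key == cert.issuer_key:
            rest = find_path(issuer, anchors, untrusted, now, seen + (cert,))
            if rest:
                return [cert, *rest]
    return None

def subjects(cert, anchors, untrusted, now):
    path = find_path(cert, anchors, untrusted, now)
    return [c.subject for c in path] if path else None

if __name__ == "__main__":
    sent_by_server = [INTERMEDIATE, NEW_ROOT_CROSS]
    for label, store in [("old only", [OLD_ROOT]), ("new only", [NEW_ROOT]),
                         ("both", [OLD_ROOT, NEW_ROOT])]:
        for now in (utc(2021, 9, 1), utc(2021, 10, 1)):
            print(label, now.date(), subjects(LEAF, store, sent_by_server, now))
```

A client whose trust store holds only the old root loses its sole path once that root expires, which is the case to look for when auditing trust stores ahead of a root rotation.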