I understand a Certificate Authority issues a certificate saying "hey, this public key is the Real Deal," but that certificate expires, because it could be Dangerous if it didn't expire. So you gotta renew them periodically!
That is the extent of my knowledge. The person at my work who is supposed to renew certs is on vacation and none of us know how to fix it. Oh no! This is just like what happened to Raddle.
So, I Googled a Solution to the Problem and am waiting for someone with permissions to come fix it. But, while waiting, I wonder... Why is this not automated? Turns out Big Sites have this issue too.
I don't mean this question critically, I mean it because I know jack squat about certs. Is there a reason not to automatically renew them? Is there great difficulty there?
emma wrote (edited)
Up until 2015 or so, you had to buy certificates from companies who made the process of renewing a cert miserable. When Let's Encrypt opened to the public, you'd typically install an ACME client on your server to handle the renewal automatically.
But as it turns out, sometimes your cron jobs break, and the sysadmin is too busy making jokes about poop to care about the expiry warning emails. This is what happened in the case of Raddle.
Also, automatic cert issuing needs to verify site ownership, and this can break too (e.g. if a cert covers many (sub)domains and one of those domains is removed).
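The practical mitigation for both failure modes emma lists is a second check that does not live in the same cron entry as the ACME renewal, so the two cannot silently break together. As an added example (not something posted in this thread), here is a small POSIX shell monitor that warns when a PEM cert on disk is within WARN_DAYS of expiry or no longer lists a DNS name you still serve; it assumes the openssl CLI (1.1.1+ for the `-addext` used by the demo), and the demo certs and the example.test names are constructed.

```shell
# Added example, not from the thread. Expiry/coverage monitor for a PEM cert,
# intended to run on its own schedule, separate from the ACME renewal job.
WARN_DAYS=${WARN_DAYS:-14}

# 0 if the cert in $1 is still valid $2 days from now, 1 if it expires sooner.
cert_valid_for_days() {
    # -checkend N exits 0 only when the cert does NOT expire within N seconds.
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# 0 if every DNS name in $2.. appears in the cert's subjectAltName, 1 otherwise.
# This catches the "multi-domain cert that quietly dropped a name" case.
cert_covers_names() {
    cert=$1; shift
    sans=$(openssl x509 -in "$cert" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' | sed 's/^ *//; s/ *$//')
    for name in "$@"; do
        printf '%s\n' "$sans" | grep -qxF "DNS:$name" || {
            echo "WARN: $cert does not cover $name" >&2; return 1; }
    done
}

# Combined check, as a cron job or alerting hook would call it.
check_cert() {
    cert=$1; shift
    cert_valid_for_days "$cert" "$WARN_DAYS" || {
        echo "WARN: $cert expires within $WARN_DAYS days" >&2; return 1; }
    cert_covers_names "$cert" "$@"
}

# --- constructed demo input: two self-signed certs, one healthy, one nearly expired ---
DEMO=$(mktemp -d)
mkcert() {  # $1 = output file, $2 = days valid, $3 = SAN list
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$DEMO/key.pem" -out "$1" \
        -days "$2" -subj "/CN=example.test" -addext "subjectAltName=$3" 2>/dev/null
}
mkcert "$DEMO/good.pem"  90 "DNS:example.test,DNS:www.example.test"
mkcert "$DEMO/stale.pem" 1  "DNS:example.test"

check_cert "$DEMO/good.pem"  example.test www.example.test && echo "good.pem: OK"
check_cert "$DEMO/stale.pem" example.test www.example.test || echo "stale.pem: needs attention"
```

In production you would point `check_cert` at the cert the web server actually loads (e.g. the live file symlink your ACME client maintains), so a renewal that succeeded but was never deployed is caught as well.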