The Dangers of SSL Certificates

Boxing Day turned into a certpocalypse for Google’s Bazel: SSL certificates on bcr.bazel.build and releases.bazel.build expired, and builds across the world faceplanted. On GitHub, Xùdōng Yáng said auto‑renew was “bricked” by new subdomains and the alerts didn’t fire—so holiday on‑call engineers scrambled through docs to fix it. The community came in hot. One camp rolled its eyes at the “SSL is uniquely dangerous” angle, arguing this was just bad monitoring and a single broken alert chain. Another camp shouted that certificates are a single point of failure and pitched overlapping “backup certs” so one expiring doesn’t nuke everything at once. Then a spicy third camp said the quiet part loud: bring back plain old HTTP as a safety net, because “HTTPS‑only does more harm than good” when the lock icon turns on you. War stories poured in—on‑call nightmares, subdomain snafus, and “set‑it‑and‑forget‑it” turning into set‑it‑and‑regret‑it. Someone even warned lifetimes could shrink to 47 days by 2029, cue the collective groan. Meme energy: “Boxing Day KO,” “the Grinch stole their certs,” and “cron job ate my holiday.” The vibe? Fix your alerts, plan for failure, and maybe stop trusting magic renewals