• 1. Cache duration (default) is longer than certificate length for Let’s Encrypt certificates
    2. Plugin caches content and this somehow includes the SSL certificate
    3. Plugin does not check if the certificate is expired or automatically rebuild the cache when a new certificate is generated
    4. Plugin adjusts server settings to force https using HSTS
    5. Certificate expires
    6. No way to get in to WordPress or view the website at all

    This is a catastrophic failure that is 100% avoidable and 100% unacceptable. One day of my life has been lost to troubleshooting this incredibly annoying bug.

    Do not recommend.
    0/10.

    • This topic was modified 1 year, 7 months ago by wordcrunch.
Viewing 1 replies (of 1 total)
  • Plugin Contributor Marko Vasiljevic

    (@vmarko)

    Hello @wordcrunch

    Thank you for your review.
    I took some time to try and replicate this, however, I was not able to experience the problem.
    To answer your points:
    1. W3 Total Cache cache duration is not relevant to the Let’s Encrypt certificate duration
    2. W3 Total Cache does not cache the SSL certificate; it does not have the ability to do this
    3. See #2
    4. W3 Total Cache does not force anything. There is a Security Headers section in Performance > Browser Cache > Security headers, in which you can enable HTTP Strict Transport Security policy and set the Directive. This is NOT enabled by default and you can disable it at any time if you have enabled it previously.
    5 and 6. As per the FAQ page of Let’s Encrypt, once the cert is renewed, the resulting authorization is cached for your account to use again later. Cached authorizations last for 30 days from the time of validation. If the certificate you requested has all of the necessary authorizations cached then validation will not happen again until the relevant cached authorizations expire.

    Thanks!

  • The topic ‘Will cache expired SSL certificates and break your site with HSTS’ is closed to new replies.
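
A monitoring check for the combination this thread argues about (an HSTS header being served while the certificate nears or passes expiry), added here as an example; it is not code from W3 Total Cache or from either poster. The status labels, the 14-day threshold and the sample header and dates are assumptions constructed for illustration.

```python
import ssl

# Constructed "current time" for the sample run; a real check would use time.time().
SAMPLE_NOW = ssl.cert_time_to_seconds("Jun  1 00:00:00 2024 GMT")


def parse_hsts(header_value):
    """Split a Strict-Transport-Security value into a lower-cased directive dict."""
    directives = {}
    for part in header_value.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = value.strip().strip('"')
    return directives


def hsts_max_age(header_value):
    """Return max-age in seconds; 0 means HSTS is absent, switched off or malformed."""
    if not header_value:
        return 0
    raw = parse_hsts(header_value).get("max-age", "")
    return int(raw) if raw.isdigit() else 0


def lockout_risk(hsts_header, cert_not_after, now, warn_days=14):
    """Classify the outage risk from certificate expiry (labels are hypothetical).

    cert_not_after is the notAfter string as returned by ssl getpeercert().
    Under HSTS a browser gives the user no way to click through a certificate
    error, so expiry means a hard outage instead of a dismissible warning.
    """
    enforced = hsts_max_age(hsts_header) > 0
    remaining = ssl.cert_time_to_seconds(cert_not_after) - now
    if remaining <= 0:
        return "LOCKED_OUT" if enforced else "EXPIRED_WARNING"
    if remaining <= warn_days * 86400:
        return "RENEW_NOW" if enforced else "RENEW_SOON"
    return "OK"


if __name__ == "__main__":
    # Constructed sample: HSTS set for one year, certificate expired two days ago.
    header = "max-age=31536000; includeSubDomains"
    print(lockout_risk(header, "May 30 00:00:00 2024 GMT", SAMPLE_NOW))
```

In a live check the header would come from the site's HTTPS response and the notAfter string from the certificate the server presents.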