I remember running into this at a past employer where TLS certs were core to the business. It happened on a New Year’s Day, and I spent a lot of that holiday trying to fix it.
The core problem is people mostly only think about roots and leaves; it’s not until you get bit by this that it starts to become institutional memory.
The problem is intermediates are often signed for ~3 years - just long enough for a lot of the engineers who set them up to have left or to be mostly forgotten because they just work. Three years comes faster than you think...
Librem Social is an opt-in public network. Messages are shared under Creative Commons BY-SA 4.0 license terms.