AddTrust External CA Root Expiration
Incident Report for LogDNA Status Page
Resolved
This incident has been resolved.
Posted Jun 02, 2020 - 23:34 UTC
Update
We are continuing to monitor the implemented fix for any further issues.
Posted Jun 02, 2020 - 11:03 UTC
Update
We are still continuing to monitor for any further issues.
Posted Jun 02, 2020 - 02:24 UTC
Update
Syslog Users:
Our Syslog system was affected. We have updated the root cert file on our CDN, and as noted below, customers can now find the updated cert in our CDN.

Syslog Instructions:
This works now for customers on a recent version of Syslog. Customers with a recent ld-root-ca.crt (downloaded from https://assets.logdna.com/rootca/ld-root-ca.crt) will resume automatically. Customers who have an older version of that root CA file will need to follow instructions on our syslog page from http://app.logdna.com/pages/add-source to update their ld-root-ca.crt and restart rsyslog (or whatever Syslog client they’re using).
Posted Jun 01, 2020 - 23:01 UTC
Monitoring
The certificate chain for our systems relied on the AddTrust External CA Root. That root certificate expired on May 30, 2020, which caused a certificate expiry error that broke the TLS handshake between customers and our systems. This is a wide-ranging incident that has affected multiple companies. We have implemented a fix and we are currently monitoring the fix at this time.
Posted Jun 01, 2020 - 21:38 UTC
Update
We are continuing to work on a fix for this issue. The underlying problem is from https://thesslonline.com/blog/sectigo-addtrust-external-ca-root-expiring-may-30-2020. One root CA of our certificate for app.logdna.com where the ingestion of logs takes place has expired. Once the ca-certificates system package is updated to the latest version a valid root CA should be available that covers our certificate.
Posted Jun 01, 2020 - 15:44 UTC
Update
The underlying problem is from https://thesslonline.com/blog/sectigo-addtrust-external-ca-root-expiring-may-30-2020. One root CA of our certificate for app.logdna.com where the ingestion of logs takes place has expired. Once the ca-certificates system package is updated to the latest version a valid root CA should be available that covers our certificate.
Posted May 30, 2020 - 19:15 UTC
Identified
We have rolled out a new agent 1.6.3 release build with the new CA certs: https://github.com/logdna/logdna-agent/releases/tag/1.6.3

Customers running Debian & Ubuntu 16.04+ can use this version to fix the connection issue. This Debian package is a hotfix to release a new version of the docker image to enable ingestion for all our Kubernetes users. Other fixes will follow for Ubuntu 14.04 and the rest of the native clients.

For customers running Ubuntu 16.04 API, please run the following:
rm /usr/share/ca-certificates/mozilla/AddTrust_External_Root.crt
update-ca-certificates

If your Kubernetes ingestion on logdna/logdna-agent:latest (our v1 ingestion client) is having this connection issue, please delete all the pods and things should start working again. We have pushed a new version of this docker image to docker hub.
Posted May 30, 2020 - 19:13 UTC
Investigating
We are currently investigating an issue caused by the Expired AddTrust External CA Root. This potentially affects ingestion from certain users using Linux agent (v1), Mac agent, and Syslog TCP+TLS with outdated Roots.
Posted May 30, 2020 - 13:30 UTC
This incident affected: Log Ingestion (Agent/REST API/Code Libraries), Log Ingestion (Heroku), and Log Ingestion (Syslog).