Code Room
On-call | Hard | oc-g485
Subject: Cert expiry
Level: Senior–Staff
~35 min
Common in Reliability & on-call interviews
Industries: Technology, Software development

Question

At 02:00 UTC a growing fraction of clients start failing TLS to your public API with 'unable to get local issuer certificate' / 'certificate verify failed', yet your leaf certificate was renewed last month and openssl shows it valid for 300+ days. Curl from your bastion (which has the full chain in its trust store) succeeds, but mobile clients and some partners' strict validators fail. Dashboards: handshake-failure rate climbing from 0% to ~35% over an hour, correlated with no deploy. `openssl s_client -showcerts` from an outside host shows the server returns leaf + one intermediate; the intermediate's notAfter is *yesterday*. How do you triage and mitigate?

What a strong answer looks like

Stop the bleeding first (mitigate), then form hypotheses from real signals. Separate root cause from symptom, communicate status as you go, and close with what prevents a repeat.
