23 comments

[ 2.5 ms ] story [ 62.3 ms ] thread
[flagged]
(comment deleted)
Ah this would explain why I cant get on heathrow.com on wifi but can on mobile. Looks like some sort of distribution issue (dns still resolving fine).

It's been like it since around 11am (UK Time, its now 2:53pm)

My corporate SSO isn't working, so guess it's time to go sit in the sunshine.
The number of single points of failure businesses have astounds me.
Anybody seeing any issues? "Network infrastructure" sounds pretty serious but I'm not seeing any issues?
I'm unable to access portal.azure.com, so I guess that's part of it :)
We've been essentially fully down for approx. 2 hours - since about 12:50pm UK time.

We're a UK Government department, and have been unable to serve any of our pages covered by Azure Front Door since then.

This has probably caused quite a few on-the-ground struggles for our users and caseworkers.

Another CrowdStrike update Microsoft?
Our parent company are having issues in UKSouth but we're spread across UKSouth and UKWest and not seeing any issues. Apparently Functionapps also having issues, but we're seeing nothing at the moment.
Azure portal is intermittently available for me.

> The web page at https://portal.azure.com/ might be temporarily down or it may have moved permanently to a new web address.

Can finally go outside and enjoy the nice weather here in NL
(comment deleted)
Looks like it's only services which use Azure Front Door
Unlikely. Microsoft operates their own CAs. Although some of their CAs have been cross-signed by DigiCert, Microsoft is responsible for the domain validation.
I've always seen microsoft certificates signed by digicert, who knows.
You're probably seeing the root certificate, which is operated by DigiCert.

The intermediate CAs which issue the end-entity certificates are operated by Microsoft.

Figuring out who truly issued a certificate is tricky business: https://www.agwa.name/blog/post/the_certificate_issuer_field...

This is what i see for eg for outlook.com:

root issuer: CN = DigiCert Global Root CA OU = www.digicert.com O = DigiCert Inc C = US

intermediate issuer: CN = DigiCert Global Root CA OU = www.digicert.com O = DigiCert Inc C = US

server certificate issuer: CN = DigiCert SHA2 Secure Server CA O = DigiCert Inc C = US

Interesting, that truly is issued by DigiCert.

The end-entity certificates I see for microsoft.com, azure.microsoft.com, portal.azure.com are all issued by:

C = US, O = Microsoft Corporation, CN = Microsoft Azure RSA TLS Issuing CA 0X [where X varies]

In any case, I just analyzed DigiCert's CRLs and it doesn't look like they've done many revocations yet. These are the only CT-logged certs revoked in the last 24 hours with reason code 4 (required when domain validation is done improperly):

https://gist.github.com/AGWA/2d22a1a94ef80ccdb38e3248323f434...

I don't see any Microsoft/Azure domains in that list.

Interestingly enough, accessing the Azure Portal from Firefox was OK, while Edge failed. I'm not sure what Edge's default DNS settings are, but after switching to 1.1.1.1 DoH, the portal also loaded.

That means the outage was either short-lived (doubtful, as it's not 9AM in Seattle yet, and Microsoft outages typically only start to get resolved around that time, weekdays only, mind you), or that... shockingly... it was DNS.

Another all-eggs-in-one-basket case, so soon after the last one.

Meanwhile my pi continues serving what it needs to do unabated.