Expired SSL Certificate Took Down Google Bazel for 13 Hours

An expired SSL certificate caused a 13-hour Google Bazel outage in December 2025. With 200-day certs starting March 15, 2026, here's why this matters to you.

On December 26, 2025, thousands of developers worldwide woke up to broken builds. Google’s Bazel build system — one of the most widely used build tools in software engineering — had gone dark. The culprit? An SSL certificate that had quietly expired at 07:35 UTC, taking down critical infrastructure for over 13 hours on one of the worst possible days: the middle of the holiday season.

The timing could hardly be more instructive. In just a few days — on March 15, 2026 — the entire industry shifts to a new maximum certificate lifetime of 200 days, cutting the current limit of 398 days nearly in half. With renewals becoming twice as frequent, the odds of a Bazel-style incident go up for everyone who isn’t paying attention.

What Happened to Bazel

The outage hit three critical *.bazel.build domains simultaneously: the releases subdomain, the Bazel Central Registry, and the source mirrors. Together, these serve almost every Bazel build in existence. When they went down, the majority of CI/CD pipelines that didn’t have locally cached binaries simply stopped working.

The post-mortem published by the Bazel team in January 2026 tells a familiar story. Around November 26, the automatic renewal process had started failing — but no alerts fired. The reason? A staging DNS record had been removed a month earlier, and that silent infrastructure change caused the renewal process to fail repeatedly without notifying anyone. On December 26, the certificate expired on schedule, with no one aware that it was about to.

The outage lasted until 20:31 UTC — roughly 13 hours — because key team members were on holiday leave, and even once the investigation started, GCP’s certificate provisioning process can take up to 45 minutes with confusing intermediate states that make it hard to know if things are progressing.

A Systemic Problem, Not a Fluke

It would be easy to dismiss this as a one-off Google mistake, but the Bazel incident is representative of how most certificate outages unfold:

  • Auto-renewal breaks silently: Automation is great until it isn’t. A single environmental change — a DNS record removal, a firewall rule, a lapsed API credential — can cause renewal to fail without any notification.
  • No monitoring on the monitoring: Teams set up automated renewal and assume it’s handled, but rarely monitor whether the renewal process itself is healthy.
  • Bad timing compounds the damage: Outages that happen during nights, weekends, or holidays take far longer to resolve. The Bazel team would have had the fix deployed in an hour on a Tuesday afternoon.
  • Dependencies are invisible: Bazel users had no idea their builds depended on a specific SSL certificate’s validity. When it expired, they had no fallback.

Previous high-profile victims of the same failure mode include Microsoft Teams (three-hour outage in February 2020), Starlink (multi-hour downtime), and a Spotify/Windows 11 integration breakage. The pattern is always the same: someone assumed the certificate was handled, and it wasn’t.

Why the 200-Day Deadline Makes This Urgent

Starting March 15, 2026, the CA/Browser Forum’s Ballot SC-081v3 takes effect. New certificates can be issued for a maximum of 200 days — down from 398. That means:

  • Annual renewals become semi-annual at best. If you used to renew once a year, you now renew twice. If you had a comfortable buffer of weeks, that buffer shrinks.
  • More frequent renewals mean more opportunities for things to go wrong. Every renewal is a chance for the automation to fail, for a DNS change to break the validation, for someone to miss a notification.
  • And this is just the first step. The timeline continues: 100-day certificates arrive on March 15, 2027, and by March 15, 2029, the maximum is 47 days. At that point, organizations without robust automation will be renewing certificates roughly every month and a half.

What the Bazel Team Changed — And What You Should Too

The Bazel postmortem is worth reading in full, but the core fixes apply to any organization managing certificates:

  • Monitor the renewal process, not just the certificate. They added a GitHub Actions workflow that checks certificate expiry and files issues proactively. You need visibility into whether renewal is succeeding, not just whether the certificate is still valid.
  • Set up alerts with meaningful lead time. Knowing a certificate expires tomorrow is not enough. You want to know 30, 60, and 90 days out — especially as lifetimes shrink.
  • Document your certificate infrastructure. The Bazel team discovered that critical knowledge about their setup existed only in the heads of a few engineers. When those engineers were on holiday, the team had to reconstruct the picture under pressure.
  • Test your fallback paths. Bazel users could have mitigated the outage by pre-populating local download caches. Most didn’t, because they didn’t know they needed to.
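
One way to turn "monitor the renewal process, not just the certificate" into a check, as an added example (not the Bazel team's workflow): a certificate that is still valid but should already have been replaced is treated as evidence that renewal is failing. The function names, the one-third renewal window, the three-day grace period, and the 90-day lifetime in the sample are assumptions; only the expiry time comes from the incident described above.

```python
import socket
import ssl
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

def renewal_status(not_before, not_after, now, renew_fraction=1/3,
                   grace=timedelta(days=3)):
    """Classify a certificate by whether renewal should already have replaced it.

    Assumption (not from the post-mortem): automation renews once
    `renew_fraction` of the lifetime remains, so the window shrinks with
    200-, 100- and 47-day certificates instead of being a fixed day count.
    """
    remaining = not_after - now
    renew_window = (not_after - not_before) * renew_fraction
    if remaining <= timedelta(0):
        return "EXPIRED"
    if remaining < renew_window - grace:
        return "RENEWAL_OVERDUE"  # old certificate still served: renewal is failing
    if remaining < renew_window:
        return "RENEWAL_DUE"      # inside the window, automation may still succeed
    return "OK"

def overdue_from(not_before, not_after, renew_fraction=1/3, grace=timedelta(days=3)):
    """Moment after which renewal_status() reports RENEWAL_OVERDUE."""
    return not_after - ((not_after - not_before) * renew_fraction - grace)

def fetch_validity(host, port=443, timeout=10):
    """Read notBefore/notAfter from the certificate a live endpoint serves."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    def parse(field):
        return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert[field]), tz=UTC)
    return parse("notBefore"), parse("notAfter")

if __name__ == "__main__":
    # Constructed sample: the expiry time is the one quoted above; the 90-day
    # lifetime (and so notBefore) is an assumption for illustration.
    not_after = datetime(2025, 12, 26, 7, 35, tzinfo=UTC)
    not_before = not_after - timedelta(days=90)
    for day in ("2025-11-20", "2025-11-27", "2025-12-01", "2025-12-26"):
        now = datetime.fromisoformat(day + "T12:00:00+00:00")
        print(day, renewal_status(not_before, not_after, now))
    print("overdue alert fires from", overdue_from(not_before, not_after))
```

Under these assumptions the overdue alert fires 27 days before expiry. A scheduled job would pass the result of fetch_validity() for each monitored hostname to renewal_status() and page on anything other than OK or RENEWAL_DUE.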

Staying Ahead of the Curve

The Bazel outage is a preview of what many organizations will experience as certificate lifetimes shrink. The good news is that the solution is straightforward: visibility and automation.

For teams that want to stop relying on memory and manual processes to track when certificates expire, SSLcalendar.com provides calendar-based expiration reminders that integrate directly into your existing workflow. Add your certificates once, and you’ll receive timely alerts before renewals become emergencies — the kind of early warning system the Bazel team didn’t have on December 26.

For organizations that need deeper insight — scanning for misconfigurations, checking certificate chains, or auditing TLS health across dozens of domains — SSLboard.com provides comprehensive certificate surveying and vulnerability detection.

The 200-day era starts in three days. The Bazel incident is a useful reminder that certificate management is infrastructure, and infrastructure deserves the same monitoring discipline as everything else.

Sources: Bazel SSL Certificate Expiry Postmortem, Google Bazel Outage coverage via WebProNews, SSL.com — The 200-Day Certificate Deadline, CA/Browser Forum Ballot SC-081v3.

Photo by Laura Ockel on Unsplash