The changing of the year can be a time of renewal and reinvigoration, but that renewal isn't always frictionless. The new year might mean wrestling with over-ambitious resolutions, the frustration of writing the previous year whenever you're dating a document, or—in the case of Riot Games—forgetting to renew the encryption certificate for your software and leaving your game unplayable for millions of players worldwide. We've all been there.
Late on Sunday, reports started emerging on Reddit and elsewhere that players were unable to login to League of Legends, with their attempts stalling out indefinitely at the game's initial loading screen. While Riot shortly said it was "looking into the issue," players quickly narrowed in on the root of the problem after checking the client's error logs: Windows was rejecting its connection attempts because of an expired SSL certificate.
SSL—short for "Secure Sockets Layer"—is a security protocol for establishing encrypted connections between a server and client. To form an SSL connection, the client and server verify each other's SSL certificates, which are issued by trusted third-party certificate authorities and must be regularly renewed. If you're reading this article, you're using SSL right now (or technically the more recent TSL, but we're working in broad strokes): Your web browser and our website have formed a secure HTTPS connection after checking each other's credentials, verifying that the data is going to the right place and helping to avoid domain spoofing and other hazards.
The League client is essentially both a web browser and web server: It uses your PC to host web elements that it then requests for display in the client. But bafflingly, as players have deduced, it attempts to form a secure HTTPS connection for that traffic even though it's all happening on one machine. While it's an odd choice, it functioned without issue thanks to the application's hard-coded SSL certificate—until yesterday.
While traditionally issued SSL certificates are often renewed automatically by the issuing authority, the League client's hard-coded certificate meant someone at Riot would've needed to remember it required updating before its expiration date. While Riot hasn't confirmed that the neglected certificate renewal was the culprit, the signs seem pretty clear—particularly because players could solve their login issues if they set their system clock back to before the certificate's expiration.
What's delightful about this whole mishap is that Riot had the same problem 10 years ago: When players started receiving SSL certificate expiration popups on New Year's Day in 2016, Riot confirmed on Reddit that its "cert expired for the new year when it should have auto-renewed." If anyone set a reminder to stay on top of the cert renewal the next time around, those proverbial post-it notes were probably lost in the shuffle during a client update later that year.
Riot has since issued a client update to address the login difficulties, which evidently entailed setting the SSL certificate's expiration date to 2125. If we run into the same problem then, I'll do my best to report back.
