League of Legends players worldwide couldn't login for hours because Riot forgot to renew the client's SSL certificate—just like it did 10 years ago

The changing of the year can be a time of renewal and reinvigoration, but that renewal isn't always frictionless. The new year might mean wrestling with over-ambitious resolutions, the frustration of writing the previous year whenever you're dating a document, or—in the case of Riot Games—forgetting to renew the encryption certificate for your software and leaving your game unplayable for millions of players worldwide. We've all been there.

Late on Sunday, reports started emerging on Reddit and elsewhere that players were unable to login to League of Legends, with their attempts stalling out indefinitely at the game's initial loading screen. While Riot shortly said it was "looking into the issue," players quickly narrowed in on the root of the problem after checking the client's error logs: Windows was rejecting its connection attempts because of an expired SSL certificate.

SSL—short for "Secure Sockets Layer"—is a security protocol for establishing encrypted connections between a server and client. To form an SSL connection, the client and server verify each other's SSL certificates, which are issued by trusted third-party certificate authorities and must be regularly renewed. If you're reading this article, you're using SSL right now (or technically the more recent TSL, but we're working in broad strokes): Your web browser and our website have formed a secure HTTPS connection after checking each other's credentials, verifying that the data is going to the right place and helping to avoid domain spoofing and other hazards.

The League client is essentially both a web browser and web server: It uses your PC to host web elements that it then requests for display in the client. But bafflingly, as players have deduced, it attempts to form a secure HTTPS connection for that traffic even though it's all happening on one machine. While it's an odd choice, it functioned without issue thanks to the application's hard-coded SSL certificate—until yesterday.

While traditionally issued SSL certificates are often renewed automatically by the issuing authority, the League client's hard-coded certificate meant someone at Riot would've needed to remember it required updating before its expiration date. While Riot hasn't confirmed that the neglected certificate renewal was the culprit, the signs seem pretty clear—particularly because players could solve their login issues if they set their system clock back to before the certificate's expiration.

What's delightful about this whole mishap is that Riot had the same problem 10 years ago: When players started receiving SSL certificate expiration popups on New Year's Day in 2016, Riot confirmed on Reddit that its "cert expired for the new year when it should have auto-renewed." If anyone set a reminder to stay on top of the cert renewal the next time around, those proverbial post-it notes were probably lost in the shuffle during a client update later that year.

TOPICS

Lincoln has been writing about games for 11 years—unless you include the essays about procedural storytelling in Dwarf Fortress he convinced his college professors to accept. Leveraging the brainworms from a youth spent in World of Warcraft to write for sites like Waypoint, Polygon, and Fanbyte, Lincoln spent three years freelancing for PC Gamer before joining on as a full-time News Writer in 2024, bringing an expertise in Caves of Qud bird diplomacy, getting sons killed in Crusader Kings, and hitting dinosaurs with hammers in Monster Hunter.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.