PSA: LetsEncrypt ending expiration notification emails

maggiwuerze@feddit.org

I think I'll need to add notifications for my uptime kuma as well now. So far I've used it mostly for historical data but without the mails, I would like to get a notice

doughless@lemmy.world

If Apple gets their way, you'll be renewing every month:

https://certera.com/blog/apples-proposal-to-shorten-ssl-tls-certificate-lifespans-to-45-days-by-2027/

bjoern_tantau@swg-empire.de

You're not supposed to do it manually.

kokesh@lemmy.world

My server does it automatically, but I have few services I can't make to read the certs from server storage, so I have to manually copy cert content. Especially Adguard Home for some reason refuses to read my certs.

bjoern_tantau@swg-empire.de

Have the same problem. But symlinks or copying them via cron solved it for me.

ramble81@lemm.ee

There are a lot of embedded systems that do not offer API support to swap out certificates. Things like switches, dvr, nas devices, etc.

ramble81@lemm.ee

Tell that to all the embedded device manufacturers… switches, appliances, nas, etc.

There’s a whole load of things that will have a massive administrative burden if the frequency is dropped.

verstra@programming.dev

UptimeKuma looks nice. Simple, but it does what it is supposed to.

rmuk@feddit.uk

Honestly in rare situations that a device like that needs to be accessible from the wild Internet I think it'd be mad to expose it directly, especially if it's not manageable as you suggest. At the very least, I'd be leaning on a reverse proxy.

ramble81@lemm.ee

That implies though I don’t want valid certificates in my environment. I still want to make sure even on my private network I’m using valid certs. A lot of security departments require that too even if the device isn’t public facing.

ohvenus_baby@lemmy.ml

Fuck Apple and Microshit

tofuwabohu@slrpnk.net

Have you tried to automate it?

cm0002@lemmy.world

still want to make sure even on my private network I’m using valid certs. A lot of security departments require that too even if the device isn’t public facing.

Is there a hard source with evidence that this is at all needed? Because there are a lot of things that "security departments" do that amount to security theater. Like forcing arbitrary password changes org wide.

tofuwabohu@slrpnk.net

If you're using Prometheus, Blackbox exporter checks cert expiration as well

isokiero@sopuli.xyz

Valid certificate is anything you trust. Any CA which you can trust is no more or less secure than the one you get from LE, so for the private network you can just happily sign your own certificates and just distribute the CA to your devices.

ramble81@lemm.ee

Regardless of “hard evidence” it’s still the company policy. How well does it go over if you try to say “well acktuslly…” when it comes to password changes.

mhzawadi@lemmy.horwood.cloud

I have my home assistant check and also my nagios, better safe then sorry

bjoern_tantau@swg-empire.de

Skill issue.

kokesh@lemmy.world

Fullchain.pem works. Privkey doesn't. I've tried chmod 777 (yes, I know, just testing) and still can't access the file.

cm0002@lemmy.world

How well does it go over if you try to say “well acktuslly…” when it comes to password changes.

Well, it went over easy, but I also gained the authority to implement or toss such policies when I took my job LMAO

In any case, I was referring to the "my environment" part since it implied you had such authority and were just choosing to emulate policies of others, ofc I don't mean to make decisions you don't have the authority to. Hard evidence is hard evidence though, it does give you a leg to stand on should you propose such changes