PSA: LetsEncrypt ending expiration notification emails
-
[email protected]replied to [email protected] last edited by
still want to make sure even on my private network I’m using valid certs. A lot of security departments require that too even if the device isn’t public facing.
Is there a hard source with evidence that this is at all needed? Because there are a lot of things that "security departments" do that amount to security theater. Like forcing arbitrary password changes org wide.
-
[email protected]replied to [email protected] last edited by
If you're using Prometheus, Blackbox exporter checks cert expiration as well
-
[email protected]replied to [email protected] last edited by
Valid certificate is anything you trust. Any CA which you can trust is no more or less secure than the one you get from LE, so for the private network you can just happily sign your own certificates and just distribute the CA to your devices.
-
[email protected]replied to [email protected] last edited by
Regardless of “hard evidence” it’s still the company policy. How well does it go over if you try to say “well acktuslly…” when it comes to password changes.
-
[email protected]replied to [email protected] last edited by
I have my home assistant check and also my nagios, better safe then sorry
-
[email protected]replied to [email protected] last edited by
Skill issue.
-
[email protected]replied to [email protected] last edited by
Fullchain.pem works. Privkey doesn't. I've tried chmod 777 (yes, I know, just testing) and still can't access the file.
-
[email protected]replied to [email protected] last edited by
How well does it go over if you try to say “well acktuslly…” when it comes to password changes.
Well, it went over easy, but I also gained the authority to implement or toss such policies when I took my job LMAO
In any case, I was referring to the "my environment" part since it implied you had such authority and were just choosing to emulate policies of others, ofc I don't mean to make decisions you don't have the authority to. Hard evidence is hard evidence though, it does give you a leg to stand on should you propose such changes
-
[email protected]replied to [email protected] last edited by
Yes!
yes | cp -Lrf /etc/letsencrypt/live/..domain.../*.pem /var/snap/adguard-home/current -
[email protected]replied to [email protected] last edited by
Providing expiration notifications costs Let’s Encrypt tens of thousands of dollars per year
Not doubting them, but I don't understand how that's possible.
Storing the email addresses and expiration dates takes an irrelevant amount of storage space, even if they had billions of cutomers.
Sending the emails should also not cost thousands, even if a significant amount of customers regularly let their certificates expire (which hopefull isn't the case).
So where are the tens of thousands of yearly costs coming from?
-
[email protected]replied to [email protected] last edited by
I just realized I have no idea who pays for Let's Encrypt. I just run the server commands, automate it, and move on.
-
[email protected]replied to [email protected] last edited by
Transactional email services are about $15 per 10,000 emails. I'll round down to $10 to consider b2b deals and let's just say it's $10,000 per year. That would be like idk 84k emails a month.
Keep in mind this doesn't consider the DB hosting and the processing of expiring emails and salaries, so yeah, I could see it.
-
[email protected]replied to [email protected] last edited by
If they send 2 emails per subdomain per year, that could easily be 10s of millions which would make the cost per email measured in thousandths of a cent. And I could see the number of subdomains being larger by a factor of 10, maybe more.
Another angle: someone with IT experience needs to manage the system that seems emails, and other engineers need to integrate other systems with the email reminder system. The time spent on engineering could easily add up to thousands per year, if not tens of thousands.
I'm guessing their figure is based on both running costs and engineering costs.
-
[email protected]replied to [email protected] last edited by
As with all things email, they probably really wanted to make sure that the mails were delivered and thus were using a commercial MTA to ensure that.
I'd wager, even at 20 or 30 or 40k a year, that's way less than it'd cost to host infra and have at least two if not three engineers available 24/7 to maintain critical infra.
Looking at my mail, over the years I've gotten a couple hundred email from them around certificates and expirations (and other things), and if you assume there's a couple million sites using these certs, I could easily see how you'd end up in a situation where this could scale in cost very very slowly, until it's suddenly a major drain.
-
[email protected]replied to [email protected] last edited by
I'm with you, but that's why I'm automating certificate expiry checking somewhere else (in my home assistant install to be exact).
-
[email protected]replied to [email protected] last edited by
But then you have to distribute CAs to all the devices that will reach this service, and not all devices allow that.
-
[email protected]replied to [email protected] last edited by
According to (their stats page)[https://letsencrypt.org/stats/], Let's Encrypt's certificates are used by around 500M domains.
-
[email protected]replied to [email protected] last edited by
Let's Encrypt is run by a non-profit (Internet Security Research Group), they list their major sponsors and funders on their website.
-
[email protected]replied to [email protected] last edited by
Notable mention of Mozilla being a Platinum sponsor.
-
[email protected]replied to [email protected] last edited by
Just needs an API and an export/import feature.
