PSA: LetsEncrypt ending expiration notification emails
-
bjoern_tantau@swg-empire.dereplied to Guest 26 days ago last edited by
You're not supposed to do it manually.
-
kokesh@lemmy.worldreplied to Guest 26 days ago last edited by
My server does it automatically, but I have few services I can't make to read the certs from server storage, so I have to manually copy cert content. Especially Adguard Home for some reason refuses to read my certs.
-
bjoern_tantau@swg-empire.dereplied to Guest 26 days ago last edited by
Have the same problem. But symlinks or copying them via cron solved it for me.
-
ramble81@lemm.eereplied to Guest 26 days ago last edited by
There are a lot of embedded systems that do not offer API support to swap out certificates. Things like switches, dvr, nas devices, etc.
-
ramble81@lemm.eereplied to Guest 26 days ago last edited by
Tell that to all the embedded device manufacturers… switches, appliances, nas, etc.
There’s a whole load of things that will have a massive administrative burden if the frequency is dropped.
-
verstra@programming.devreplied to Guest 26 days ago last edited by
UptimeKuma looks nice. Simple, but it does what it is supposed to.
-
rmuk@feddit.ukreplied to Guest 26 days ago last edited by
Honestly in rare situations that a device like that needs to be accessible from the wild Internet I think it'd be mad to expose it directly, especially if it's not manageable as you suggest. At the very least, I'd be leaning on a reverse proxy.
-
ramble81@lemm.eereplied to Guest 26 days ago last edited by
That implies though I don’t want valid certificates in my environment. I still want to make sure even on my private network I’m using valid certs. A lot of security departments require that too even if the device isn’t public facing.
-
ohvenus_baby@lemmy.mlreplied to Guest 26 days ago last edited by
Fuck Apple and Microshit
-
tofuwabohu@slrpnk.netreplied to Guest 26 days ago last edited by
Have you tried to automate it?
-
cm0002@lemmy.worldreplied to Guest 26 days ago last edited by
still want to make sure even on my private network I’m using valid certs. A lot of security departments require that too even if the device isn’t public facing.
Is there a hard source with evidence that this is at all needed? Because there are a lot of things that "security departments" do that amount to security theater. Like forcing arbitrary password changes org wide.
-
tofuwabohu@slrpnk.netreplied to Guest 26 days ago last edited by
If you're using Prometheus, Blackbox exporter checks cert expiration as well
-
isokiero@sopuli.xyzreplied to Guest 26 days ago last edited by
Valid certificate is anything you trust. Any CA which you can trust is no more or less secure than the one you get from LE, so for the private network you can just happily sign your own certificates and just distribute the CA to your devices.
-
ramble81@lemm.eereplied to Guest 26 days ago last edited by
Regardless of “hard evidence” it’s still the company policy. How well does it go over if you try to say “well acktuslly…” when it comes to password changes.
-
mhzawadi@lemmy.horwood.cloudreplied to Guest 26 days ago last edited by
I have my home assistant check and also my nagios, better safe then sorry
-
bjoern_tantau@swg-empire.dereplied to Guest 26 days ago last edited by
Skill issue.
-
kokesh@lemmy.worldreplied to Guest 26 days ago last edited by
Fullchain.pem works. Privkey doesn't. I've tried chmod 777 (yes, I know, just testing) and still can't access the file.
-
cm0002@lemmy.worldreplied to Guest 26 days ago last edited by
How well does it go over if you try to say “well acktuslly…” when it comes to password changes.
Well, it went over easy, but I also gained the authority to implement or toss such policies when I took my job LMAO
In any case, I was referring to the "my environment" part since it implied you had such authority and were just choosing to emulate policies of others, ofc I don't mean to make decisions you don't have the authority to. Hard evidence is hard evidence though, it does give you a leg to stand on should you propose such changes
-
kokesh@lemmy.worldreplied to Guest 26 days ago last edited by
Yes!
yes | cp -Lrf /etc/letsencrypt/live/..domain.../*.pem /var/snap/adguard-home/current -
argon@lemmy.todayreplied to Guest 26 days ago last edited by
Providing expiration notifications costs Let’s Encrypt tens of thousands of dollars per year
Not doubting them, but I don't understand how that's possible.
Storing the email addresses and expiration dates takes an irrelevant amount of storage space, even if they had billions of cutomers.
Sending the emails should also not cost thousands, even if a significant amount of customers regularly let their certificates expire (which hopefull isn't the case).
So where are the tens of thousands of yearly costs coming from?
18/56