PSA: LetsEncrypt ending expiration notification emails

bjoern_tantau@swg-empire.de

Have the same problem. But symlinks or copying them via cron solved it for me.

ramble81@lemm.ee

There are a lot of embedded systems that do not offer API support to swap out certificates. Things like switches, dvr, nas devices, etc.

ramble81@lemm.ee

Tell that to all the embedded device manufacturers… switches, appliances, nas, etc.

There’s a whole load of things that will have a massive administrative burden if the frequency is dropped.

verstra@programming.dev

UptimeKuma looks nice. Simple, but it does what it is supposed to.

rmuk@feddit.uk

Honestly in rare situations that a device like that needs to be accessible from the wild Internet I think it'd be mad to expose it directly, especially if it's not manageable as you suggest. At the very least, I'd be leaning on a reverse proxy.

ramble81@lemm.ee

That implies though I don’t want valid certificates in my environment. I still want to make sure even on my private network I’m using valid certs. A lot of security departments require that too even if the device isn’t public facing.

ohvenus_baby@lemmy.ml

Fuck Apple and Microshit

tofuwabohu@slrpnk.net

Have you tried to automate it?

cm0002@lemmy.world

still want to make sure even on my private network I’m using valid certs. A lot of security departments require that too even if the device isn’t public facing.

Is there a hard source with evidence that this is at all needed? Because there are a lot of things that "security departments" do that amount to security theater. Like forcing arbitrary password changes org wide.

tofuwabohu@slrpnk.net

If you're using Prometheus, Blackbox exporter checks cert expiration as well

isokiero@sopuli.xyz

Valid certificate is anything you trust. Any CA which you can trust is no more or less secure than the one you get from LE, so for the private network you can just happily sign your own certificates and just distribute the CA to your devices.

ramble81@lemm.ee

Regardless of “hard evidence” it’s still the company policy. How well does it go over if you try to say “well acktuslly…” when it comes to password changes.

mhzawadi@lemmy.horwood.cloud

I have my home assistant check and also my nagios, better safe then sorry

bjoern_tantau@swg-empire.de

Skill issue.

kokesh@lemmy.world

Fullchain.pem works. Privkey doesn't. I've tried chmod 777 (yes, I know, just testing) and still can't access the file.

cm0002@lemmy.world

How well does it go over if you try to say “well acktuslly…” when it comes to password changes.

Well, it went over easy, but I also gained the authority to implement or toss such policies when I took my job LMAO

In any case, I was referring to the "my environment" part since it implied you had such authority and were just choosing to emulate policies of others, ofc I don't mean to make decisions you don't have the authority to. Hard evidence is hard evidence though, it does give you a leg to stand on should you propose such changes

kokesh@lemmy.world

Yes!
yes | cp -Lrf /etc/letsencrypt/live/..domain.../*.pem /var/snap/adguard-home/current

argon@lemmy.today

Providing expiration notifications costs Let’s Encrypt tens of thousands of dollars per year

Not doubting them, but I don't understand how that's possible.

Storing the email addresses and expiration dates takes an irrelevant amount of storage space, even if they had billions of cutomers.

Sending the emails should also not cost thousands, even if a significant amount of customers regularly let their certificates expire (which hopefull isn't the case).

So where are the tens of thousands of yearly costs coming from?

byteonbikes@slrpnk.net

I just realized I have no idea who pays for Let's Encrypt. I just run the server commands, automate it, and move on.

luci@lemmy.ca

Transactional email services are about $15 per 10,000 emails. I'll round down to $10 to consider b2b deals and let's just say it's $10,000 per year. That would be like idk 84k emails a month.

Keep in mind this doesn't consider the DB hosting and the processing of expiring emails and salaries, so yeah, I could see it.