PSA: LetsEncrypt ending expiration notification emails
-
You're not supposed to do it manually.
-
My server does it automatically, but I have few services I can't make to read the certs from server storage, so I have to manually copy cert content. Especially Adguard Home for some reason refuses to read my certs.
-
Have the same problem. But symlinks or copying them via cron solved it for me.
-
There are a lot of embedded systems that do not offer API support to swap out certificates. Things like switches, dvr, nas devices, etc.
-
Tell that to all the embedded device manufacturers… switches, appliances, nas, etc.
There’s a whole load of things that will have a massive administrative burden if the frequency is dropped.
-
UptimeKuma looks nice. Simple, but it does what it is supposed to.
-
Honestly in rare situations that a device like that needs to be accessible from the wild Internet I think it'd be mad to expose it directly, especially if it's not manageable as you suggest. At the very least, I'd be leaning on a reverse proxy.
-
That implies though I don’t want valid certificates in my environment. I still want to make sure even on my private network I’m using valid certs. A lot of security departments require that too even if the device isn’t public facing.
-
Fuck Apple and Microshit
-
Have you tried to automate it?
-
still want to make sure even on my private network I’m using valid certs. A lot of security departments require that too even if the device isn’t public facing.
Is there a hard source with evidence that this is at all needed? Because there are a lot of things that "security departments" do that amount to security theater. Like forcing arbitrary password changes org wide.
-
If you're using Prometheus, Blackbox exporter checks cert expiration as well
-
Valid certificate is anything you trust. Any CA which you can trust is no more or less secure than the one you get from LE, so for the private network you can just happily sign your own certificates and just distribute the CA to your devices.
-
Regardless of “hard evidence” it’s still the company policy. How well does it go over if you try to say “well acktuslly…” when it comes to password changes.
-
I have my home assistant check and also my nagios, better safe then sorry
-
Skill issue.
-
Fullchain.pem works. Privkey doesn't. I've tried chmod 777 (yes, I know, just testing) and still can't access the file.
-
How well does it go over if you try to say “well acktuslly…” when it comes to password changes.
Well, it went over easy, but I also gained the authority to implement or toss such policies when I took my job LMAO
In any case, I was referring to the "my environment" part since it implied you had such authority and were just choosing to emulate policies of others, ofc I don't mean to make decisions you don't have the authority to. Hard evidence is hard evidence though, it does give you a leg to stand on should you propose such changes
-
Yes!
yes | cp -Lrf /etc/letsencrypt/live/..domain.../*.pem /var/snap/adguard-home/current -
Providing expiration notifications costs Let’s Encrypt tens of thousands of dollars per year
Not doubting them, but I don't understand how that's possible.
Storing the email addresses and expiration dates takes an irrelevant amount of storage space, even if they had billions of cutomers.
Sending the emails should also not cost thousands, even if a significant amount of customers regularly let their certificates expire (which hopefull isn't the case).
So where are the tens of thousands of yearly costs coming from?
