PSA: Let's Encrypt ending expiration notification emails
-
I think it's a good idea, everyone should be automating this anyway.
-
[email protected] replied to [email protected]
I did set up UptimeKuma for notifications on this. Let's see if it works out when the expiry arrives in a month.
-
[email protected] replied to [email protected]
I just wish I wouldn't have to renew certs so often.
-
[email protected] replied to [email protected]
> I think it's a good idea, everyone should be automating this anyway.
This is still not possible in all scenarios. For example, wildcard certificates for DNS providers with no API support.
-
[email protected] replied to [email protected]
Then swap your nameservers to a DNS provider that allows that?
-
[email protected] replied to [email protected]
Mine just auto-renews anyway.
-
[email protected] replied to [email protected]
I think I'll need to add notifications for my Uptime Kuma as well now. So far I've used it mostly for historical data, but without the mails, I would like to get a notice.
-
[email protected] replied to [email protected]
If Apple gets their way, you'll be renewing every month:
-
[email protected] replied to [email protected]
You're not supposed to do it manually.
-
[email protected] replied to [email protected]
My server does it automatically, but I have a few services I can't get to read the certs from server storage, so I have to manually copy the cert content. AdGuard Home especially, for some reason, refuses to read my certs.
-
[email protected] replied to [email protected]
Have the same problem. But symlinks or copying them via cron solved it for me.
-
[email protected] replied to [email protected]
There are a lot of embedded systems that do not offer API support to swap out certificates. Things like switches, DVRs, NAS devices, etc.
-
[email protected] replied to [email protected]
Tell that to all the embedded device manufacturers… switches, appliances, NAS, etc.
There’s a whole load of things that will have a massive administrative burden if the frequency is dropped.
-
[email protected] replied to [email protected]
UptimeKuma looks nice. Simple, but it does what it is supposed to.
-
[email protected] replied to [email protected]
Honestly, in the rare situations where a device like that needs to be accessible from the wild Internet, I think it'd be mad to expose it directly, especially if it's not manageable as you suggest. At the very least, I'd be leaning on a reverse proxy.
-
[email protected] replied to [email protected]
That implies, though, that I don’t want valid certificates in my environment. I still want to make sure even on my private network I’m using valid certs. A lot of security departments require that too, even if the device isn’t public facing.
-
[email protected] replied to [email protected]
Fuck Apple and Microshit
-
[email protected] replied to [email protected]
Have you tried to automate it?
-
[email protected] replied to [email protected]
> still want to make sure even on my private network I’m using valid certs. A lot of security departments require that too even if the device isn’t public facing.
Is there a hard source with evidence that this is at all needed? Because there are a lot of things that "security departments" do that amount to security theater. Like forcing arbitrary password changes org wide.
-
[email protected] replied to [email protected]
If you're using Prometheus, Blackbox exporter checks cert expiration as well.