this post was submitted on 16 Oct 2024
116 points (93.3% liked)

Technology

58702 readers
4099 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago
MODERATORS
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
116
Sysadmins slam Apple’s SSL/TLS cert lifespan cuts (www.theregister.com)
submitted 16 hours ago by [email protected] to c/[email protected]
44 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 53 points 16 hours ago (2 children)

I'm sorry, but has no-one heard of https://letsencrypt.org that issues certificates via API for free?

I would not be surprised if certificates at some point will be issued for each session.

[–] [email protected] 6 points 5 hours ago (1 children)

It's not the issuance that's the headache, it's the installation. There are more things that need valid certs than just webservers

[–] [email protected] 1 points 5 hours ago (1 children)

Certbot is basically automatic, think mines on a cronjob now.

Who actually does this shit manually?

[–] [email protected] 9 points 4 hours ago

Any number of numerous appliances and hideously malformed business systems that don't have ways to automate cert changes.

Not everyone gets to work in their simple little world of standards-following lab servers.

[–] [email protected] 59 points 15 hours ago (2 children)

I'm sorry, but have you ever needed to manage some certificates for a legacy system or something that isn't just a simple public facing webserver?

Automation becomes complicated very quickly. And you don't want to give DNS mutation access to all those systems to renew with DNS-01.

[–] [email protected] 35 points 12 hours ago (1 children)

Ahh yes the: we can't have self signed certificates for security reasons but also can't open up the environment to the web, and we dont have our own CA server, trifecta.

Solution: awkward, manual, certificate import process from a 3rd party vendor.

[–] [email protected] 15 points 12 hours ago (1 children)

Even if you have an internal CA, few appliances support this kind of automation. At best, they have an API, and you get to write that automation yourself for each appliance.

[–] [email protected] 6 points 9 hours ago

Knew a place where, for some devices, it was only available via a web interface. It was automated via WebDriver by a sysadmin that was losing his mind.

[–] [email protected] 15 points 14 hours ago (1 children)

You can delegate to isolated nameservers with DNS-01, there's no need to have control over the primary zone: https://www.eff.org/deeplinks/2018/02/technical-deep-dive-securing-automation-acme-dns-challenge-validation

[–] [email protected] 14 points 14 hours ago (1 children)

Yes, and that is where we enter the complicated territories..

[–] [email protected] -1 points 12 hours ago (1 children)

How complicated is it to have a CNAME? /s

[–] [email protected] 6 points 4 hours ago

If you think it's just too easy but people are still discussing it, please entertain the notion that you may have oversimplified the situation in your assessment and that as assumptions become clarified you may yet soon understand a horror that apple can't quite grok.