this post was submitted on 17 Apr 2025
200 points (98.1% liked)

[–] [email protected] 33 points 4 days ago (2 children)

If you're truly unaware of why TLS is necessary or how to automate the process then you should probably retire.

Archaic attitudes like yours are precisely why these restrictions are necessary.

[–] [email protected] 8 points 4 days ago (3 children)

Exactly. Setting up Let's Encrypt is really easy, and once it's set up, you don't have to think about it.

I did it for self-hosted stuff, and it's trivial. You can even do DNS challenge auth instead of HTTP and you don't need to have port 80 open at all, but you do need a login token for your DNS host for the script.

The first one will probably take an hour or two if it's your first time, and after that, it's maybe 5 min per site.

[–] [email protected] 5 points 4 days ago (1 children)

> Exactly. Setting up Let's Encrypt is really easy, and once it's set up, you don't have to think about it.

That’s what I thought. And now I need to figure out how to update it for 47 day cycles.

[–] [email protected] 7 points 4 days ago

I have mine check daily, which is the default and is recommended. It only actually updates when it's close to renewal, so I never need to care how short the renewal period is.
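The behaviour described in the comment above (a check that runs every day but only acts near expiry), as an added example that is not part of the thread or any commenter's setup. It assumes a policy of renewing once one third of the certificate's lifetime remains; the hostnames and dates are constructed sample data.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample data in the shape ssl.SSLSocket.getpeercert() returns.
INVENTORY = {
    "ninety-day.example": {"notBefore": "Apr  1 00:00:00 2025 GMT",
                           "notAfter": "Jun 30 00:00:00 2025 GMT"},
    "forty-seven-day.example": {"notBefore": "Apr  1 00:00:00 2025 GMT",
                                "notAfter": "May 18 00:00:00 2025 GMT"},
}

def fetch_cert(host, port=443, timeout=5):
    """Fetch a live server's validated certificate (not used on the sample data)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def _utc(cert_time):
    """Parse an OpenSSL-style 'Mon DD HH:MM:SS YYYY GMT' string as aware UTC."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), tz=timezone.utc)

def status(cert, now, fraction=1/3):
    """Classify one certificate; `fraction` is an assumed policy value."""
    not_before, not_after = _utc(cert["notBefore"]), _utc(cert["notAfter"])
    if now < not_before:
        return "not-yet-valid"
    if now >= not_after:
        return "expired"
    # The threshold scales with lifetime: 30 days for a 90-day cert,
    # about 15.7 days for a 47-day one, so no schedule change is needed.
    if not_after - now <= (not_after - not_before) * fraction:
        return "renew"
    return "ok"

def daily_check(inventory, now=None, fraction=1/3):
    """Run once a day; returns {name: status} for every certificate."""
    now = now or datetime.now(timezone.utc)
    return {name: status(cert, now, fraction) for name, cert in inventory.items()}

if __name__ == "__main__":
    for day in ("2025-04-20", "2025-05-03", "2025-05-19", "2025-06-01"):
        now = datetime.fromisoformat(day).replace(tzinfo=timezone.utc)
        print(day, daily_check(INVENTORY, now))
```

An "expired" result on a host that is supposed to renew automatically is the case worth alerting on, since it means the daily job has been failing silently.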

[–] [email protected] 3 points 4 days ago (3 children)

Not all DNS hosts support that. Webnames.ca, looking at you...

Also my workplace hosts their own DNS and I think it will be a cold day in hell before they let me do automated updates.

[–] [email protected] 6 points 4 days ago

Any DNS host that doesn't support automation either starts building now or goes out of business when short certs are implemented.

[–] [email protected] 2 points 4 days ago

Sure, but it's really nice if it does.

I use Cloudflare, and my login token only supports editing DNS records, which is nice. If yours doesn't, it may be worth switching to one that does. There are lots of options and many of them have a reasonable API.

[–] [email protected] 1 points 4 days ago

> Also my workplace hosts their own DNS

The best way to control the data.

> and I think it will be a cold day in hell before they let me do automated updates.

This is of waning value, but don't jump into half-assed automation early or you end up with problems like route53 hijacking.

[–] [email protected] 0 points 4 days ago (2 children)

Even that's more steps than necessary.

Just serve your website with Caddy and it handles certs for you. The config is absolutely trivial compared to Apache, nginx, etc.

[–] [email protected] 1 points 4 days ago

> Just

Red flag.

> serve your website with Caddy

There is no security risk so bad that it can't be made worse by layering on new tech with its own issues and pitfalls. (Paraphrasing Bruce Jackson)

[–] [email protected] 1 points 4 days ago

I use Caddy, but there are a lot of options with decent documentation.

[–] [email protected] 3 points 4 days ago

> If you’re truly unaware of why TLS is necessary or how to automate the process then you should probably retire.

Oof. You're gonna hit the bottom of the table with your knee like that.

What part of your security training skipped over understanding the customer's setup before making recommendations?