Sysadmins slam Apple's SSL/TLS cert lifespan cuts (www.theregister.com)
Posted by misk@sopuli.xyz to Technology@lemmy.world · English · 5 hours ago · 19 comments
AntitheticalA · 4 hours ago
I'm sorry, but have you ever needed to manage some certificates for a legacy system or something that isn't just a simple public facing webserver? Automation becomes complicated very quickly. And you don't want to give DNS mutation access to all those systems to renew with DNS-01.
anonymous111@lemmy.world · 37 minutes ago
Ahh yes, the "we can't have self-signed certificates for security reasons, but also can't open up the environment to the web, and we don't have our own CA server" trifecta. Solution: awkward, manual certificate import process from a 3rd party vendor.
farcaller@fstab.sh · 3 hours ago
You can delegate to isolated nameservers with DNS-01, there's no need to have control over the primary zone: https://www.eff.org/deeplinks/2018/02/technical-deep-dive-securing-automation-acme-dns-challenge-validation
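The delegation pattern that comment points at, as an added example that is not part of the thread or of the EFF post: a toy in-memory model of CNAME-delegated DNS-01. The primary zone gets one permanent CNAME per hostname; each legacy host holds a credential that can only write its own label's TXT record in a separate, throwaway challenge zone, so no host ever gets write access to the real zone. The zone names (example.com, acme.example.net), the record names and the key-authorization value are constructed for the demo.

```python
import hmac
import secrets

# Constructed data: example.com stands in for the production zone that the legacy
# hosts must not be able to modify; acme.example.net is a throwaway zone whose only
# job is answering _acme-challenge TXT lookups (the acme-dns pattern).
CHALLENGE_ORIGIN = "acme.example.net."


class ChallengeZone:
    """Toy model of an isolated, challenge-only nameserver.

    Every host is issued its own label under the zone plus a secret that can write
    ONLY that label's TXT record. Nothing here can touch example.com itself.
    """

    def __init__(self, origin=CHALLENGE_ORIGIN):
        self.origin = origin
        self.secrets = {}   # label -> secret handed to exactly one host
        self.txt = {}       # fqdn  -> list of TXT values

    def register(self):
        """Issue a per-host label and secret. Returns (fqdn, secret)."""
        label = secrets.token_hex(8)
        secret = secrets.token_urlsafe(32)
        self.secrets[label] = secret
        return f"{label}.{self.origin}", secret

    def update_txt(self, fqdn, secret, value):
        """Authenticated write: a host may publish only under its own label."""
        if not fqdn.endswith("." + self.origin):
            return False
        label = fqdn[: -len(self.origin) - 1]
        expected = self.secrets.get(label)
        if expected is None or not hmac.compare_digest(expected, secret):
            return False
        # ACME may have several pending validations for one name; keep a list.
        self.txt.setdefault(fqdn, []).append(value)
        return True

    def lookup_txt(self, fqdn):
        return list(self.txt.get(fqdn, []))


class PrimaryZone:
    """The real zone. The only change made here is a one-time CNAME per hostname."""

    def __init__(self):
        self.cname = {}

    def add_cname(self, name, target):
        self.cname[name] = target


def resolve_txt(primary, challenge, name, max_hops=8):
    """What the CA's resolver does: follow CNAMEs out of the primary zone, then read TXT."""
    for _ in range(max_hops):
        if name in primary.cname:
            name = primary.cname[name]
            continue
        return challenge.lookup_txt(name)
    return []  # CNAME chain too long or looping: treat as no answer


def dns01_validates(primary, challenge, domain, key_authorization_digest):
    """True if the expected TXT value is reachable at _acme-challenge.<domain>."""
    name = f"_acme-challenge.{domain}."
    return key_authorization_digest in resolve_txt(primary, challenge, name)


def demo():
    primary = PrimaryZone()
    challenge = ChallengeZone()

    # One-time setup by whoever administers example.com: register each host in the
    # challenge zone and point its _acme-challenge name at the delegated label.
    target, host_secret = challenge.register()
    primary.add_cname("_acme-challenge.legacy-app.example.com.", target)
    other_target, other_secret = challenge.register()
    primary.add_cname("_acme-challenge.other.example.com.", other_target)

    # Renewal time on the legacy host: publish the token with its own scoped secret...
    token = "constructed-key-authorization-digest"
    ok_own = challenge.update_txt(target, host_secret, token)
    # ...but it cannot write another host's record, nor write with a wrong secret.
    ok_cross = challenge.update_txt(other_target, host_secret, token)
    ok_bad = challenge.update_txt(target, "wrong-secret", token)
    # The CA follows the CNAME and finds the token only where it was published.
    valid = dns01_validates(primary, challenge, "legacy-app.example.com", token)
    not_valid = dns01_validates(primary, challenge, "other.example.com", token)
    return ok_own, ok_cross, ok_bad, valid, not_valid


if __name__ == "__main__":
    print(demo())
```

The point of the model is the blast radius: a compromised legacy host can at most publish TXT records under its own label in the challenge zone, which is useful only for obtaining a certificate for the name that already CNAMEs to it, and can never alter A, MX or other records in example.com. acme-dns is the real implementation of this idea that the linked EFF post describes.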
AntitheticalA · 2 hours ago
Yes, and that is where we enter the complicated territories…
farcaller@fstab.sh · 36 minutes ago
How complicated is it to have a CNAME? /s