this post was submitted on 16 Oct 2024
211 points (100.0% liked)

Technology

68348 readers
5420 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots


founded 2 years ago
MODERATORS
top 50 comments
sorted by: hot top controversial new old
[–] [email protected] 83 points 5 months ago (6 children)

I'm sorry, but has no-one heard of https://letsencrypt.org that issues certificates via API for free?

I would not be surprised if certificates at some point will be issued for each session.

[–] [email protected] 76 points 5 months ago (2 children)

I'm sorry, but have you ever needed to manage some certificates for a legacy system or something that isn't just a simple public facing webserver?

Automation becomes complicated very quickly. And you don't want to give DNS mutation access to all those systems to renew with DNS-01.

[–] [email protected] 52 points 5 months ago (1 children)

Ahh yes, the "we can't have self-signed certificates for security reasons, but also can't open up the environment to the web, and we don't have our own CA server" trifecta.

Solution: awkward, manual, certificate import process from a 3rd party vendor.

[–] [email protected] 24 points 5 months ago (1 children)

Even if you have an internal CA, few appliances support this kind of automation. At best, they have an API, and you get to write that automation yourself for each appliance.

[–] [email protected] 11 points 5 months ago

Knew a place where, for some devices, it was only available via a web interface. It was automated via WebDriver by a sysadmin who was losing his mind.

[–] [email protected] 21 points 5 months ago (1 children)

You can delegate to isolated nameservers with DNS-01, there's no need to have control over the primary zone: https://www.eff.org/deeplinks/2018/02/technical-deep-dive-securing-automation-acme-dns-challenge-validation
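
The CNAME delegation this comment links to, shown as an added example that is not from the thread or the EFF article: a minimal Python model of both sides of an ACME DNS-01 check (RFC 8555 section 8.4, account key thumbprint per RFC 7638), where the primary zone holds only a static CNAME and the TXT record lives in an isolated zone. The zone contents, the name `fw1.acme.isolated.example.net.`, the token and the JWK coordinates are constructed, and an in-memory dict stands in for real DNS.

```python
import base64
import hashlib
import json

def b64url(data: bytes) -> str:
    """base64url without padding, as ACME (RFC 8555) uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over canonical JSON of the required public members."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canon = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canon.encode()).digest())

def dns01_txt_value(token: str, jwk: dict) -> str:
    """What the client publishes (RFC 8555 s8.4): base64url(SHA-256(token '.' thumbprint))."""
    return b64url(hashlib.sha256(f"{token}.{jwk_thumbprint(jwk)}".encode()).digest())

def publish_challenge(zone: dict, name: str, token: str, jwk: dict) -> None:
    """Client side: write the TXT record at NAME (the isolated zone, not the primary one)."""
    zone.setdefault(name, {}).setdefault("TXT", []).append(dns01_txt_value(token, jwk))

def resolve_txt(zone: dict, name: str, max_hops: int = 8) -> list:
    """Validator side: follow CNAMEs like a resolver, return TXT values at the final name."""
    for _ in range(max_hops):
        rr = zone.get(name, {})
        if "CNAME" not in rr:
            return rr.get("TXT", [])
        name = rr["CNAME"]
    raise RuntimeError("CNAME chain too long")

def validate_dns01(zone: dict, domain: str, token: str, jwk: dict) -> bool:
    """True when the expected value is found at _acme-challenge.<domain>, via any CNAME."""
    return dns01_txt_value(token, jwk) in resolve_txt(zone, f"_acme-challenge.{domain}.")

# Constructed sample data (not real keys, tokens or zones).
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
               "x": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
               "y": "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"}
TOKEN = "constructed-token-from-the-CA"
# Primary zone contains only a static CNAME pointing at the isolated ACME zone.
ZONE = {"_acme-challenge.fw1.example.com.": {"CNAME": "fw1.acme.isolated.example.net."}}

def demo() -> bool:
    publish_challenge(ZONE, "fw1.acme.isolated.example.net.", TOKEN, ACCOUNT_JWK)
    return validate_dns01(ZONE, "fw1.example.com", TOKEN, ACCOUNT_JWK)

if __name__ == "__main__":
    print("DNS-01 validated via CNAME delegation:", demo())
```

The renew job on the appliance side only ever needs write access to the isolated zone; nothing it holds can alter the primary zone.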

[–] [email protected] 20 points 5 months ago (1 children)

Yes, and that is where we enter the complicated territories...

[–] [email protected] 4 points 5 months ago (3 children)

How complicated is it to have a CNAME? /s

[–] [email protected] 11 points 5 months ago

If you think it's just too easy but people are still discussing it, please entertain the notion that you may have oversimplified the situation in your assessment, and that as assumptions become clarified you may yet soon understand a horror that Apple can't quite grok.

[–] [email protected] 13 points 5 months ago (1 children)

It's not the issuance that's the headache, it's the installation. There are more things that need valid certs than just webservers.

[–] [email protected] 5 points 5 months ago (2 children)

Certbot is basically automatic, think mine's on a cron job now.

Who actually does this shit manually?

[–] [email protected] 22 points 5 months ago

Any number of numerous appliances and hideously malformed business systems that don't have ways to automate cert changes.

Not everyone gets to work in their simple little world of standards-following lab servers.

[–] [email protected] 10 points 5 months ago (1 children)

This has a lot of "I can use the bus perfectly fine for my needs, so we should outlaw cars" energy to it.

There are several systems, like firewalls, switches, routers, proprietary systems and so on, that only have a manual process for updating and can't be easily automated.

[–] [email protected] 5 points 5 months ago* (last edited 5 months ago) (1 children)

With 45-day certs it will get that functionality real fast.

[–] [email protected] 5 points 5 months ago (1 children)

Hah. Snake oil vendors will still sell snake oil, CEOs will still be dazzled by fancy dinners and fast-talking salesmen, and IT will still be tasked with keeping the crap running.

[–] [email protected] 41 points 5 months ago* (last edited 5 months ago) (2 children)

Part of this might be my general disdain towards sysadmins who don't know the first thing about technology and security, but I can't help but notice that the article is weirdly biased:

Over the past couple of days, these unsung heroes who keep the internet up and running flocked to Reddit to bemoan their soon-to-be increasing workload.

Kind of weird to praise random Reddit users, who might or might not actually be sysadmins, that much for not keeping up with the news, or to put any kind of importance onto Reddit comments in the first place.

Personally, I'm much more partial to the opinions of actual security researchers and hope this passes. All publicly used services should use automated renewals with short lifespans. If this isn't possible for internal devices for some weird reason, that's what private CAs are for.

[–] [email protected] 22 points 5 months ago (2 children)

I'm on the side of "automate it all and stop whining", but I do think it's important not to so readily dismiss the thoughts and opinions of those this directly affects in favour of the opinions of the security researchers pushing the change.

There are some legitimate issues with certain systems that aren't easily automated today. The issue is with those systems needing to be modernised, but there isn't a big push for that.

[–] [email protected] 8 points 5 months ago* (last edited 5 months ago) (1 children)

I'd be more concerned as well if this were an overnight change, but I'd say that the rollout is slow and gradual enough that giving it more time would just lead to more procrastination rather than finding solutions. Particularly for those following the news, which all sysadmins should, the reduction in certificate lifespan over time has been going on for a while now, with a clear goal of automation becoming the only viable path forward.

I'll also go out on a limb and make a guess that a not insignificant number of people only think that their "special" case can't be automated. I wouldn't even be surprised if many of those could be solved by a bog-standard reverse-proxy setup.

[–] [email protected] 8 points 5 months ago

I'm not an "actual security researcher" but I was an "actual security officer" at a reeeeally large shop.

Yes, researchers are right. But they don't dictate what else we have to let slide to allow time to work this constantly.

And neither are they on the hook for it.

They can be pedants, but they can't do it blind.

[–] [email protected] 38 points 5 months ago (2 children)

spending $300 every 90 days instead of 365 days is so much better /s

I hate Apple so much

[–] [email protected] 21 points 5 months ago* (last edited 5 months ago)

I was in a meeting before the summer discussing this with DigiCert; we asked if you would need to pay every 90 days.

They answered that certs will still be bought at 1, 2, or 3 year intervals but can be renewed for free every 90 days.

It's pretty obvious when you think about it really.

[–] [email protected] 20 points 5 months ago (2 children)

Who is buying SSL certs for $300? Is this an enterprise thing? I’m using free certs on AWS. LetsEncrypt is also fine for self-hosting.

[–] [email protected] 15 points 5 months ago (1 children)

It is an enterprise thing, yes.

[–] [email protected] 8 points 5 months ago (1 children)

$300 sounds ok for an enterprise thing

[–] [email protected] 6 points 5 months ago (2 children)

It's more of an issue when it's every 90 days. Even worse is the labor cost to replace the certificate on everything that needs it every 90 days.

[–] [email protected] 34 points 5 months ago (2 children)

Any post/article with the word “slammed” in it gets a downvote and a no-read from me. That word needs to disappear from journalism/forums/life/etc.

[–] [email protected] 10 points 5 months ago (1 children)

This is the one case where I'd make an exception. I read through the threads, it got particularly heated.

[–] [email protected] 8 points 5 months ago (8 children)

As someone who creates custom domain name applications, FUCK THEM WITH A PINEAPPLE SPIKY SIDE FIRST. This problem is on par with timezones for needless complexity and communication disasters. Companies and advertisers are now adding man-in-the-middle certs for additional data collection/visibility. If the cipher's not cracked, changing the certs exposes significantly more failure than letting one get a little stale.

Sysadmin used slam! It's super effective!

[–] [email protected] 5 points 5 months ago

The Register is deliberately tabloid-like in style (right up to the "red top" site banner), but is good quality (at least when I read it).

They won't write an article about science without using the word "boffins" either. It's just their thing.

[–] [email protected] 31 points 5 months ago (1 children)

Lame. 45 days? 10 days for DCV? How common are exploits involving old certificates anyway? And automated cert management is just another exploit target. Do they seriously think an attacker who pwns a server can't keep the automatic renewals running?

[–] [email protected] 33 points 5 months ago

The solution, according to Sectigo's Chief Compliance Officer Tim Callan, is to automate certificate management — unsurprising considering the firm sells software that does just this.

[–] [email protected] 26 points 5 months ago (1 children)

Good, certificates should be automated anyways. Much more reliable than the once yearly outages because nobody renewed the thing or forgot some systems.

[–] [email protected] 28 points 5 months ago (2 children)

Good, certificates should be automated anyways.

The problem being when that can't be easily automated? Did you read the article?

[–] [email protected] 9 points 5 months ago (3 children)

They should be automated too.

The fact that I can't use terraform to automatically deploy certs to network appliances is a problem.

[–] [email protected] 8 points 5 months ago* (last edited 5 months ago) (1 children)

Technically, you shouldn't even deploy certs to network appliances or servers but they should fetch certificates automatically from a vault. I know there's minimal support for such things right now from some vendors, but that should be fixed by those vendors.

Even Microsoft supports such solutions in Azure, both with PaaS components and with Windows and Linux servers (in Azure or on-prem) via extensions.

[–] [email protected] 5 points 5 months ago (1 children)

Ugh. Righteous ideas about how things should work don't change the fact that these network appliances doing it the wrong way still have years of time left before the bean counters consider them depreciated and let us replace them. Or that we're locked into a multi-year contract with this business system that requires updating certs through a web UI.

Yes, there are almost always workarounds and ways to still automate it in the end, but then it's a matter of effort vs stability vs time savings.

I love automating manual sysadmin actions, it's my primary role on my team. Still, ignoring the complications that will unavoidably arise in trying to automate this for every unique setup is incredibly foolish.

[–] [email protected] 5 points 5 months ago

Oh yes, let me just contact the manufacturer for this appliance and ask them to update it to support automated certificate renewa--

What's that? "Device is end of life and will not receive further feature updates?" Okay, let me ask my boss if I can replace i--

What? "Equipment is working fine and there is no room in the budget for a replacement?" Okay, then let me see if I can find a workaround with existing equipme--

Huh? "Requested feature requires updating subscription to include advanced management capabilities?" Oh, fuck off...

[–] [email protected] 8 points 5 months ago

Good incentive for the provider to fix it or go out of business.

[–] [email protected] 21 points 5 months ago (1 children)

Smells like Apple knows something but can’t say anything. What reason would they want lifespans cut so short other than they know of an attack vector that means more than 10 days isn’t safe?

AFAIK they’re not a CA that sells certs so this can’t be some money making scheme. And they’ll be very aware how unpopular 10 day lifespans would be to services that suck and require manual download and upload every time you renew.

[–] [email protected] 12 points 5 months ago (1 children)

Smells like you didn't read the article, it's an ongoing trend:

Max lifespans of certs have been gradually decreasing over the years in an ongoing effort to boost internet security. Prior to 2011, they could last up to about eight years. As of 2020, it's about 13 months.

[–] [email protected] 27 points 5 months ago* (last edited 5 months ago) (2 children)

Thank you for the smug response; however, I did indeed read the article, and going from 13 months to 10 days is not a trend but a complete rearchitecture of how certificates are managed.

You have no idea how many orgs have to do this manually as their systems won’t enable it to be automated. Following a KBA once a year is fine for most (yet they still forget and websites break for a few days; this literally happened to NVD of all things a few weeks ago).

This change is a 36x increase in effort with no consideration for those who can’t renew and apply certs programmatically / through automation.

[–] [email protected] 7 points 5 months ago

This change is a 36x increase in effort with no consideration for those who can’t renew and apply certs programmatically / through automation

Don't worry. All that old gear is at least 45 days old - so old - and isn't an apple product anyway probably. Ergo, support isn't their issue and you will have to take that up with your OEM because la-la-la-laaaaa, can't hear you. Wanna go ride bikes?

[–] [email protected] 15 points 5 months ago (1 children)

Automated certificate lifecycle management is going to be the norm for businesses moving forward.

This seems counter-intuitive to the goal of "improving internet security". Automation is a double-edged sword. Convenient, sure, but also an attack vector, one where malicious activity is less likely to be noticed, because actual people aren't involved in the process anymore.

We've got ample evidence of this kinda thing with passwords: increasing complexity requirements and lifetime requirements improves security, only up to a point. Push it too far, and it actually ends up DECREASING security, because it encourages bad practices to get around the increased burden of implementation.

[–] [email protected] 11 points 5 months ago* (last edited 5 months ago) (1 children)

Just going to mention my zero-dependency ACME (Let's Encrypt) library: https://github.com/clshortfuse/acmejs

It runs on Chrome, Safari, Firefox, Deno, and NodeJS.

I use it to spin up my wildcard and HTTP certificates. I've personally automated it by having the certificate upload to S3 buckets and AWS Certificates. I wrote a helper for Name.com for DNS validation. For HTTP validation, I use HTTP PUT.

[–] [email protected] 7 points 5 months ago (4 children)

Why have this run in the browser? Why not just have it run on the server and renew in the background?

[–] [email protected] 7 points 5 months ago

time to shine for DANE (actually no since the world sucks)

[–] [email protected] 5 points 5 months ago

This'll never happen. The rest of the computing world will just say "nah, get fucked"

[–] [email protected] 5 points 5 months ago (1 children)

Sounds like free money for all those certificate authorities out there. Imma start my own CA with blackjack and hookers.

[–] [email protected] 9 points 5 months ago

Or... They do what they did last time the lifetime was cut down from 3-10 years down to 395 days... Just issue you a new certificate when the old one runs out and up to whatever the time period you bought it for...?

Let's Encrypt isn't the only CA to use ACME; you can auto-renew with basically any CA that implemented it (spoiler: most of them have).
