Technology

58743 readers

4198 users here now

This is a most excellent place for technology news and articles.

Our Rules

Follow the lemmy.world rules.
Only tech related content.
Be excellent to each another!
Mod approved content bots can post up to 10 articles per day.
Threads asking for personal tech support may be deleted.
Politics threads may be removed.
No memes allowed as posts, OK to post as comments.
Only approved bots from the list below, to ask if your bot can be added please contact us.
Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago

MODERATORS

[email protected]

185

Sysadmins slam Apple’s SSL/TLS cert lifespan cuts (www.theregister.com)

submitted 2 days ago by [email protected] to c/[email protected]

71 comments fedilink hide all child comments

you are viewing a single comment's thread
view the rest of the comments

[–] [email protected] 64 points 2 days ago (18 children)

I'm sorry, but has no-one heard of https://letsencrypt.org that issues certificates via API for free?

I would not be surprised if certificates at some point will be issued for each session.

[–] [email protected] 69 points 2 days ago (6 children)

I'm sorry, but have you ever needed to manage some certificates for a legacy system or something that isn't just a simple public facing webserver?

Automation becomes complicated very quickly. And you don't want to give DNS mutation access to all those systems to renew with DNS-01.

[–] [email protected] 21 points 1 day ago (1 children)

You can delegate to isolated nameservers with DNS-01, there's no need to have control over the primary zone: https://www.eff.org/deeplinks/2018/02/technical-deep-dive-securing-automation-acme-dns-challenge-validation

[–] [email protected] 18 points 1 day ago (1 children)

Yes, and that is where we enter the complicated territories..

[–] [email protected] 0 points 1 day ago (1 children)

How complicated is it to have a CNAME? /s

[–] thesmokingman 2 points 6 hours ago (1 children)

Did we read the same article? DNS-01 challenges require updates to DNS. This means you need an API for your DNS. This means you now have to worry about DNS permissions in your application cert workflow. We’ve just massively increased blast radius! Or you could do it manually but that’s already failed.

All of this is straightforward with infrastructure-as-code. While I don’t struggle with that, I’ve watched devs and sysadmins both stare blankly at this kind of thing for days at a time.

[–] [email protected] 1 points 1 hour ago

Updates to DNS, yes. Not necessarily to your primary zone. In other words, you don’t need access to the name servers for your highly privileged example.com zone, only the nameservers for inconsequential.example.com. With the challenge delegation you can easily narrow the scope by CNAMEing the relevant _acme-challenge enries in your primary domain once. This not only removes the need for the validator to modify your primary zone, but also scopes what subdomains it can validate, too. So the blast radius decreases.

I, too, maintain several devices that insist on having the certificates (and keys, yuck) being fed to them by hand. I automated it all, because I don’t see why a human should be in a loop of copying the secret material. Automaton is good.

load more comments (4 replies)

load more comments (15 replies)