• Antithetical@lemmy.deedium.nl
      link
      fedilink
      English
      arrow-up
      77
      arrow-down
      5
      ·
      1 month ago

      I’m sorry, but have you ever needed to manage some certificates for a legacy system or something that isn’t just a simple public facing webserver?

      Automation becomes complicated very quickly. And you don’t want to give DNS mutation access to all those systems to renew with DNS-01.

      • anonymous111@lemmy.world
        link
        fedilink
        English
        arrow-up
        53
        arrow-down
        2
        ·
        1 month ago

        Ahh yes the: we can’t have self signed certificates for security reasons but also can’t open up the environment to the web, and we dont have our own CA server, trifecta.

        Solution: awkward, manual, certificate import process from a 3rd party vendor.

        • catloaf@lemm.ee
          link
          fedilink
          English
          arrow-up
          24
          ·
          1 month ago

          Even if you have an internal CA, few appliances support this kind of automation. At best, they have an API, and you get to write that automation yourself for each appliance.

          • UnsavoryMollusk@lemmy.world
            link
            fedilink
            English
            arrow-up
            11
            ·
            1 month ago

            Knew a place where, for some devices, it was only available via a web interface. It was automated via WebDriver by a sysadmin that was losing his mind.

          • farcaller
            link
            fedilink
            English
            arrow-up
            4
            arrow-down
            6
            ·
            1 month ago

            How complicated is it to have a CNAME? /s

            • corsicanguppy@lemmy.ca
              link
              fedilink
              English
              arrow-up
              11
              ·
              1 month ago

              If you think it’s just too easy but people are still discussing it, please entertain the notion that you may have oversimplified the situation in your assessment and that as assumptions become clarified you may yet soon understand a horror that apple can’t quite grok.

            • thesmokingman@programming.dev
              link
              fedilink
              English
              arrow-up
              2
              ·
              1 month ago

              Did we read the same article? DNS-01 challenges require updates to DNS. This means you need an API for your DNS. This means you now have to worry about DNS permissions in your application cert workflow. We’ve just massively increased blast radius! Or you could do it manually but that’s already failed.

              All of this is straightforward with infrastructure-as-code. While I don’t struggle with that, I’ve watched devs and sysadmins both stare blankly at this kind of thing for days at a time.

              • farcaller
                link
                fedilink
                English
                arrow-up
                1
                ·
                1 month ago

                Updates to DNS, yes. Not necessarily to your primary zone. In other words, you don’t need access to the name servers for your highly privileged example.com zone, only the nameservers for inconsequential.example.com. With the challenge delegation you can easily narrow the scope by CNAMEing the relevant _acme-challenge enries in your primary domain once. This not only removes the need for the validator to modify your primary zone, but also scopes what subdomains it can validate, too. So the blast radius decreases.

                I, too, maintain several devices that insist on having the certificates (and keys, yuck) being fed to them by hand. I automated it all, because I don’t see why a human should be in a loop of copying the secret material. Automaton is good.

    • RegalPotoo@lemmy.world
      link
      fedilink
      English
      arrow-up
      13
      ·
      1 month ago

      It’s not the issuance that’s the headache, it’s the installation. There are more things that need valid certs than just webservers

        • wizardbeard@lemmy.dbzer0.com
          link
          fedilink
          English
          arrow-up
          22
          ·
          1 month ago

          Any number of numerous appliances and hideously malformed business systems that don’t have ways to automate cert changes.

          Not everyone gets to work in their simple little world of standards-following lab servers.

        • Terrasque@infosec.pub
          link
          fedilink
          English
          arrow-up
          10
          ·
          1 month ago

          This has a lot of “I can use the bus perfectly fine for my needs, so we should outlaw cars” energy to it.

          There are several systems, like firewalls , switches, routers, proprietary systems and so on that only has a manual process for updating, that can’t be easily automated.

            • Terrasque@infosec.pub
              link
              fedilink
              English
              arrow-up
              5
              ·
              1 month ago

              Hah. Snake oil vendors will still sell snake oil, CEO will still be dazzled by fancy dinners and fast talking salesmen, and IT will still be tasked with keeping the crap running.

    • Pacmanlives@lemmy.world
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 month ago

      Does not work well for large corporate roll outs. Last I checked no way to auto-enroll on a NetScaler or an F5

    • thesmokingman@programming.dev
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 month ago

      AWS makes this impossible in a few places such as a fair number of ACM use-cases.

      I think your cert-per-session idea is interesting. We’d need significant throughput and processing boosts to make that happen, probably at least on the order of 10X computing speeds and 10X transmission speeds across the board minimum. These operations are computationally intense and add data to the wire so, for example, a simple Lemmy server with hundreds of users slows to a crawl and a larger site eg Mastodon goes to dialup speeds or worse. You can test at home by trying to generate an x509 self-signed cert before connecting to a website every time.

      • Onno (VK6FLAB)@lemmy.radio
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 month ago

        Well AWS ACM already automates this, so if the renewal period gets shortened, I’m guessing that this will be updated to suit, unless I’m misunderstanding your point.

        I hadn’t considered the CPU load, but that’s a fair point. I’m guessing that a suitable piece of code will utilise specialised hardware, or perhaps leverage the GPU or just in time SSL certificates will become a thing.