this post was submitted on 16 Oct 2024
192 points (91.4% liked)

Technology

59378 readers
3617 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 71 points 1 month ago (2 children)

I'm sorry, but have you ever needed to manage some certificates for a legacy system or something that isn't just a simple public facing webserver?

Automation becomes complicated very quickly. And you don't want to give DNS mutation access to all those systems to renew with DNS-01.

[–] [email protected] 51 points 1 month ago (1 children)

Ahh yes the: we can't have self signed certificates for security reasons but also can't open up the environment to the web, and we dont have our own CA server, trifecta.

Solution: awkward, manual, certificate import process from a 3rd party vendor.

[–] [email protected] 24 points 1 month ago (1 children)

Even if you have an internal CA, few appliances support this kind of automation. At best, they have an API, and you get to write that automation yourself for each appliance.

[–] [email protected] 11 points 1 month ago

Knew a place where, for some devices, it was only available via a web interface. It was automated via WebDriver by a sysadmin that was losing his mind.

[–] [email protected] 21 points 1 month ago (1 children)

You can delegate to isolated nameservers with DNS-01, there's no need to have control over the primary zone: https://www.eff.org/deeplinks/2018/02/technical-deep-dive-securing-automation-acme-dns-challenge-validation

[–] [email protected] 19 points 1 month ago (1 children)

Yes, and that is where we enter the complicated territories..

[–] [email protected] -2 points 1 month ago (2 children)

How complicated is it to have a CNAME? /s

[–] [email protected] 11 points 1 month ago

If you think it's just too easy but people are still discussing it, please entertain the notion that you may have oversimplified the situation in your assessment and that as assumptions become clarified you may yet soon understand a horror that apple can't quite grok.

[–] [email protected] 2 points 4 weeks ago (1 children)

Did we read the same article? DNS-01 challenges require updates to DNS. This means you need an API for your DNS. This means you now have to worry about DNS permissions in your application cert workflow. We’ve just massively increased blast radius! Or you could do it manually but that’s already failed.

All of this is straightforward with infrastructure-as-code. While I don’t struggle with that, I’ve watched devs and sysadmins both stare blankly at this kind of thing for days at a time.

[–] [email protected] 1 points 4 weeks ago

Updates to DNS, yes. Not necessarily to your primary zone. In other words, you don’t need access to the name servers for your highly privileged example.com zone, only the nameservers for inconsequential.example.com. With the challenge delegation you can easily narrow the scope by CNAMEing the relevant _acme-challenge enries in your primary domain once. This not only removes the need for the validator to modify your primary zone, but also scopes what subdomains it can validate, too. So the blast radius decreases.

I, too, maintain several devices that insist on having the certificates (and keys, yuck) being fed to them by hand. I automated it all, because I don’t see why a human should be in a loop of copying the secret material. Automaton is good.