The CA/Browser Forum has officially voted to amend the TLS Baseline Requirements to set a schedule for shortening both the lifetime of TLS certificates.
Exactly. Setting up Let’s Encrypt is really easy, and once it’s set up, you don’t have to think about it.
I did it for self-hosted stuff, and it’s trivial. You can even do DNS challenge auth instead of HTTP and you don’t need to have port 80 open at all, but you do need a login token for your DNS host for the script.
The first one will probably take an hour or two if it’s your first time, and after that, it’s maybe 5 min per site.
I have mine check daily, which is the default and is recommended. It only actually updates when it’s close to renewal, so I never need to care how short the renewal period is.
I use Cloudflare, and my login token only supports editing DNS records, which is nice. If yours doesn’t, it may be worth switching to one that does. There are lots of options and many of them have a reasonable API.
This will be a huge pain for the small business websites I administer, which really don’t need SSL to begin with except to please Google.
If you’re truly unaware of why TLS is necessary or how to automate the process then you should probably retire.
Archaic attitudes like yours are precisely why these restrictions are necessary.
Exactly. Setting up Let’s Encrypt is really easy, and once it’s set up, you don’t have to think about it.
I did it for self-hosted stuff, and it’s trivial. You can even do DNS challenge auth instead of HTTP and you don’t need to have port 80 open at all, but you do need a login token for your DNS host for the script.
The first one will probably take an hour or two if it’s your first time, and after that, it’s maybe 5 min per site.
That’s what I thought. And now I need to figure out how to update it for 47 day cycles.
I have mine check daily, which is the default and is recommended. It only actually updates when it’s close to renewal, so I never need to care how short the renewal period is.
Not all DNS hosts support that. Webnames.ca, looking at you…
Also my workplace hosts their own dns and I think it will be a cold day in hell before they let me do automated updates.
Any DNS host that doesn’t support automation either starts building now or goes out of business when short certs are implemented.
Sure, but it’s really nice if it does.
I use Cloudflare, and my login token only supports editing DNS records, which is nice. If yours doesn’t, it may be worth switching to one that does. There are lots of options and many of them have a reasonable API.
The best way to control the data.
This is of waning value, but don’t jump into half-assed automation early or you end up with problems like route53 hijacking.
Even that’s more steps than necessary.
Just serve your website with Caddy and it handles certs for you. The config is absolutely trivial compared to Apache, nginx, etc
Red flag.
There is no security risk so bad that it can’t be made worse by layering on new tech with its own issues and pitfalls. (Paraphrasing Bruce Jackson)
I use Caddy, but there are a lot of options with decent documentation.
Oof. You’re gonna hit the bottom of the table with your knee like that.
What part of your security training skipped over understanding the customer’s setup before making recommendations?
All public websites need SSL.