If you’re truly unaware of why TLS is necessary or how to automate the process then you should probably retire.
Oof. You’re gonna hit the bottom of the table with your knee like that.
What part of your security training skipped over understanding the customer’s setup before making recommendations?
sugar_in_your_tea@sh.itjust.works 6 days ago
Exactly. Setting up Let’s Encrypt is really easy, and once it’s set up, you don’t have to think about it.
I did it for self-hosted stuff, and it’s trivial. You can even do DNS challenge auth instead of HTTP and you don’t need to have port 80 open at all, but you do need a login token for your DNS host for the script.
The first one will probably take an hour or two if it’s your first time, and after that, it’s maybe 5 min per site.
paraphrand@lemmy.world 6 days ago
That’s what I thought. And now I need to figure out how to update it for 47 day cycles.
sugar_in_your_tea@sh.itjust.works 6 days ago
I have mine check daily, which is the default and is recommended. It only actually updates when it’s close to renewal, so I never need to care how short the renewal period is.
rbos@lemmy.ca 6 days ago
Not all DNS hosts support that. Webnames.ca, looking at you…
Also my workplace hosts their own dns and I think it will be a cold day in hell before they let me do automated updates.
exu@feditown.com 6 days ago
Any DNS host that doesn’t support automation either starts building now or goes out of business when short certs are implemented.
sugar_in_your_tea@sh.itjust.works 6 days ago
Sure, but it’s really nice if it does.
I use Cloudflare, and my login token only supports editing DNS records, which is nice. If yours doesn’t, it may be worth switching to one that does. There are lots of options and many of them have a reasonable API.
corsicanguppy@lemmy.ca 6 days ago
The best way to control the data.
This is of waning value, but don’t jump into half-assed automation early or you end up with problems like route53 hijacking.
Rogue@feddit.uk 6 days ago
Even that’s more steps than necessary.
Just serve your website with Caddy and it handles certs for you. The config is absolutely trivial compared to Apache, nginx, etc
corsicanguppy@lemmy.ca 6 days ago
Red flag.
There is no security risk so bad that it can’t be made worse by layering on new tech with its own issues and pitfalls. (Paraphrasing Bruce Jackson)
sugar_in_your_tea@sh.itjust.works 6 days ago
I use Caddy, but there are a lot of options with decent documentation.