[Cryptography] Apple's 13-month certificate policy

John Newman jnn at synfin.org
Sat Feb 22 21:30:18 EST 2020


At 8:13 PM, Raymond Burkholder <ray at oneunified.net> wrote:
> 
> 
>> On 2020-02-22 4:55 p.m., John-Mark Gurney wrote:
>> Patrick Chkoreff wrote this message on Sat, Feb 22, 2020 at 18:23 -0500:
>> 
>> Overall, it's a good thing, and IMO, even 90 days is a bit long.  With
>> automated renewal, 7-30 days is more than long enough.
> 7 - 30 days would be painful.  Yes some systems do have automation. But there are other systems with complicated relationships:  a dns server over there, a web server over here, and automation/manual system somewhere else, ...
> 
> And systems protected by certificates aren't just web servers sitting on the same server as the dns server for the TXT based authorization.  There are email servers involved with certificates. No web front end.
> 


I’ve found myself doing some odd things to get certbot to generate LE certs for hosts that are either internal using RFC1918 addresses, or hosts that can’t run a web server or certbot for whatever reason.

Basically, I set up certbot to run on my name server, where I installed nginx, and where I make temporary zone changes so that whatever host I need the cert for temporarily has an A record that lives on my name server.  It’s obviously a PITA, particularly having to renew the certs, which means making (then reverting) the zone changes at the same time every ~180 days, and it would never fly as a solution at the office.

But it’s mostly scripted and keeping me going on my personal stuff ;)
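The temporary-A-record workaround described above, scripted as an added example (not code from the original post) so the zone change is always put back even when certbot fails; it assumes a hypothetical BIND-style zone file with the serial on its own "; serial" line, GNU sed, rndc for reloads, and certbot's nginx plugin on the name server.

```shell
#!/bin/sh
# Added example, not code from the original post: the temporary-A-record
# workaround described above, scripted so the zone edit is always reverted.
# Assumed (hypothetical): a BIND-style zone file with the SOA serial on its
# own "<n> ; serial" line and "<host> IN A <ip>" records, GNU sed, rndc for
# reloads, and certbot's nginx plugin on this name server.
set -eu
RELOAD_CMD="${RELOAD_CMD:-rndc reload}"   # override for testing

# Print the A address of host label $2 in zone file $1 (empty if none).
get_a_record() {
    awk -v h="$2" '$1 == h && /[[:space:]]IN[[:space:]]+A[[:space:]]/ { print $NF; exit }' "$1"
}

# Rewrite the A address of host label $2 in zone file $1 to $3 (in place).
set_a_record() {
    sed -i -E "s/^($2[[:space:]]+([0-9]+[[:space:]]+)?IN[[:space:]]+A[[:space:]]+)[0-9.]+/\1$3/" "$1"
}

# Increment the SOA serial of zone file $1 so the edit actually propagates.
bump_serial() {
    awk '/; serial/ && !done { sub(/[0-9]+/, $1 + 1); done = 1 } { print }' "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# Put the original address back and reload; used both on success and from the
# EXIT trap, so a failed certbot run never leaves the host pointing here.
revert_a_record() {
    set_a_record "$ZONE" "$HOST" "$ORIG_IP"; bump_serial "$ZONE"; $RELOAD_CMD
}

# Point host $2 in zone $1 at $3 (this name server), run command $4, revert.
with_temp_a_record() {
    ZONE=$1 HOST=$2 ORIG_IP=$(get_a_record "$1" "$2")
    [ -n "$ORIG_IP" ] || { echo "no A record for $HOST in $ZONE" >&2; return 1; }
    trap revert_a_record EXIT
    set_a_record "$ZONE" "$HOST" "$3"; bump_serial "$ZONE"; $RELOAD_CMD
    eval "$4"
    trap - EXIT
    revert_a_record
}

# The issuance itself needs certbot and nginx on this host, so it is opt-in.
if [ "${ISSUE_CERT:-0}" = 1 ]; then
    with_temp_a_record /etc/bind/db.example.org mail 192.0.2.53 \
        "certbot certonly --nginx -d mail.example.org"
fi
```

Run with `ISSUE_CERT=1` on the name server; the renewal cron entry is the same invocation, which removes the manual zone edit from the ~180-day cycle.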
