And every single time there’s a compromised or busted CA, or some certificate flaw, these same incompetent sysadmins get up in arms about how they cannot possibly perform one of the most basic and fundamental tasks of running connected services in less than a week.
This is a task that should be almost entirely if not completely automated, and should take in the order of hours.
This is their own fault.
They’ve had well over a decade of knowing they had to fix this fundamental failure in their systems and they did nothing.
That this change is a problem demonstrates incompetence. if it’s actually surprising (and it’s not just “we bitched before and it worked”) then they’re actually literal morons: this has been best practice for over a decade and repeatedly and clearly stated as what the future was going to be.
This change is not new.
The existential threat is stuff like appliances or servers that haven’t had a cert rotation in 6 years and now no one remembers the password or whatever. Now people will have to log in every 45 days, so that’s much less likely.
I’m not really sure it is Apples or the CAs place to require that, but I think that’s the logic.
Right now, for a device to get a certificate via ACME, it needs to do one of:
(a) Be reachable, from the public Internet, in accordance with its A and/or AAAA records. This is a nonstarter for, say, a printer or switch.
(b) Be able to change a DNS record. This is doable if the device has outgoing Internet access and appropriate keys, but safely issuing those keys is not cleanly and uniformly possible across authoritative DNS servers. And there is nothing resembling a standard protocol to actually ask for the DNS-01 magic record to be installed. Do you really want every appliance to implement every plugin in this list:
https://eff-certbot.readthedocs.io/en/stable/using.html#dns-...
(c) Get some other agent to do (a) or (b) and issue the certificate to the device. Again, there is no standard here.
This could be SO much better if there was, for example:
(d) A complete, standard three-way protocol between the device that needs a certificate, the DNS provider, and the CA that would result, cleanly, in a certificate, and
(e) A fully standard way to do this with the help of a proxy that an communicate with the device, the DNS provider, and the CA, but without the device having any Internet access at all.
Then an administrator could set up a certificate proxy, enroll all their devices with the proxy, and get them certificates, with automatic renewal.
For (b), I don't see why you couldn't install the required records using dynamic DNS, which is already widely implemented and deployed in other contexts. (It's the RFC 2136 item on the Certbot list.) It doesn't seem to be very commonly offered by DNS providers, though. It does work if you maintain the zone locally and use zone transfer (presumably with TSIG for authentication …) to publish to public DNS servers (if you don't want to run the public DNS servers yourself).
I think this space is a bit of a mess because no one is really expected to put this together themselves, rather they should get everything (mail hosting, web hosting, plus certificates) from a service provider. It's a wonder that grassroots participation is still possible at all.
(e) also sounds a lot like just running one of the existing certbot plugins on the proxy unless the appliance can’t be reverse proxied.
As for a proxy, how exactly would you deploy certificates, via proxy, automatically renewing, to, say, a network switch, two different brands of printer, a camera, and a pile of containers and VMs, all from different vendors? Sure, you can hack something up, but it will be a kludge and it will not scale.
Technically, it's not required for anyone but you to validate ownership of names further down the DNS tree once you have shown control over the DNS tree further up. Maybe combine it with the public suffix list to discourage misuse by certain service providers.
They will not login every 45 days.
What they will do is install a self-signed cert and train users to click "Trust" the first time they go there. Code will be updated to simply have the verify flag set to false in the TLS API call.
There's lots of stuff out there that does not support ACME/SCEP/whatever, and will never have it, and ain't nobody got time for manual updates.
It can also be a case of "we no longer support connections from macOS", due to them pulling shit like this.
It's not. It's just patronizing one-size-fits-all security tunnel-visioners doing their patronizing one-size-fits-all security tunnel-vision thing.
Thank you SSL/TLS cert lifespan cuts for making this a reality.
Well done, everyone.
While yes there are lazy/incompetent sysadmins, there are also lazy/incompetent engineers, marketers, etc this is not a magic sysadmin only thing.
I suspect that in most of the places where their are sysadmins/IT depts in this situation, they've been trying to do something about this for years, while the management of the company has refused to provide the required support or funding for the work because it's not "necessary".
In case there is a cryptographic breakthrough and we can't be sure we can do asymmetric cryptography securely anymore, we'd have to switch to something like that anyway.
If you are unable to roll certificates within a few hours your systems are not set up properly, and you cannot respond appropriately to compromise. The problem with the constant push back of “oh it’s hard to manually perform a certificate update over our services” is fucking stupid and needs to stop. If you cannot roll your certificates regularly without a problem, then I sure as shit doubt you can update your systems in response to an actual urgent issue.
The problem is not onerous rules from Apple, the problem is you’ve spent decades complaining about it being too hard to do basic updates to your services and software, and then every time you get an extension to fix your broken ass systems you go “sweet” and don’t fix the fucking problem.
JFC the incompetence.
A very uncool thing to do when the application only gets updated about once a year. :(
More discussion: https://news.ycombinator.com/item?id=41845885