Selfhosted
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
-
No spam posting.
-
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
-
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
-
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
-
No trolling.
Resources:
- selfh.st Newsletter and index of selfhosted software and apps
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
view the rest of the comments
But can you imagine the load on their servers should it come to this? And god forbid it goes down for a few hours and every person in the world is facing SSL errors because Let’s Encrypt can’t create new ones.
This continued shortening of lifespans on these certs is untenable at best. Personally I have never run into a situation where a cert was stolen or compromised but obviously that doesn’t mean it doesn’t happen. I also feel like this is meant to automate all cert production which is nice if you can. Right now, at my job, all cert creation requires manually generating a CSR, submit it to a website, wait for manager approval, and then wait for creation. Then go download the cert and install it manually.
If I have to do this everyday for all my certs I’m not going to be happy. Yes this should be automated and central IT is supposed to be working on it but I’m not holding my breath.
I doubt they will drop below 1-2 weeks. Any service outage would turn into a ddos when service was restored.
This is typically called a thundering herd
That was a rabbit hole. I never heard the term prior to this. Pretty interesting.
Yep. Kinda what I was thinking.
The current automation guidelines and defaults renew certs 30 days from expiry. So even today certs aren’t around for more than 60 days, it’s just that they’re valid for 90.
Additionally you can fairly easily monitor certs to get an alert if you drop below the 30 day threshold and automatic cert renewal hasn’t taken place.
I use Grafana self hosted for this with their synthetic monitoring free tier but it would be relatively trivial to roll your own Prometheus-exporter to do the same.
The entire renewal process is fairly cheap, resource wise. 7 day certificates are already a thing.
In terms of bandwidth you could easily renew a billion certificates a day over a gigabit connection, and in terms of performance I recon even without specialized hardware a single system could keep up with that, though that also depends on the signature algorithms employed in the future of course.
The dependence on these servers is the far bigger problem I'd say.
This shortening of lifetimes is a slow change, so I hope there will be solutions before it becomes an issue. Like keeping multiple copies of certificates alive with different providers, so the one in use can silently fall through when one provider stops working. Currently there are too few providers for my taste, that would have to improve for such a system to be viable.
Maybe one day you'll select a bundle of 5 certificate services with similar policies for creating your certificate the way you currently select a single one in certbot or acme.sh