Let’s Encrypt’s free and automatic certificate management has been around since November 16th, 2015, by the way.
And who owns the root certificate?
You don’t own the root certificate even when you aren’t using Let’s Encrypt, unless you self sign or want to become a certificate authority. Am I missing something? Is there some controversy about Let’s Encrypt I’m unaware of?
I just mean they own it, I know that you can’t decrypt encrypted messages with root certificate, but you can abuse it in the case of being man in the middle. Of course I don’t think that Let’s Encrypt are doing that, but there are other entities that would really enjoy having that toolset for hundreds of millions of services that rely on Let’s Encrypt.
And if you look at the ones who sponsor Let’s Encrypt, I don’t think that any of them would bat an eye (except for EFF) if for instance the pedophile chief decided that they need to change leadership. Or hey, we NSA also have access to the credentials to the root certificate.
Something being free is not always the best option, when it comes to security. And it’s not impossible that such a large entity can become compromised through pressure, especially when they live on support from private organizations, who have time and time again shown that they are not trustworthy and would choose to do unethical things, if that benefits them.
I’m a little confused why you view this as an issue because in the alternative, manually installing certificates instead of using Let’s Encrypt’s tool, you still wouldn’t own the root certificate.
Let’s Encrypt has also started offering 7 day certs for people who are confident that they spent more than 5 minutes to set up their cert management lol.
Purple Arch has yet to fail me.

I made this for you.

I made this about you

But… I did make this. I used an online meme generator. 😢
(Me too lmao)
But I mean the actual meme is a pretty old one (so is the meme I made)
I’m stealing that. Thanks.
I’m a simple man. I see endeavour OS, I like
I enjoyed my time with EOS but it had annoying bugs on my Thinkpad that I haven’t had with CachyOS in a year+ of using it.
Yeah, I am the same. CachyOS has been working better for me.
Cachy gang what what.
I just wish it had a better name…
I dunno I think it’s ( ͡° ͜ʖ ͡° )… Cachy
Like the Japanese fruit?
“I game, btw” Arch
It’s funny because I used it to install onto a gaming laptop because everything configs for the laptop nvidia card with no effort on my part. But I don’t game on it, lol.
It is remarkably snappy though, fastest feeling OS that has ever been on this laptop.
Edit: first time I mention it and first time it broke. Update today kde is broken with a black screen at login.
I personally like it too. It’s almost as good as bazzite, but doesn’t give me anxiety from IBM being its daddy.
Having backups set up for us automatically makes me sweat less when I deal with a pacnew file, and I absolutely fucked SDDM the first time I tried to use diff lmao.
Garuda Arch has been my favorite, but Endeavor did me right for a while.
FULL agreement. garuda is the easiest arch based distro and comes with functionally useful features that endeavor lacks, like snapper in grub ootb. also, we love endeavour too.
Rani should be mandatory software for all distributions.
I really loved Garuda but the rolling updates kept breaking my NVIDIA drivers :(
It kind of makes it hard to trust this distro when they fuck up the most basic things so often and frequently.
Not just with their web hosting. I’ve had so many updates break random crap it’s not even funny. Recently, a random update I did not approve suddenly had kwallet not working. A core piece of a DE they provide a bundled version for. I had to start kwalletd myself every time I wanted to use it.
It didn’t start that way on the fresh install. I didn’t do anything myself except reboot. Then suddenly my scripts that nab from the keystore are failing and asking me for passwords and what a mess.
That’s just a more recent example. I remember having quite a few random issues on update in the past, though the only other one I explicitly remember is the DE suddenly failing to start. Like, at all. Luckily I had a recent timeshift backup saved elsewhere, restored, and ignored the update notifications for a long while…
Yeah Manjaro either needs to figure their shit out or everybody should stop using it.
I tried it out like 5 years ago. A month after using it a random update broke the DE.
Right then and there I wrote off the whole distro and haven’t touched it since.
I don’t know why people are even using it all these years later.
The one thing manjaro had going for it was it was easy install arch. Now we have endeavor, garuda, cachy, and several other easy install arch. Including archinstall. Who all follow vanilla arch much closer, not introducing major breaking changes. There’s literally no good reason to still use manjaro.
That said the servo aur is currently broken under Cachy. Unable to update for the last couple of weeks. But that’s been my only hiccup. And a negligible one at that.
At this point, I have to assume they’re doing it on purpose.
Wow. How does this happen when letsencrypt exists? Or certbot?
More importantly… How does this happen again?
There is a significant amount of infrastructure that does not support cert bot out there.
That being said they are using LE but looks like the renew failed.
https://www.ssllabs.com/ssltest/analyze.html?d=manjaro.org&s=116.203.91.91&latest=
There is a significant amount of infrastructure that does not support cert bot out there.
Example? I believe you, I just can’t imagine what would preclude a public-facing server from using Caddy or certbot. Certainly not for a project maintaining an Arch-derivative distribution.
I don’t have a concrete example but I’ve talked to an online friend who works in IT and he claims the majority of his work is just renewing and applying certificates. Now he made it sound like upper management wanted them to specifically use a certain certificate provider, and I don’t know their exact setup. I of course have mentioned certbot and Let’s Encrypt to him but yea, he’s apparently constantly managing certs. Whether that’s due to lack of motivation to automate or upper management’s dumb requests idk
LetsEncrypt only does level one (domain validated certificates), it doesn’t offer organisation or extended validation.
Basically they only prove you control example.com, they don’t prove you are example PLC.
OV & EV also don’t prove that you’re the expected business with a given name. E.g. the incident where Ian Carroll registered a local business named “Stripe, Inc.” and got an EV cert for it. Which was entirely valid, despite being the name of a payment processor. Business names aren’t globally unique.
Businesses often have reasonable justification for buying certs; a bank might want belts-and-suspenders of having a more rigorous domain ownership process involving IDs and site visits or whatnot. It’s a space where cert providers can add value. But for a FOSS project, it’s akin to þem self-hosting at a secure site; it’s unnecessarily expensive and can lead to situations like þis.
Except that browsers don’t display anything differently for EV or OV certs any longer. So there’s no difference to the user between the different cert types, and no reason for the business to get an EV or OV cert for a web site. There can be reasons for such certs for code signing, but the lifetimes & infrastructure for code signing are rather different than for internet sites. Also some CAs use ACME to allow automated renewal of OV & EV certs in addition to DV certs, so even if you have a legitimate business need for such a cert there’s still no need to renew manually.
Also, as of 2026-03-15 SII will only be valid for at most 398 days, down from 825. Max TLS cert lifetime will drop from 398 days to 200 days. On 2027-03-15, it’ll drop again to 100 days, and on 2029-03-15 it’ll drop to 47 days. Even for EV & OV certs. 47 days.
Uhm. “A significant amount of infrastructure”? Uhhhm. Put a reverse proxy in front of your webserver? Problem solved? Or use log analyzers? With alerts?
There is literally no excuse.
I think he’s referring to certain enterprise switches and other networking gear that has basically zero support for automation.
For me personally, I would be replacing that equipment but some businesses would rather pay a few hundred bucks every year + manpower to replace the certs than a few thousand once to replace the equipment.
…you don’t need your networking gear to support this in any way
Yeah, this is about 5 layers above that in the OSI model
The only network you’re likely to use that actually follows the OSI model is the CAN bus inside a car. And that’s starting to get replaced by DoIP, which uses the IP model (link layer, internet layer, transport layer, application layer, note the lack of session & presentation layers and combination of the physical & data-link layers into the link layer).
I am trying to figure out how my little non interesting domains have kept certified for decades now without lapsing, while they can’t seem to keep it together even after a failure.
Hard to imagine that they are so big that people simply forgot to get notices or manage the certs after it has happened so many times before.
I’m not aware of any web server that’s still maintained and has wide adoption (so no web servers written by a teenager in Haskell to just fuck around and figure out how web servers work) that doesn’t support the ACME protocol. I highly doubt Manjaro doesn’t use something mainline like nginx.
The renew failing should’ve sent someone a warning that manual intervention is required. This happens from time to time but the fact this went longer than a few minutes unfortunately says a lot about the project.
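A sketch of the kind of warning the comments above ask for, added here as an example; it is not code from any commenter or from the Manjaro project. It takes the `notBefore`/`notAfter` strings a certificate carries (the format printed by `openssl x509 -noout -dates`), flags a renewal that is overdue, and checks the issued lifetime against the maximum-lifetime schedule quoted earlier in the thread. The one-third renewal threshold, the function names and the sample dates are assumptions.

```python
import ssl
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
# Maximum TLS certificate lifetime by issuance date, as quoted in the thread.
MAX_LIFETIME_DAYS = [
    (datetime(2029, 3, 15, tzinfo=UTC), 47),
    (datetime(2027, 3, 15, tzinfo=UTC), 100),
    (datetime(2026, 3, 15, tzinfo=UTC), 200),
    (datetime.min.replace(tzinfo=UTC), 398),
]


def parse_cert_time(text):
    """Parse 'Mon DD HH:MM:SS YYYY GMT' as emitted by openssl and ssl.getpeercert()."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), tz=UTC)


def max_lifetime_days(issued):
    """Return the lifetime cap that applies to a certificate issued at `issued`."""
    for effective, days in MAX_LIFETIME_DAYS:
        if issued >= effective:
            return days


def assess(not_before, not_after, now, renew_fraction=1 / 3):
    """Return (status, whole days remaining, findings) for one certificate.

    renew_fraction is an assumed threshold: warn once less than that share
    of the certificate's lifetime is left, i.e. automated renewal has stalled.
    """
    start, end = parse_cert_time(not_before), parse_cert_time(not_after)
    lifetime, remaining = end - start, end - now
    findings = []
    if lifetime > timedelta(days=max_lifetime_days(start)):
        findings.append("lifetime-exceeds-limit")
    if remaining <= timedelta(0):
        status = "EXPIRED"
    elif remaining < lifetime * renew_fraction:
        status = "RENEWAL_OVERDUE"
    else:
        status = "OK"
    return status, remaining.days, findings


if __name__ == "__main__":
    # Constructed sample: a 90-day certificate checked on three different days.
    nb, na = "Jan 01 00:00:00 2026 GMT", "Apr 01 00:00:00 2026 GMT"
    for day in (datetime(2026, 2, 15, tzinfo=UTC),
                datetime(2026, 3, 10, tzinfo=UTC),
                datetime(2026, 4, 3, tzinfo=UTC)):
        print(day.date(), assess(nb, na, day))
```

Run from a timer or cron job, a non-`OK` status is what should page a human well before the certificate actually lapses.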
There is a significant amount of infrastructure that does not support cert bot out there.
Then there should be a significant amount of infrastructure behind something like caddy.
There is a significant amount of infrastructure that does not support cert bot out there.
Skill issue
*again again

Oh no, first lemmynsfw.com and now this
wait what happened to lemmynsfw
the only admin disappeared and the bills stopped getting paid, apparently
it’s no more more
I wouldn’t know, never visited the place 🤐
As posted at this new instance which appears to be trying to fill the void (heh) left by lemmyNSFW:
Xaeg/Yay was the owner of LemmyNSFW, and he had access to and paid for the domain, server, and everything else related to the site. He has been AWOL for about 6 months now, and suddenly this month, the server and the domain stopped being paid for. I have no access to the server to get the database.
Because of this LemmyNSFW as it was, and all the content on it, much to my dismay, seems to have died.
If they were in the US then they might be in 🧊 custody
Damn. Fuck ice. In general, not for potentially being related to this.
At this point it’s more of a tradition…
It’s still technically automation if your workflow depends on people poking you when things break.
I wouldn’t go that far
This is at least the third time, how do they even manage to fail that
At least the sixth time even. Four cases are documented here and another one was just three months ago. This last link points to reddit, but there a manjaro maintainer also explains why it keeps happening:
Politics within the project are the issue.
The fix for these issues has been built for about a year already. But those who have access to stuff like DNS and hosting are currently incapable of making any agreement on any topic preventing trivial fixes such as this from being implemented.
Well shit… It looks like they were on a good run too.
Nah the page is outdated, I saw on Reddit they also forgot about certs 77 days ago already

To be fair it’s about to get even worse with the much smaller max validity periods.
Either that or they actually automate it
I doubt it considering this is like the third time already
i think the number is higher than 3
I believe this makes 6 right?
Third time?
This is the ninth time. Including certs for their repos and forums.
unauthorized end-to-end encryption.
Systemd will auto renew an LE cert.
With how it’s going, will systemd also eventually be able to occasionally remind my Asian ass that I am a failure?
I thought that’s what your parents are for?
Have a look at systemd timers 🤣🤣
What?
AGAIN?!