donnachangstein 3 days ago

> Our internally provided certs of various CAs have a TTL of 72 hours and should be renewed every 48 hours.

Do you promise to come back and tell us the story about when someone went on vacation and the certs issued on a Thursday didn't renew over the weekend and come Monday everything broke and no one could authenticate or get into the building?
|
kam 3 days ago

At least that sounds like it would be a more interesting story than the one where the person who quit a year ago didn't document all the places they manually installed the 2-year certificate.
|
tetha 3 days ago

I will. We've been betting Postgres connectivity for a few hundred applications on this over the past three years. If this fucks up, it'll be known without me.
donnachangstein 3 days ago

I'm curious what requirement drove you to such arbitrarily small TTL, other than "because we can" dick-measuring geekery. I applaud you for sticking to your guns though.
tetha 3 days ago

At the end of the day, we were worried about exactly these issues - if an application has to reload certs once every 2 years, it will always end up a mess. And the conventional wisdom for application management and deployments is - if it's painful, do it more. Like this, applications in the container infrastructure are forced to get certificate deployment and reloading right on day 1. And yes, some older applications that were migrated to the infrastructure went ahead and loaded their credentials and certificates for other dependencies into their database or something like that and then ended up confused when this didn't work at all. Now it's fixed.
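The failure mode this subthread jokes about (a 72h cert issued on a Thursday whose 48h renewal never fires over the weekend) is visible a full day before the Monday outage if something compares the cert's age against the renewal interval. The following is an added Go example, not code from anyone in the thread: the Thursday 18:00 issue time, the status strings and the self-signed test certificate are all constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// RenewalStatus classifies a cert under a "renew every renewEvery" policy: a renewer
// that silently stopped shows as "renewal overdue" a full day before a 72h cert expires.
func RenewalStatus(leaf *x509.Certificate, now time.Time, renewEvery time.Duration) string {
	switch {
	case !now.Before(leaf.NotAfter):
		return "expired"
	case now.Sub(leaf.NotBefore) > renewEvery:
		return "renewal overdue"
	default:
		return "ok"
	}
}

// SelfSigned builds a throwaway self-signed cert (constructed demo data, not a real CA's).
func SelfSigned(notBefore time.Time, ttl time.Duration) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: notBefore, NotAfter: notBefore.Add(ttl)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Constructed timeline: issued Thursday 18:00 UTC with a 72h TTL; the 48h renewal never fires.
	issued := time.Date(2024, time.June, 6, 18, 0, 0, 0, time.UTC)
	leaf, err := SelfSigned(issued, 72*time.Hour)
	if err != nil {
		panic(err)
	}
	for _, d := range []time.Duration{24 * time.Hour, 50 * time.Hour, 87 * time.Hour} {
		at := issued.Add(d)
		fmt.Printf("%s: %s\n", at.Format("Mon 15:04"), RenewalStatus(leaf, at, 48*time.Hour))
	}
}
```

Friday reports "ok", Saturday evening (two hours past the missed renewal slot) reports "renewal overdue" while clients still connect fine, and Monday morning reports "expired".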
|
wbl 3 days ago

Why would the cert renewal be manual?
alexchamberlain 3 days ago

That's how it used to be done. Buy a certificate with a 2 year expiry and manually install it on your server (you only had 1; it was fine).
progmetaldev 3 days ago

I can tell you that there are still quite a few of us out here that are doing the once-a-year manual renewal. I have suggested a plan to use Let's Encrypt with automated renewal, but for some companies, they are using old technology and/or old processes that "seniors" are comfortable with since they understand them, and suggesting a better process isn't always looked upon favorably (especially if your job relies on the manual renewal process as one of those cryptic things only IT can do).
|