by ocdtrekkie 80 days ago
Anyone who thinks this is that trivial has never worked in enterprise IT.

Automated certificate renewal is maybe supported by 10% of services I operate where I work. And we're pretty modern. An organization with more legacy platforms is likely at "nothing supports automated renewal".

We are a decade or two out from 47 day expiry being a sane concept.


This is exactly why CAs are slowly reducing cert validity.

With a 47-day validity already on the calendar for 2029, nobody in their right mind is going to onboard a new service/device without automated renewal in 2026. Same with any kind of contract renewal: are you going to risk staying with the current vendor who is "considering" supporting ACME "at some point in the future", or would you rather ask their competitor who already supports it to make you a nice deal to convince your manager?

Sure, automated cert renewal might be supported by 10% of services right now, but what is that going to look like a couple of years from now when 100% of businesses are pestering their vendors for it, and leaving for competitors if they can't deliver?

> nobody in their right mind is going to onboard a new service/device without automated renewal in 2026

We're talking about people that didn't bother about an event scheduled in 365 days.

Why would they care about something that may happen in 2029?

No later than last week I had to set up a service using a 365-day cert that was provided to me as a ZIP archive.

The provider has everything in place to set up automated renewal.

But they decided against it because it forces providing us with (scoped) API access to the provider.

Instead they put a reminder in Outlook and forgot about it.

Hopefully in ~50 weeks from now someone will see the reminder, decide to act on it, find someone available with access to the provider to renew the certs and someone available who'll read the doc I had to write explaining how to put new certs in place, someone willing to schedule the operation... all of that before the certs actually expire.
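The "reminder in Outlook" approach above fails silently when nobody reads the reminder. A cheap defensive alternative is to have a script read the actual notAfter date out of each deployed certificate and flag anything inside a renewal window. The following is an added example, not code from the thread or from any product mentioned in it; it uses only the Python standard library, walks the DER structure of an X.509 certificate (Certificate -> tbsCertificate -> validity) to pull out notBefore/notAfter, and reports days remaining. The sample certificates it checks are constructed skeletons built inline (unsigned, placeholder key), labelled as such; real input would come from `ssl.PEM_cert_to_DER_cert()` on a PEM file or `ssl.get_server_certificate()` against a live endpoint.

```python
"""Report days-to-expiry for X.509 certificates using only the standard library.

Added example (not from the original thread). Parses DER directly so it works on
hosts where no OpenSSL binary or third-party library is available.
"""
import datetime as dt
import ssl

# --- minimal DER helpers (enough to build a constructed sample and to parse real certs) ---

def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV with a definite short- or long-form length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def read_tlv(buf: bytes, pos: int):
    """Decode the TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next N bytes hold the length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length

def parse_time(tag: int, raw: bytes) -> dt.datetime:
    """Decode UTCTime (0x17, two-digit year per RFC 5280 rule) or GeneralizedTime (0x18)."""
    s = raw.decode("ascii")
    if tag == 0x17:
        yy = int(s[:2])
        s = f"{1900 + yy if yy >= 50 else 2000 + yy}{s[2:]}"
    elif tag != 0x18:
        raise ValueError(f"unexpected time tag 0x{tag:02x}")
    return dt.datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=dt.timezone.utc)

def cert_validity(der: bytes):
    """Return (notBefore, notAfter) by walking Certificate -> tbsCertificate -> validity."""
    tag, tbs_pos, _ = read_tlv(der, 0)              # Certificate ::= SEQUENCE
    assert tag == 0x30
    tag, pos, _ = read_tlv(der, tbs_pos)            # tbsCertificate ::= SEQUENCE
    assert tag == 0x30
    tag, _, end = read_tlv(der, pos)                # optional [0] EXPLICIT version
    if tag == 0xA0:
        pos = end
    for _ in range(3):                              # serialNumber, signature, issuer
        _, _, pos = read_tlv(der, pos)
    tag, vpos, _ = read_tlv(der, pos)               # validity ::= SEQUENCE { notBefore, notAfter }
    assert tag == 0x30
    t1, s1, e1 = read_tlv(der, vpos)
    t2, s2, e2 = read_tlv(der, e1)
    return parse_time(t1, der[s1:e1]), parse_time(t2, der[s2:e2])

def days_remaining(der: bytes, now: dt.datetime) -> float:
    """Days until notAfter (negative once expired)."""
    return (cert_validity(der)[1] - now).total_seconds() / 86400

def expiry_report(certs, now: dt.datetime, warn_days: int = 30):
    """One (name, days_left, status) row per cert; status is EXPIRED, RENEW or OK."""
    rows = []
    for name, der in certs:
        days = days_remaining(der, now)
        status = "EXPIRED" if days < 0 else "RENEW" if days < warn_days else "OK"
        rows.append((name, round(days, 1), status))
    return rows

def load_pem(path: str) -> bytes:
    """Loader for real input: PEM file on disk -> DER bytes (stdlib helper)."""
    with open(path, "r", encoding="ascii") as fh:
        return ssl.PEM_cert_to_DER_cert(fh.read())

# --- constructed sample certificate (unsigned skeleton, NOT a real certificate) ---

OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")   # 1.2.840.113549.1.1.11
OID_CN = bytes.fromhex("550403")                        # 2.5.4.3 commonName

def der_utctime(t: dt.datetime) -> bytes:
    return der_tlv(0x17, t.strftime("%y%m%d%H%M%SZ").encode("ascii"))

def der_name(cn: str) -> bytes:
    attr = der_tlv(0x30, der_tlv(0x06, OID_CN) + der_tlv(0x13, cn.encode("ascii")))
    return der_tlv(0x30, der_tlv(0x31, attr))

def build_sample_cert(not_before: dt.datetime, not_after: dt.datetime, cn: str = "sample.example") -> bytes:
    """Assemble the DER layout of a v3 certificate with placeholder key and signature."""
    sig_alg = der_tlv(0x30, der_tlv(0x06, OID_SHA256_RSA) + der_tlv(0x05, b""))
    validity = der_tlv(0x30, der_utctime(not_before) + der_utctime(not_after))
    spki = der_tlv(0x30, sig_alg + der_tlv(0x03, b"\x00"))          # placeholder public key
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02"))        # version v3
                  + der_tlv(0x02, b"\x01")                           # serial 1
                  + sig_alg + der_name(cn) + validity + der_name(cn) + spki)
    return der_tlv(0x30, tbs + sig_alg + der_tlv(0x03, b"\x00"))     # placeholder signature

UTC = dt.timezone.utc
SAMPLE_NOW = dt.datetime(2025, 12, 15, tzinfo=UTC)                   # constructed "today"
SAMPLE_CERTS = [
    ("portal", build_sample_cert(dt.datetime(2025, 1, 1, tzinfo=UTC), dt.datetime(2026, 1, 1, tzinfo=UTC))),
    ("legacy-db", build_sample_cert(dt.datetime(2024, 6, 1, tzinfo=UTC), dt.datetime(2025, 6, 1, tzinfo=UTC))),
]

if __name__ == "__main__":
    for name, days, status in expiry_report(SAMPLE_CERTS, SAMPLE_NOW):
        print(f"{name:12s} {days:8.1f} days  {status}")
```

Run it from cron or a scheduled task against the certs you actually deployed (via `load_pem`), and alert on any RENEW or EXPIRED row; the threshold should be well inside the validity period so the manual dance described above has time to happen.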

Can confirm. Have encountered many on-prem and lift-and-shift solutions with no automated means of updating certs. The worst contenders are usually 1) executables on Windows Server (version 2012, of course), 2) old, obscure or very outdated database servers and 3) custom hardware firewalls. They are the worst.

To make things easy they usually all use different cert formats as well, requiring you to have an arsenal of conversion scripts ready.

Even plain IIS still doesn't support ACME on Windows Server 2025 without you grabbing some random scripts off the Internet written by people you don't know.

But yeah a lot of Windows server software uses inbuilt web servers with no ability to tweak or tamper beyond what the application exposes in its own settings panel.

> 3) custom hardware firewalls.

In this case, “custom” means firewalls made by pretty much any of the major vendors.

Cisco, Juniper, Fortinet and Palo Alto have a lot to answer for with their laziness. Cisco and Fortinet added support only recently. Palo and Juniper haven’t bothered at all.

That's why I suggested that a week of dev time would be reasonable for automating the task.

I work in a multinational nightmare corp; we still have a mission-critical Win95 machine.

I am talking to so many mid-sized IT shops that still have lots of legacy on-prem Windows systems or specialty software where Certbot or ACME renewals are hard. This sort of thing gets dismissed as "just use certbot" in threads like these, and it's infuriating.

We started building CertKit (https://www.certkit.io/) to centralize ACME for just this sort of thing.