The last 3 re-signings were done on the 1st day of each month. I would be surprised if @dergigi forgot to do it in November and 12 days have already passed in December as well.
To be fair, three months is a long time to forget to do something you only do four times a year.
It's like renewing SSL certificates. It took me a long time to automate their renewal, even though it was always very annoying to SSH into my server and run the script. But I always put off setting up automation because I would also have to test that it actually worked, etc. (or some excuse like that), after I had renewed them again manually.
So I'm not sure if I would trust it, but it's definitely plausible imo that it was simply forgotten.
Everything below is observations, not accusations.
renewing SSL certificates
We should not automate SSL renewal anyway because automating means exposing credentials somewhere. Even if you use an HSM. Please also consider not having the key that is authorized to renew your cert on the server that contains the SSL key.
it's definitely plausible
A process execution failure is something that should be prevented in every org. As an individual, whatever, it's plausible and forgivable. For an org, we generally call this negligence, which is not in any way forgivable.
Please also consider not having the key that is authorized to renew your cert on the server that contains the key.
Mhh, I use certbot with HTTP challenges, and I have not considered this, thank you!
But I wonder how important it is, because only root on my server can access them. How important are SSL certificates, if the server the website is running on is fully compromised?
https://pastebin.com/nSDL7qxb is a quick hack to serve you a prometheus endpoint for cert expiry. Ingest with prom, then grafana or something on top and then have it send you alerts at 7 days, 3 days, 1 day, 12 hours, 6 hours, 5 hours, 4,3,2,1, 30 mins, 10 mins, and a dead letter at 0 lol
This has served me well for a year or more! Very simple, and it's all I need, at least so far.
I used to run Grafana and Prometheus to track CPU, memory, disk I/O, network I/O of my machines, but I realized it's more cool to look at than actually useful for my needs.
Instead, I now have alerts with ntfy.sh for most things I need to respond to.
For example, this is the function I use to keep track of expiring SSL certificates:
# printf_timeout, printf_color and ntfy are helper functions from the poster's own
# scripts; they are not shown in the thread.
check_ssl_expiry () {
    DOMAIN="$1"
    WARNING_THRESHOLD=30   # days
    TIMEOUT=10             # seconds
    printf 'checking ssl expiry of %s ... ' "$DOMAIN"
    # -servername sends SNI so a name-based vhost returns the certificate for
    # this domain; the pipeline's exit status is that of timeout/openssl
    CERT=$(echo "QUIT" | timeout "$TIMEOUT" openssl s_client -connect "$DOMAIN":443 -servername "$DOMAIN" 2>/dev/null)
    RET=$?
    if [ "$RET" -eq 124 ]; then
        # 124 is the exit status timeout(1) uses when the command ran out of time
        printf_timeout "$TIMEOUT"
        ntfy "ssl connect timeout" "$DOMAIN
timeout after $TIMEOUT seconds"
        return 124
    fi
    if [ "$RET" -ne 0 ]; then
        printf_color "openssl returned exit code $RET\n" "red"
        ntfy "ssl connect failed" "$DOMAIN: openssl returned exit code $RET"
        return 1
    fi
    # openssl prints e.g. "notAfter=Dec 12 23:59:59 2024 GMT"; keep the date part
    EXPIRY=$(echo "$CERT" | openssl x509 -noout -enddate | cut -d'=' -f2)
    EXPIRY_EPOCH=$(date -d "$EXPIRY" +%s)   # GNU date syntax
    NOW_EPOCH=$(date +%s)
    DAYS_LEFT=$(( (EXPIRY_EPOCH - NOW_EPOCH) / 86400 ))
    if [ "$DAYS_LEFT" -lt "$WARNING_THRESHOLD" ]; then
        printf_color "$DAYS_LEFT days left\n" "red"
        ntfy "ssl expiry" "$DOMAIN: $DAYS_LEFT day(s) left"
        return 1
    fi
    printf_color "$DAYS_LEFT days left\n" "green"
}
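The same check in Python, as an added example that is neither the poster's function nor the pastebin script: it sends SNI so name-based vhosts return the right certificate, parses the openssl-style notAfter string with the standard library instead of GNU date, and emits the expiry as a gauge in Prometheus exposition format like the endpoint linked earlier in the thread. The metric name ssl_cert_not_after_seconds and its label are assumptions.

```python
import socket
import ssl
import time

WARNING_THRESHOLD_DAYS = 30  # same threshold as the shell function above


def fetch_not_after(domain: str, port: int = 443, timeout: float = 10.0) -> str:
    """Connect with SNI (server_hostname) so a name-based vhost hands back the
    certificate for this domain, and return its notAfter string, which has the
    same 'Dec 12 23:59:59 2024 GMT' form that `openssl x509 -enddate` prints.
    The default context verifies the chain, so an already expired or untrusted
    certificate fails the handshake instead of returning a date."""
    ctx = ssl.create_default_context()
    with socket.create_connection((domain, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=domain) as tls:
            return tls.getpeercert()["notAfter"]


def parse_enddate(text: str) -> int:
    """Accept either the bare notAfter value or the full 'notAfter=...' line and
    return the expiry as Unix time; ssl.cert_time_to_seconds treats it as UTC."""
    value = text.split("=", 1)[1] if text.startswith("notAfter=") else text
    return ssl.cert_time_to_seconds(value.strip())


def days_left(expiry_epoch: int, now_epoch: int) -> int:
    # Floor division: an already-expired certificate yields a negative count.
    return (expiry_epoch - now_epoch) // 86400


def needs_alert(expiry_epoch: int, now_epoch: int,
                threshold: int = WARNING_THRESHOLD_DAYS) -> bool:
    return days_left(expiry_epoch, now_epoch) < threshold


def prometheus_lines(domain: str, expiry_epoch: int) -> str:
    """Prometheus exposition text for a scrape target (metric name assumed).
    An alert rule can then compare ssl_cert_not_after_seconds - time() against
    the 7d/3d/1d/... ladder instead of hard-coding thresholds in the exporter."""
    return (
        "# HELP ssl_cert_not_after_seconds Certificate notAfter as Unix time.\n"
        "# TYPE ssl_cert_not_after_seconds gauge\n"
        f'ssl_cert_not_after_seconds{{domain="{domain}"}} {expiry_epoch}\n'
    )


if __name__ == "__main__":
    import sys
    for domain in sys.argv[1:]:
        expiry = parse_enddate(fetch_not_after(domain))
        print(f"{domain}: {days_left(expiry, int(time.time()))} day(s) left")
        sys.stdout.write(prometheus_lines(domain, expiry))
```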
I used to run Grafana and Prometheus to track CPU, memory, disk I/O, network I/O of my machines, but I realized it's more cool to look at than actually useful for my needs.
I've gone off it in the past, and had some times of vacuum between solutions before it was a thing. However all my software uses prometheus for monitoring and I don't write anything without fine-grained telemetry anymore, so I just have a stable environment for this now.
For a DNS challenge, doesn't my DNS provider need to provide the correct API?
But I just looked into it again, and seems like Namecheap actually does provide the API I need. All I need is a way to set TXT records, right? For some reason, the last time I looked into it, I came to the conclusion I can't use DNS challenges with Namecheap 🤔
DNS for https://ekzy.is/ is from ISNIC though, but I think their EPP API might also be what I need for DNS challenges.
Since, as mentioned, this is stuff that is only important every few months, it's hard for me to have the discipline or motivation to properly look into it haha
I think this is for setting the NS records with the registrar though? I could be mistaken - never have dealt with .is domains.
Since, as mentioned, this is stuff that is only important every few months, it's hard for me to have the discipline or motivation to properly look into it.
I get that. I currently manage 20+ domains with certbot so it would be like a weekly exercise, as somehow I manage to have them diverge on expiry over time, even when sometimes I try to re-cluster them to expire on the same date.
certbot with HTTP challenges, and I have not considered this, thank you!
HOSTS=www.domaina.com,domainb.com,yourotherdomain.org.isdomains.