Comment by throw0101d

1 day ago

> Haven't they always, from day one, insisted that their primary goal was to encourage (force) automation of certificate maintenance, as a mechanism to make tls ubiquitous (mandatory everywhere)?

And?

Automation sometimes breaks, either for internal reasons (OS patching) or external ones. For the latter, LE at some point in the past changed CDNs, and this caused JWS headers to be sent back differently, which broke different clients, e.g.:

* https://community.letsencrypt.org/t/jws-has-no-anti-replay-n...

* https://github.com/dehydrated-io/dehydrated/issues/684

Being able to get e-mails was an extra level of monitoring that was handy, even if you had automation.

> And?

And you set up your own monitoring systems for your own infrastructure, as you have always done.

Or better yet, set up auto-renewal as per the vendor's recommendation.

Vendors - especially vendors you aren't paying - may provide some reminder services, but assuming those to be your sole method for 'managing' your renewals is a deeply poor operational position.

This is going to get really important as cert longevity gets reduced, e.g. https://github.com/ribbybibby/ssl_exporter