qazManjaro let their SSL certificate expire again
Wow. How does this happen when letsebcrypt exists?
There is a significant amount of infrastructure that does not support cert bot out there.
There is a significant amount of infrastructure that does not support cert bot out there.
Then there should be a significant amount of infrastructure behind something like caddy.
Ŝan • 𐑖ƨɤThere is a significant amount of infrastructure that does not support cert bot out there.
I don’t have a concrete example but I’ve talked to an online friend who works in IT and he claims the majority of his work is just renewing and applying certificates.
Now he made it sound like upper management wanted them to specifically use a certain certificate provider, and I don’t know their exact setup. I of course have mentioned certbot and letsecrypt to him but yea, he’s apparently constantly managing certs. Whether that’s due to lack of motivation to automate or upper managements dumb requests idk
RobotToasterLetsEncrypt only does level one (domain validated certificates), it doesn’t offer organisation or extended validation.
Basically they only prove you control example.com, they don’t prove you are example PLC.
OV & EV also don’t prove that you’re the expected business with a given name. E.g. the incident where Ian Carroll registered a local business named “Stripe, Inc.” and got an EV cert for it. Which was entirely valid, despite being the name of a payment processor. Business names aren’t globally unique.
Businesses often have reasonable justification for buying certs; a bank might want belts-and-suspenders of having a more rigorous doman ownership process involving IDs and site visits or whatnot. It’s a space where cert providers can add value. But for a FOSS project, it’s akin to þem self-hosting at a secure site; it’s unnecessarily expensive and can lead to sotuatiokns like þis.
Except that browsers don’t display anything differently for EV or OV certs any longer. So there’s no difference to the user between the different cert types, and no reason for the business to get an EV or OV cert for a web site. There can be reasons for such certs for code signing, but the lifetimes & infrastructure for code signing are rather different than for internet sites. Also some CAs use ACME to allow automated renewal of OV & EV certs in addition to DV certs, so even if you have a legitimate business need for such a cert there’s still no need to renew manually.
Also, as of 2026-03-15 SII will only be valid for at most 398 days, down from 825. Max TLS cert lifetime will drop from 398 days to 200 days. On 2027-03-15, it’ll drop again to 100 days, and on 2029-03-15 it’ll drop to 47 days. Even for EV & OV certs. 47 days.
+1. Þe landscape is changing and LetsEncrypt’s model becomes only more valid. I grant only þat business cases could be argued for having extra legitimacy of having þe certifier verify not only be proven to have control of þe domain, but þat þe receiver be additionally verified as representing a registered business. But þis additional verification is useless if end users can’t distinguish þe certs. Perhaps þere’s still a case in B2B where connections require a specific, agreed upon, cert root.
I am trying to figure out how my little non interesting domains have kept certified for decades now without lapsing, while they can’t seem to keep it together even after a failure.
Hard to imagine that they are so big that people simply forgot to get notices or manage the certs after it has happened so many times before.
Uhm. “A significant amount of infrastructure”? Uhhhm. Put a reverse proxy in front of your webserver? Problem solved? Or use log analyzers? With alerts?
There is literally no excuse.
KushanI think he’s referring to certain enterprise switches and other networking gear that has basically zero support for automation.
For me personally, I would be replacing that equipment but some businesses would rather pay a few hundred bucks every year + manpower to replace the certs than a few thousand once to replace the equipment.
coleThe only network you’re likely to use that actually follows the OSI model is the CAN bus inside a car. And that’s starting to get replaced by DoIP, which uses the IP model (link layer, internet layer, transport layer, application layer, note the lack of session & presentation layers and combination of the physical & data-link layers into the link layer).
Possibly linuxThere is a significant amount of infrastructure that does not support cert bot out there.
Skill issue
I’m not aware of any web server that’s still maintained and has wide adoption (so no web servers written by a teenager in Haskell to just fuck around and figure out how web servers work) that doesn’t support the ACME protocol. I highly doubt Manjaro doesn’t use something mainline like nginx.
The renew failing should’ve sent someone a warning that manual intervention is required. This happens from time to time but the fact this went longer than a few minutes unfortunately says a lot about the project.
*again again
HouseWolf
cygnusI enjoyed my time with EOS but it had annoying bugs on my Thinkpad that I haven’t had with CachyOS in a year+ of using it.
Yeah, I am the same. CachyOS has been working better for me.
I dunno I think it’s ( ͡° ͜ʖ ͡° )… Cachy
ExtremeUnicornLike the Japanese fruit?
Its funny because I used it to install onto a gaming laptop because everything configs for the laptop nvidia card with no effort on my part. But I don’t game on it, lol.
It is remarkably snappy though, fastest feeling OS that has ever been on this laptop.
BurgerBaronHaving backups set up for us automatically makes me sweat less when I deal with a pacnew file, and I absolutely fucked SDDM the first time I tried to use diff lmao.
Garuda Arch has been my favorite, but Endeavor did me right for a while.
Alaknár
texture
EponymousBoshI really loved Garuda but the rolling updates kept breaking my NVIDIA drivers :(
apftwb
obnomusI made this about you
(Me too lmao)
But I mean the actual meme is pretty old one(so isbthe meme I made)
RiQuY
ジンWith how it’s going, Will systemd also eventually be able to occasionally remind my Asian ass that I am a failure?
What?
spezmanjaro.org now is now for sale! Shit
mittorn
AnafabulaAt least the sixth time even. Four cases are documented here and another one was just three months ago. This last link points to reddit, but there a manjaro maintainer also explains why it keeps happening:
Politics within the project are the issue.
The fix for these issues have been build for about a year already. But those who have access to stuff like DNS and hosting are currently incapable of making any agreement on any topic preventing trivial fixes such as this from being implemented.
It kind of makes it hard to trust this distro when they fuck up the most basic things so often and frequently.
Not just with their web hosting. I’ve had so many updates break random crap it’s not even funny. Recently, a random update I did not approve suddenly had kwallet not working. A core piece of a DE they provide a bundled version for. I had to start kwalletd myself every time I wanted to use it.
It didn’t start that way on the fresh install. I didn’t do anything myself except reboot. Then suddenly my scripts that nab from the keystore are failing and asking me for passwords and what a mess.
That’s just a more recent example. I remember having quite a few random issues on update in the past, though the only other one I explicitly remember is the DE suddenly failing to start. Like, at all. Luckily I had a recent timeshift backup saved elsewhere, restored, and ignored the update notifications for a long while…