Questionable Vendor
Posted by Full-Entertainer-606@reddit | sysadmin
At my work, a department manager sent in a request to set up a subdomain with DNS and SSL for use by an outside hosting vendor. We set up the DNS entry. I then contacted their support and asked if they could use Let’s Encrypt rather than me issuing a cert. This is where things get interesting.
Recreation of email conversation:
Me: The DNS entry is ready. I understand you need an SSL certificate. Can you use Let’s Encrypt?
Vendor: Sure. Please send us the cert and key.
Me: I must be misunderstanding something. If I generate a key and cert, I will have to do this every 90 days. This seems to mitigate one of the principal values of using Let’s Encrypt.
Vendor: Most customers just send us a certificate every year. We will have to get back to you.
It’s been a week now and I’ve heard nothing. This seems like a giant red flag to me. Or am I really missing something?
Best-Conclusion5554@reddit
What's the manager doing agreeing something like this with an external party without IT putting it through proper due diligence/change management first?
DeifniteProfessional@reddit
Unfortunately the majority of companies are wilfully incompetent. Change management? Good luck finding a company under 2,000 employees that has anything that can help them manage that, much less staff members with half a care.
Metmendoza@reddit
Yeah we've sent emails to all of our vendors about automating certs. About 5-10% understood what we were talking about and only half of those had a plan in place.
GremlinNZ@reddit
I certainly wouldn't want to be starting a deployment with this kind of crap. Legacy systems, sure, but nowadays, knowing short lifetimes are coming? Deal breaker.
disposeable1200@reddit
Yeah they don't get it
Not questionable - half the vendors are incompetent these days
Ask them about the shortening certificate lifespans if you want a laugh