anyone else hate dealing with certificate renewals on old systems
Posted by Sroni4967@reddit | sysadmin | 21 comments
got stuck updating certs on some ancient centos boxes today and the ssl libraries are so outdated nothing works properly
Mike22april@reddit
Ancient CentOS won't support TLS 1.2+. That's a problem anyhow.
desmond_koh@reddit
anyone else hate dealing with certificate renewals?
There, fixed it for you :)
LetMeAskPls@reddit
100%
SenTedStevens@reddit
No. I just love having to get a new PFX cert from a CA, needing to convert to PEM/CER/DER/whatever, then use openssl or Keystore Explorer to add the certificates into a keystore. Hopefully, I added the certs in the right order, bounce the service, and cross my fingers that I did it right and the service doesn't spaz out.
And no, these legacy systems can't simply be automated with ACME.
420GB@reddit
All of these steps are trivial to automate with an Ansible playbook. You can also do ACME on a different machine and then move the certs over or mount them via NFS.
Ciconiae@reddit
The Java keystore is a pain, especially on Windows. Like, no I do not have OpenSSL installed and/or whatever Java version required on my servers just for this bloated Java web app to work slowly.
420GB@reddit
No because we don't run old systems and we proxy almost everything anyways
certkit@reddit
Certbot and ACME tooling don't work great on old devices. It's a big risk for the coming reduction in lifetimes and it's going to cause a lot of outages.
Reverse proxies, like many have suggested, are a great option -- put something new in front of it and just leave a self-signed cert on the hidden old box.
If you don't want to run another thing, or really need a trusted cert on that box, you can try a centralized certificate management approach that renews the certificates in one place and pushes them into your old systems. You can build this yourself with Certbot and some scripting magic, or you can buy a tool that does this for you.
Obviously, I am such a tool. Yes, I know what I said.
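Added by the editor, not from any commenter: the "renew in one place, push to the old systems" pattern certkit describes above, combined with the PFX-to-keystore step SenTedStevens describes earlier in the thread, written as a Certbot deploy hook. Everything about the environment is assumed: the targets file and its four-column format, the remote paths /etc/ssl/legacy and /etc/legacy-certs/targets, the service names, and key-based ssh with passwordless sudo on the legacy hosts. RENEWED_LINEAGE and RENEWED_DOMAINS are the variables Certbot itself sets when it runs a deploy hook.

```sh
#!/bin/sh
# Added example, not code from any poster: a Certbot --deploy-hook that renews in one
# place and pushes to legacy hosts, building the PKCS#12 or JKS they want after checking
# the chain order. Assumed (all made up): a targets file with lines
# "domain user@host format service" (format: p12, jks or pem), key-based ssh with
# passwordless sudo on each host, and the paths /etc/legacy-certs/targets, /etc/ssl/legacy.
set -eu
TARGETS=${TARGETS:-/etc/legacy-certs/targets}
STOREPASS=${STOREPASS:-changeit}   # placeholder; pull this from a secret store in practice

# chain_in_order BUNDLE: succeed only if each cert in BUNDLE is issued by the one after
# it (leaf first). Catches "added the certs in the wrong order" before anything ships.
chain_in_order() {
  tmp=$(mktemp -d)
  awk -v dir="$tmp" '/-----BEGIN CERTIFICATE-----/ { if (f) close(f); f = sprintf("%s/%03d.pem", dir, ++n) }
                     f { print > f }' "$1"
  prev_issuer='' rc=0
  for f in "$tmp"/*.pem; do
    [ -e "$f" ] || { echo "$1: no certificates found" >&2; rc=1; break; }
    subj=$(openssl x509 -in "$f" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    if [ -n "$prev_issuer" ] && [ "$prev_issuer" != "$subj" ]; then
      echo "$1: chain break, expected '$prev_issuer' next but found '$subj'" >&2; rc=1
    fi
    prev_issuer=$(openssl x509 -in "$f" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
  done
  rm -rf "$tmp"; return $rc
}

# build_pkcs12 KEY FULLCHAIN OUT PASS: one PKCS#12 ("PFX") holding key, leaf and
# intermediates, the shape most Java- and Windows-era services expect.
build_pkcs12() {
  openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout "pass:$4" -name legacy
}

# pkcs12_to_jks P12 PASS JKS: keytool copies the key entry together with its chain in one
# step, so there are no per-certificate imports to get in the wrong order.
pkcs12_to_jks() {
  rm -f "$3"
  keytool -importkeystore -noprompt -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass "$2" \
    -destkeystore "$3" -deststoretype JKS -deststorepass "$2" -destkeypass "$2"
}

# cert_fingerprint PEM: SHA-256 fingerprint of the first certificate in PEM.
cert_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'; }

# served_fingerprint HOST PORT: fingerprint of what the service serves right now. A box that
# only speaks TLS 1.0 may need '-tls1' and a lowered OpenSSL @SECLEVEL here.
served_fingerprint() {
  printf '' | openssl s_client -connect "$1:$2" -servername "$1" 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# push_one DOMAIN TARGET FORMAT SERVICE
push_one() {
  live=$RENEWED_LINEAGE host=${2#*@} work=$(mktemp -d)
  chain_in_order "$live/fullchain.pem" || return 1
  build_pkcs12 "$live/privkey.pem" "$live/fullchain.pem" "$work/keystore.p12" "$STOREPASS" || return 1
  case $3 in
    p12) art=$work/keystore.p12 ;;
    jks) pkcs12_to_jks "$work/keystore.p12" "$STOREPASS" "$work/keystore.jks" || return 1
         art=$work/keystore.jks ;;
    pem) cat "$live/privkey.pem" "$live/fullchain.pem" > "$work/combined.pem"; art=$work/combined.pem ;;
    *)   echo "$1: unknown format '$3'" >&2; return 1 ;;
  esac
  name=$(basename "$art")
  # Stage in the remote user's home, install root-only, restart. 'service' still works on
  # CentOS 6 where systemctl does not; 'ssh -n' keeps ssh from eating the target list on stdin.
  scp -q "$art" "$2:$name.new" || return 1
  ssh -n "$2" "sudo install -m 0600 ./$name.new /etc/ssl/legacy/$name && rm -f ./$name.new \
    && sudo service $4 restart" || return 1
  rm -rf "$work"
  sleep 5   # give the service a moment before checking what it actually serves
  want=$(cert_fingerprint "$live/cert.pem"); got=$(served_fingerprint "$host" 443)
  [ "$want" = "$got" ] || { echo "$host: serving $got, expected $want" >&2; return 1; }
  echo "$host: $1 rotated ($3)"
}

main() {
  : "${RENEWED_LINEAGE:?set by certbot}" "${RENEWED_DOMAINS:?set by certbot}"
  list=$(mktemp) rc=0
  for d in $RENEWED_DOMAINS; do
    awk -v d="$d" '$1 == d { print $2, $3, $4 }' "$TARGETS" > "$list"
    while read -r target fmt service; do
      push_one "$d" "$target" "$fmt" "$service" || rc=1
    done < "$list"
  done
  rm -f "$list"; return $rc
}

# Certbot sets RENEWED_LINEAGE when it runs the hook; run by hand, this only defines functions.
if [ -n "${RENEWED_LINEAGE:-}" ]; then main; fi
```

Wire it in with --deploy-hook, or drop it into Certbot's renewal-hooks/deploy directory so it runs after every successful renewal. The chain check runs before anything is copied, and the fingerprint comparison at the end is what tells you the bounce actually picked up the new key material instead of just restarting the old one; that is the step the "cross my fingers" workflow is missing.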
Darkk_Knight@reddit
If they are web servers I'd use reverse proxy with ACME on it just to save the hassle. This way you wouldn't have to deal with the mess on those old servers.
Fatel28@reddit
This is the way
BarracudaDefiant4702@reddit
Not seeing how that will help as ACME uses the system SSL libraries, and if they are too old it's not going to work.
Fatel28@reddit
Right. You have your reverse proxy on a dedicated server and it handles the SSL for the legacy system(s).
NiiWiiCamo@reddit
Tbf, if you want to put a legacy system behind a reverse proxy, running that reverse proxy on the legacy system doesn't seem like the smart choice.
msalerno1965@reddit
This thread is like "they went thatta way!".
I don't think any of these people ever dealt with Oracle wallets.
ntrlsur@reddit
I hate Oracle Wallets. Different versions with different encryption schemes. Makes my skin crawl.
Specialist_Cow6468@reddit
It’s better to put it on another box of course but you can also get a lot of mileage out of containers here
anxiousvater@reddit
If they are running these ancient boxes, containers would be almost non-existent. Again, this is my hunch.
ArgonWilde@reddit
I'd hate to think what an old server with outdated SSL libraries is doing being a publicly accessible web server 🫣
DarkAlman@reddit
Yes
michaelpaoli@reddit
Automate the sh*t out of it, at least to the extent feasible and that it reasonably makes sense.
E.g. less than a few hours ago, I got 13 new certs (to replace soon expiring certs), covering 84 domains, 41 of those being wildcards - issued one command, obtained all the new certs in less than 14 minutes.
https://www.mpaoli.net/~mycert/
BarracudaDefiant4702@reddit
Put a reverse proxy on a different machine in front of them and have the old boxes use self-signed certs (or clear text) to the proxy server. If they are that old you don't want them directly accessed anyways...
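Added by the editor, not from any commenter: the reverse-proxy arrangement Darkk_Knight, certkit and BarracudaDefiant4702 describe, as a shell script that captures the old box's self-signed certificate once and renders an nginx site that terminates the ACME-issued certificate for clients while pinning that self-signed certificate toward the backend. Host names, ports, the Certbot live paths and the nginx file layout are assumptions.

```sh
#!/bin/sh
# Added example, not code from any poster: put an nginx reverse proxy holding the ACME
# certificate in front of a legacy box that keeps its self-signed cert, and make the
# proxy verify that exact cert rather than disabling verification. Host names, ports
# and file paths are assumptions.
set -eu

# fetch_backend_cert HOST PORT OUT
# One-time capture of the legacy box's self-signed certificate to use as the proxy's
# trust anchor. Compare the printed fingerprint with the box itself (console or ssh)
# before trusting it; this is a trust-on-first-use step. A box that only speaks TLS 1.0
# may need '-tls1' here and a lowered OpenSSL security level.
fetch_backend_cert() {
  printf '' | openssl s_client -connect "$1:$2" -servername "$1" 2>/dev/null \
    | openssl x509 -out "$3"
  openssl x509 -in "$3" -noout -subject -fingerprint -sha256
}

# render_site PUBLIC_NAME BACKEND_HOST BACKEND_PORT ANCHOR_PEM
# Prints an nginx server block. Client side: the Certbot cert for PUBLIC_NAME and
# modern TLS only. Backend side: HTTPS to the old box, verified against its own cert.
# proxy_ssl_name must equal the CN or SAN in that self-signed certificate.
render_site() {
  cat <<EOF
server {
    listen 443 ssl;
    server_name $1;

    ssl_certificate     /etc/letsencrypt/live/$1/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$1/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass https://$2:$3;
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-For \$remote_addr;
        proxy_set_header X-Forwarded-Proto https;

        # Turning verification off here would trust whatever answers on $2:$3.
        # Pin the legacy box's own certificate as the only trust anchor instead.
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        1;
        proxy_ssl_trusted_certificate $4;
        proxy_ssl_server_name         on;
        proxy_ssl_name                $2;
        # Only if the legacy box cannot negotiate TLS 1.2, and only on a private segment:
        # proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    }
}

server {
    listen 80;
    server_name $1;
    location /.well-known/acme-challenge/ { root /var/www/letsencrypt; }
    location / { return 301 https://\$host\$request_uri; }
}
EOF
}

# Usage: proxy-front.sh app.example.com 10.0.0.5 443
# Captures the anchor, writes the site file, reloads nginx only if the config passes.
if [ $# -eq 3 ]; then
  anchor=/etc/nginx/legacy-$1.pem
  fetch_backend_cert "$2" "$3" "$anchor"
  render_site "$1" "$2" "$3" "$anchor" > "/etc/nginx/conf.d/$1.conf"
  nginx -t && nginx -s reload
fi
```

The part the thread glosses over is that "leave a self-signed cert on the hidden box" usually ends up as a proxy that skips backend verification entirely. Pinning the one self-signed certificate as the trust anchor costs a single file and means a misrouted or swapped backend fails loudly instead of silently. proxy_ssl_name has to match the name inside that certificate, and if the old box genuinely cannot do TLS 1.2 the commented proxy_ssl_protocols line is the knob, with the caveat that the proxy-to-backend hop then belongs on a private network.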