The NET::ERR CERT VALIDITY TOO LONG idiocracy

From evermeet.cx Wiki
Jump to navigation Jump to search

I'm not sure what they were thinking, but the NET::ERR_CERT_VALIDITY_TOO_LONG error, or better said the reason for it, is absolutely idiotic and won't make everything safer, but rather cause the exact opposite.

For publicly available services using Let's Encrypt (or other automated TLS certificate systems) makes sense. In many private home LANs (or even corporate networks) not so much. I know, one could use acme-dns to get proper certs, but in my case not all of my systems provide an interface (I'm not talking about a UI), which means I'd have to update them manually every time a new cert is issued. Which is every 2.5 months with Let's Encrypt.

NO. A big fucking NO. I will not manually update 50+ certs (VMs, containers, services) every 2.5 months. Even a 1 year rotation schedule is not feasible.

Why do I have so many certificates? I virtualize with Proxmox and also use Docker. If you use Vault, Saltstack, Ansible, or other tools, you will need certs for those too. And don't forget your router and switches. So first you need valid certs for the infrastructure. After that you need certificates for services (web servers, web applications, Kafka, LDAP, ...).

Using my own root CA is not unsafe at all. On the contrary. I can even create certs with a longer key length than cert providers, unless Let's Encrypt started to allow 8k keys. But let's not dwell on that, because a 4k key length is usually more than enough.

However, telling me that using my own root CA and certs which are longer valid than 1 year are unsafe is a lie. It is as simple as that.

Even after adding my root CA to the trust stores of the OS and/or the browser config and making sure that the chains are valid, browsers indicate that my properly configured TLS is not safe. It does not end here. Maybe in the future command line tools like curl or reqest libraries will throw the same idiotic errors.

So what do you think will happen, thanks to this BS? People will add allow_insecure_certs flaqs or stop using TLS at all. Both of which are not a solution, but will make the environments less safe. Well done.

Retrieved from "https://evermeet.cx/wiki/index.php?title=The_NET::ERR_CERT_VALIDITY_TOO_LONG_idiocracy&oldid=805"