Good, certificates should be automated anyways. Much more reliable than the once yearly outages because nobody renewed the thing or forgot some systems.
Oh yes, let me just contact the manufacturer for this appliance and ask them to update it to support automated certificate renewa–
What’s that? “Device is end of life and will not receive further feature updates?” Okay, let me ask my boss if I can replace i–
What? “Equipment is working fine and there is no room in the budget for a replacement?” Okay, then let me see if I can find a workaround with existing equipme–
Huh? “Requested feature requires updating subscription to include advanced management capabilities?” Oh, fuck off…
Ugh. Righteous ideas about how things should work don’t change the fact that these network appliances doing it the wrong way still have years of time left before the bean counters consider them depreciated and let us replace them. Or that we’re locked into a multi-year contract with this business system that requires updating certs through a web UI.
Yes, there are almost always workarounds and ways to still automate it in the end, but then it’s a matter of effort vs stability vs time savings.
I love automating manual sysadmin actions, it’s my primary role on my team. Still, ignoring the complications that will unavoidably arise in trying automating this for every unique setup is incredibly foolish.
Technically, you shouldn’t even deploy certs to network appliances or servers but they should fetch certificates automatically from a vault. I know there’s minimal support for such things right now from some vendors, but that should be fixed by those vendors.
Even Microsoft supports such solutions in Azure both with PaaS components and Windows and Linux servers (in Azure or onprem) via extensions
cert-manager is an amazing tool for deploying certificates for containerized applications. There’s no standardized way to deploy those certs outside of containers without scripting it yourself though, unfortunately.
Good, certificates should be automated anyways. Much more reliable than the once yearly outages because nobody renewed the thing or forgot some systems.
The problem being when that can’t be easily automated? Did you read the article?
They should be automated too.
The fact that I can’t use terraform to automatically deploy certs to network appliances is a problem.
Oh yes, let me just contact the manufacturer for this appliance and ask them to update it to support automated certificate renewa–
What’s that? “Device is end of life and will not receive further feature updates?” Okay, let me ask my boss if I can replace i–
What? “Equipment is working fine and there is no room in the budget for a replacement?” Okay, then let me see if I can find a workaround with existing equipme–
Huh? “Requested feature requires updating subscription to include advanced management capabilities?” Oh, fuck off…
Ugh. Righteous ideas about how things should work don’t change the fact that these network appliances doing it the wrong way still have years of time left before the bean counters consider them depreciated and let us replace them. Or that we’re locked into a multi-year contract with this business system that requires updating certs through a web UI.
Yes, there are almost always workarounds and ways to still automate it in the end, but then it’s a matter of effort vs stability vs time savings.
I love automating manual sysadmin actions, it’s my primary role on my team. Still, ignoring the complications that will unavoidably arise in trying automating this for every unique setup is incredibly foolish.
Technically, you shouldn’t even deploy certs to network appliances or servers but they should fetch certificates automatically from a vault. I know there’s minimal support for such things right now from some vendors, but that should be fixed by those vendors.
Even Microsoft supports such solutions in Azure both with PaaS components and Windows and Linux servers (in Azure or onprem) via extensions
True.
cert-manager is an amazing tool for deploying certificates for containerized applications. There’s no standardized way to deploy those certs outside of containers without scripting it yourself though, unfortunately.
Good incentive for the provider to fix it or go out of business.