I’m using Let’s Encrypt as Certificate Authority on this and many other sites. I like it, as it allows me to automate certificate creation and renewals; however, I also have some monitoring making sure everything works as expected. I recently got a few alerts as some certificates weren’t renewed as expected. I figured nothing had changed on the server setup and renewal had been happening for a few days, so I started looking into it and found the reason the renewal was failing. Here’s the story.
As the web moves more and more to HTTPS and enhanced security (such as HSTS), keeping your certificates updated and valid becomes more and more important. I’m toying with the idea of building a small webapp to monitor my small portfolio of certificates and warn me if a certificate is due to expire. As part of this, I’m slowly patching pieces together in Go, and one of the small useful outcomes is a small (compilable to bin) script which prints the basic certificate details of a given domain.
I’ve been having an odd issue for a couple of months. When accessing sites on a .dev domain (most recently go.dev), my browsers have given me warnings and, as many of them had HSTS headers, have not allowed me to visit the site. It seemed like a strange error, and I’ve tried to remember if I’ve set up some proxy or VPN connection that could cause this issue. A few times I’ve asked others on the net if they had issues - which was not the case - and I’ve tried using a web proxy, and everything worked.
I switched nameservers for all my domains yesterday. During the past many years I’ve been free-riding on GratisDNS and enjoying their free DNS service (and luckily never needed support in their forums). Yesterday I switched to Cloudflare, and I’m using them for DNS for this (and other) domains. I don’t have any particular requirements, and the switch was mostly easy and automated to the extent possible. Two domains went smoothly, but the last my mahler.
Get your company implementing DMARC now… During the past 5-6 years, email industry efforts have been pushing the DMARC standard along. It provides the best widely supported and seemingly efficient way to - as a domain owner - protect the domain from misuse and abuse in terms of spam and phishing attacks. As sending email has often been a wild west, and knowing who is a valid sender of email may prove a challenge for many companies - and as most IT developers do seem to care too much about the finer details of email (and produce just as bad email headers as HTML markup :-) ) - implementing DMARC protection on your domain may actually be a challenge.