undefined | Better HN

0 pointsat_a_remove6y ago0 comments

1) Not everything is running bare Apache. In fact, some services might have some rather strange web-driven GUI (or, more interestingly, curses-like) that requires you to carefully load a certificate, a CSR, and so forth in a somewhat arcane manner. Some pretty niche serving exists out there and I have had to deal with a bunch of them, to the point where I had to write extensive documentation on keeping the certificates up to date on each separate weird service. Many of these services have a "no user-servicable parts inside, your warranty will be voided ..." clauses in the service contract which deter spelunking.

2) Some services require wildcards, like proxies.

3) Some organizations have, due to someone far away making strange decisions, policies about certificate authorities, and people to audit for compliance. Therefore, a cert costs money and, for a site which is purely informational, that's a hard sell.

4) Because we're not running on a hosting provider, a VPS, containers, or cloud.

5) Because not everyone wants to deal with some combination of the above every three months due to Let's Encrypt's expiration policy.

0 comments

necovek6y ago

I generally run apache/nginx in front of most things for SSL termination — this allows you to simplify SSL setup significantly.

j / k navigate · click thread line to collapse

0 pointsat_a_remove6y ago0 comments

2) Some services require wildcards, like proxies.

4) Because we're not running on a hosting provider, a VPS, containers, or cloud.

5) Because not everyone wants to deal with some combination of the above every three months due to Let's Encrypt's expiration policy.