I think the default certificate expiration time (2 years) is a terrible idea. It's long enough that there's a good chance whoever registered the cert last time has left the team or the company. It's long enough that I've forgotten how to generate a certificate with openssl on the command line. And it's long enough that each time, I (and everyone else) can justify not bothering to automate the process.

But 2 years is still short enough that if you have a couple of domains, remembering to renew them is an ongoing hassle!

Let's Encrypt certificates last 90 days, and they recommend renewing them every 60 days. This is a much better duration, because it encourages the entire ecosystem - developers and admins - to set up processes which automate renewal. And if the automated renewal process fails, Let's Encrypt starts emailing you about it to let you know your certificate is about to expire. (And you have enough time to fix it.)

https://letsencrypt.org/2015/11/09/why-90-days.html
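The comment above argues that short-lived certificates only work if expiry is watched by a process rather than by someone's memory. The following is an added example of such a check, written for this thread; it is not code from any commenter, from Let's Encrypt or from certbot. It parses the Validity field straight out of a DER-encoded X.509 certificate (no third-party library), reports the whole days left until notAfter, and classifies the result using an assumed threshold of 30 days remaining, which is where the "renew every 60 days on a 90-day certificate" cadence puts the renewal point. The certificate it runs on is a constructed skeleton built by `build_skeleton_cert` (empty names, no key, placeholder signature) so the script runs offline; a real certificate can be fed in as PEM through `pem_to_der`.

```python
import base64
import datetime as dt
import re

# --- minimal DER helpers, used both to build the constructed test input and to parse it ---

def _der_len(n):
    """Encode a DER length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag, body):
    """Encode one tag-length-value element."""
    return bytes([tag]) + _der_len(len(body)) + body

def der_seq(*parts):
    return der(0x30, b"".join(parts))

def der_utctime(t):
    """UTCTime (tag 0x17), the encoding RFC 5280 requires for dates before 2050."""
    return der(0x17, t.strftime("%y%m%d%H%M%SZ").encode("ascii"))

def _read_tlv(buf, pos):
    """Decode the element starting at pos; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start = pos + hdr
    if start + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[start:start + length], start + length

def _children(body):
    """Split a constructed element's body into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        out.append((tag, val))
    return out

def _parse_time(tag, val):
    s = val.decode("ascii")
    if tag == 0x17:      # UTCTime: YYMMDDHHMMSSZ (strptime's %y pivot is 1969, RFC 5280's is 1950)
        t = dt.datetime.strptime(s, "%y%m%d%H%M%SZ")
    elif tag == 0x18:    # GeneralizedTime: YYYYMMDDHHMMSSZ, used for years 2050 and later
        t = dt.datetime.strptime(s, "%Y%m%d%H%M%SZ")
    else:
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return t.replace(tzinfo=dt.timezone.utc)

def pem_to_der(pem_text):
    """Strip the BEGIN/END CERTIFICATE armour and whitespace, then base64-decode."""
    return base64.b64decode(re.sub(r"-----(BEGIN|END) CERTIFICATE-----|\s", "", pem_text))

def validity(cert_der):
    """Return (notBefore, notAfter) as aware UTC datetimes from a DER X.509 certificate."""
    tag, cert_body, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a certificate SEQUENCE")
    tbs_tag, tbs, _ = _read_tlv(cert_body, 0)      # tbsCertificate is the first child
    if tbs_tag != 0x30:
        raise ValueError("malformed tbsCertificate")
    fields = _children(tbs)
    if fields and fields[0][0] == 0xA0:             # explicit [0] version is absent in v1 certs
        fields = fields[1:]
    # order is now: serialNumber, signature, issuer, validity, subject, ...
    vtag, vbody = fields[3]
    if vtag != 0x30:
        raise ValueError("malformed validity")
    (nb_tag, nb), (na_tag, na) = _children(vbody)
    return _parse_time(nb_tag, nb), _parse_time(na_tag, na)

def days_remaining(cert_der, now):
    """Whole days until notAfter; negative once the certificate has expired."""
    return (validity(cert_der)[1] - now).days

def renewal_status(days, renew_at=30):
    """Assumed policy: renew once fewer than renew_at days remain (60-of-90 cadence)."""
    if days < 0:
        return "expired"
    if days < renew_at:
        return "renew"
    return "ok"

def utc(year, month, day):
    return dt.datetime(year, month, day, tzinfo=dt.timezone.utc)

def build_skeleton_cert(not_before, not_after):
    """Constructed test input: a certificate skeleton with only the fields the parser
    walks. It is NOT a valid, signed certificate (empty names, empty key, dummy signature)."""
    alg = der_seq(der(0x06, bytes.fromhex("2a864886f70d01010b")), der(0x05, b""))  # sha256WithRSAEncryption, NULL
    tbs = der_seq(
        der(0xA0, der(0x02, b"\x02")),   # [0] version = v3
        der(0x02, b"\x01"),              # serialNumber
        alg,                             # signature algorithm
        der_seq(),                       # issuer: empty placeholder Name
        der_seq(der_utctime(not_before), der_utctime(not_after)),
        der_seq(),                       # subject: empty placeholder Name
        der_seq(),                       # subjectPublicKeyInfo: empty placeholder
    )
    return der_seq(tbs, alg, der(0x03, b"\x00"))  # signatureValue: empty BIT STRING placeholder

if __name__ == "__main__":
    now = dt.datetime.now(dt.timezone.utc).replace(microsecond=0)
    cert = build_skeleton_cert(now - dt.timedelta(days=70), now + dt.timedelta(days=20))
    days = days_remaining(cert, now)
    print("days remaining: %d -> %s" % (days, renewal_status(days)))
```

To run it against a real certificate, pass the PEM text of the served chain's leaf through `pem_to_der` and the result through `days_remaining`; whatever invokes the script (cron, a monitoring agent) then alerts on "renew" and pages on "expired", which is the gap an email from the CA only partially covers.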
While I appreciate TLS, this thing with certificate expiration is one of the biggest sources of downtime IMO. Something should be done about it. Maybe throw an error not permanently but in some probabilistic way. Like if a 1 year certificate expired, after 3 months 25% of connections would fail. It'll eventually allow finding out about the problem, but it'll allow connections to somewhat work, with a few retries here and there. An expired certificate is not a compromised certificate and should not be treated like one. Often the next certificate is issued with the same private key.

Especially with short-lived Let's Encrypt certificates. Despite all the evangelists' assurances, certbot is not always easy to set up. After Let's Encrypt gained popularity, the percentage of small websites with expired certificates significantly increased IMO.
Reminds me of that time the regular guy, might've been a student, re-registered hotmail.com just to get his email working again after Microsoft let it expire.

Oh, looks like it was either hotmail.co.uk or passport.com

https://slashdot.org/story/99/12/25/114201/microsoft-hotmailpassport-service-interruptedupdated

from

https://whoapi.com/blog/5-all-time-domain-expirations-in-internets-history/
Looking at crt.sh (https://crt.sh/?q=cdn.winget.microsoft.com), it seems that the certificate is issued automatically anyway, but for some reason the updated certificate is not applied correctly. A bad screwup really, but more a case of someone forgetting to check their logs for deployment errors than the common case of someone forgetting to manually update the certificate.
We're working on renewing the certificate. It looks like this is the first report: https://github.com/microsoft/winget-cli/issues/2956
Why would anyone standardize on winget when there's chocolatey and it works everywhere you can run Windows software?

Recently I decided to install Windows Server on one of my PCs instead of Windows 10/11. I thought, why not attempt to use winget and/or the Windows App Store to install basic software to see how far that takes me.

Immediate dead end. Apparently there's no access to the App Store on Windows Server. You have to have your IT set it up. And all the documentation refers to using winget from the App Store. :/ Microsoft, I can't even with you right now.

With Windows Server 2022, apparently you can get winget to work, but you have to install something else or other that's in preview.

For real, guys. Please get with the program.

Possible workarounds:
Anything that's a workaround is already a non-starter for me because I'm not trying to experiment to see what I can get to work. I'm trying to move to using a new norm so I don't get left behind. If Microsoft was pushing winget as the new norm for global silent command-line installations of all things Windows, as an alternative to Chocolatey, great! I would have given it a try. Other than that, imma just wait until y'all get your act together, someday-maybe.
Microsoft's certificate management skills have gone down the drain anyway, so this doesn't surprise me. I have a long-standing support case open with them about how they ship one of their more obscure tools signed with the wrong code signing certificate (one signed by their PKI for Azure INTERNAL usage, which should have everyone a tiny bit worried), and I've pretty much given up on trying to get the quite-obviously-on-an-H1B developer (which I mention only to explain that this PROBABLY leads to a perverse incentive to sweep things under the rug), or any of the Indian support agents involved, to comprehend that this isn't just inconvenient when one has AppLocker in place, but also that it violates Microsoft's internal policies (which I know for a fact that it does), and MSRC ignored my email about it, too, so… par for the course. ¯\_(ツ)_/¯
ITT: Lots of people feigning ignorance about how companies work, or who have literally never worked for a large company before.

And hilariously thinking Microsoft would spin up a critical incident team for a free open-source product. I'm rolling on the floor laughing.