I know plenty account SNI already, but thanks. You might want to study more yourself, since we’re being condescending.

https://blog.cloudflare.com/encrypted-sni/

So now your ISP sees all of your queries instead of CF. (Assuming the cloudflared option is using DoH)

I’ll trust Cloudflare over Comcast/AT&T/etc. any day of the week.

Hyper-V is decent. It’s VMM that is atrocious. Hopefully you don’t have Citrix with MCS catalogs.

Yeah, but that security patch level.

I believe you. I’m just saying their non-firewalls (i.e., switches and APs) don’t have that limitation.

My firewall is a Fortigate 60F.

I would never use their firewalls/gateways, but their switches are pretty good for the price and their APs are decent (although tbh after 3 generations my next AP will likely be an enterprise Aruba).

That said, I still use Unifi in docker, everything is up to date, and nothing is requiring a sign-in to the cloud. Am I missing something? If it’s just the firewalls, then I’m not surprised since I’ve never been remotely tempted to use them, but it sure isn’t all of their devices.

Do you even know what an electrolyte is?!

In Chromium browsers you can simply type “thisisunsafe” to bypass even HSTS failures.

They mean CAA records:

https://developers.cloudflare.com/ssl/edge-certificates/caa-records/

And conversely, when we lose weight the vast majority is exhaled as CO2, not excreted as liquid or solid waste.

You need to demand a raise. And keep working from home.

Right, because international hackers are going to mobilize boots on the ground across the world to steal your fucking Optiplex.

In that case, if CF is taking to Traefik and not the actual origin server, you just need to forget about the origin certs altogether and use LE certs in Traefik.

If you, Traefik, and your origin server are on the same network, then it’s going to be one hop regardless of whether you’re hitting the Traefik proxy or the origin server. If Traefik is serving up the origin server’s cert and not the LE cert, then Traefik is misconfigured to pass through instead of proxy, but I’m still not sure that’s the case as it’s almost harder to configure it that way than the correct way as a proxy.

What IP:port is your origin server listening on, what IP:port is Traefik listening on, and how is Traefik configured to reach the origin server?

You said Traefik is getting certs from Cloudflare, but do you mean it’s getting Let’s Encrypt certs using a CF DNS challenge? And if that is the case, then your browser should trust the Traefik endpoint since LE certs are publicly trusted.

Are you sure you’re hitting Traefik when you get a cert warning? You need to update your internal DNS if not.

https://www.scribd.com/doc/228831637/Optimal-Tip-to-Tip-Efficiency

Yep totally. The documentation is downright wrong so much more today than it used to be. It’s all written like they pawned it off on a junior engineer, who then threw shit at the wall until they got it working, then that process becomes the official documentation.

And don’t get me started on Copilot hallucinating Powershell cmdlets.

With support it’s become kind of a game to see how quick you can get to T2. My tactic is to passive aggressively point out how their first response shows a complete lack of understanding of the topic, then directly request escalation.

The reality is they probably don’t know the full scope or root cause and are going off of limited reporting coming from their beta channels.

But they likely determined the impact was low enough that they could still ship the update while they investigate further.

There are similar known issues reported in the update KBs all the time that sound much worse to me as an admin but are as equally low impact in the end. But they’re not as easy for the layperson to latch onto like these low-effort “VPN no worky” articles.

Regardless, none of this absolves IT of the responsibility of testing patches.