Yes certs expire (expiration is configurable). Large deployments will run an online CA that has some external means of verifying the identity of a host.
Rotation is straight forward. Add the new cert and reload the process (no restart required). Large deployments automate this process (which is easy with an online CA).
5 comments
[ 5.1 ms ] story [ 27.0 ms ] threadhttps://barim.us/post/2022-07-13-experimenter-nebula-mesh-pa...
Submitted 30 days ago: https://news.ycombinator.com/item?id=33123953 (sadly, no discussion)
This is a nice write-up covering getting going with Nebula in real life!
There was a mega discussion of Slack's Nebula 3 years ago after it was initially open sourced:
https://news.ycombinator.com/item?id=21575614 (213 points, 66 comments)
WireGuard was discussed in the context of Nebula:
https://news.ycombinator.com/item?id=21577344
My takeaway then and now remains the same; I'm not clear on which circumstances Nebula would be preferable to WireGuard.
All the SSL certificate management with Nebula seems like a potential operational pain in the neck.
I don't know for WireGuard but generating the certificate for a new host to join the mesh in Nebula is one command
Rotation is straight forward. Add the new cert and reload the process (no restart required). Large deployments automate this process (which is easy with an online CA).