Six day and IP address certificate options in 2025

(letsencrypt.org)

197 points SGran | 2 comments | 16 Jan 25 15:36 UTC | HN request time: 0s | source

Show context

rickette ◴[16 Jan 25 19:32 UTC] No.42729799[source]▶

Kinda funny to call the current 90 day certs "long lived". When Let's Encrypted started out more than 10 years ago most certs from major vendors had a 1 year life span. Let's Encrypt was (one of) the first to use drastically shorter life spans, hence all the ACME automation effort.

replies(3): >>42730254 #>>42730324 #>>42735256 #

ryandrake ◴[16 Jan 25 20:10 UTC] No.42730254[source]▶

>>42729799 #

To someone like me with hobby-level serving needs, the 90 day certificate life is pretty inconvenient, despite having automation set up. I run a tiny VPS that hosts basic household stuff like e-mail and a few tiny web sites for people, and letsencrypt/certbot automation around certificate renewal is the only thing that I seem to need to regularly babysit and log in to manually run/fix. Everything else just hums along, but I know it's been 90 days because I suddenly can't connect to my E-mail or one of the web virtual hosts went down again. And sure enough, I just need to run certbot renew manually or restart lighttpd or whatever.

replies(16): >>42730288 #>>42730534 #>>42730907 #>>42731093 #>>42731446 #>>42731761 #>>42731830 #>>42731926 #>>42731977 #>>42732175 #>>42732403 #>>42732552 #>>42733057 #>>42733861 #>>42734330 #>>42735479 #

1. Dries007 ◴[16 Jan 25 20:35 UTC] No.42730534[source]▶

>>42730254 #

For me it's only ever an issue if I stop renewing a domain, which triggers issues somewhere next renewal and now nginx doesn't reload.

Other than that, I've never had to babysit certbot. It's just a systemd timer job.

replies(1): >>42730916 #

2. ◴[16 Jan 25 21:07 UTC] No.42730916[source]▶

>>42730534 (TP) #

↑