197 points SGran | 7 comments
ray_v ◴[] No.42730957[source]
This feels like a disaster waiting to happen -- like what happens if (when?) Let's Encrypt suffers a significant outage and sites can't refresh certificates? Do we just tolerate a significant portion of the Internet being down or broken due to expired certificates? And for what tradeoff? A very small amount of extra security? Is this because certificate revocation is a harder problem to solve / implement at Internet scale?
replies(3): >>42731183 #>>42731333 #>>42733764 #
1. arianvanp ◴[] No.42731183[source]
A 7-day outage seems rather unlikely, no?
replies(1): >>42731286 #
2. pilif ◴[] No.42731286[source]
On average, half of the certs would expire in half of the time. A 3.5-day sustained DDoS attack would cause half of the sites using a 6-day certificate to be offline.
replies(1): >>42731483 #
3. zzyzxd ◴[] No.42731483[source]
I am not saying 6 days is long enough, but if your automation always waits until the last minute to renew certs, you may have more issues to worry about than the CA's availability. If I am going to use a cert with a 6-day lifetime, I will be renewing it at least once a day.
replies(1): >>42731637 #
4. ncruces ◴[] No.42731637{3}[source]
Yeah, that conflicts with their rate limits, which I hope they'll revise under this scheme.

https://letsencrypt.org/docs/rate-limits/

For the “exact same set of hostnames” (aka. renewals) the rate limit is 5 certificates every 7 days.

So you could do it every other day, if you can make sure there's only one client doing it.

And they're very clear this is a global limit: creating multiple accounts doesn't subvert it.

So you'll need to manage this centrally, if you have multiple hosts sharing a hostname.

replies(1): >>42733780 #
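A small model of the trade-off discussed in the comments above (renewal frequency versus the rate limit and a CA outage), as an added example that is not from any commenter or from Let's Encrypt. It assumes the 5-per-7-days limit quoted above behaves as a sliding window, that rejected requests do not count against it, and that certificate ages are spread uniformly when an outage starts; all function names are hypothetical.

```python
# Added example: a constructed model, not Let's Encrypt's real limiter.
LIFETIME_H = 6 * 24   # 6-day certificate lifetime (from the thread)
LIMIT = 5             # certificates per window for one exact hostname set (from the thread)
WINDOW_H = 7 * 24     # 7-day window, modelled as a sliding window (assumption)


def simulate(request_times_h):
    """Replay issuance requests for one hostname set.

    Returns (accepted_times, rejected_times). Assumption: rejected
    requests do not count against the limit.
    """
    accepted, rejected = [], []
    for t in sorted(request_times_h):
        in_window = [a for a in accepted if a > t - WINDOW_H]
        (accepted if len(in_window) < LIMIT else rejected).append(t)
    return accepted, rejected


def max_gap_h(accepted):
    """Longest wait between two successful issuances, in hours."""
    return max(b - a for a, b in zip(accepted, accepted[1:]))


def fraction_expired(outage_h, renew_every_h):
    """Share of sites with an expired cert after a CA outage.

    Assumes cert ages are spread uniformly over [0, renew_every_h) when the
    outage starts and that no issuance succeeds until it ends.
    """
    margin = LIFETIME_H - renew_every_h   # spare lifetime of the oldest cert
    return min(1.0, max(0.0, (outage_h - margin) / renew_every_h))


def schedule(every_h, offset_h=0, horizon_h=28 * 24):
    """Request times (hours) for one client renewing on a fixed interval."""
    return list(range(offset_h, horizon_h, every_h))


if __name__ == "__main__":
    cases = {
        "one client, daily": schedule(24),
        "one client, every other day": schedule(48),
        "two uncoordinated clients, every other day": schedule(48) + schedule(48, 24),
    }
    for name, times in cases.items():
        ok, denied = simulate(times)
        print(f"{name}: {len(denied)} rejected, longest gap {max_gap_h(ok)} h")
    for every in (LIFETIME_H, 48, 24):
        print(f"renew every {every} h: {fraction_expired(84, every):.0%} expired after a 3.5-day outage")
```

In this model, rejected renewals stretch the longest gap between successful issuances, and that gap is what determines how much lifetime is left when an outage begins.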
5. Cerium ◴[] No.42733780{4}[source]
If you have multiple hosts the set should not be the same, no? From the linked page the comparison is a set comparison: one host at hosta.example.com and one host at hostb.example.com each with their own cert bot won't conflict.
replies(1): >>42742609 #
6. ncruces ◴[] No.42742609{5}[source]
You never host the same website on two servers?
replies(1): >>42747522 #
7. pilif ◴[] No.42747522{6}[source]
The servers could share the private key and certificate, though.