
197 points SGran | 2 comments
ray_v No.42730957
This feels like a disaster waiting to happen -- like what happens if (when?) Let's Encrypt suffers a significant outage and sites can't refresh certificates? Do we just tolerate a significant portion of the Internet being down or broken due to expired certificates? And for what tradeoff? A very small amount of extra security? Is this because certificate revocation is a harder problem to solve / implement at Internet scale?
replies(3): >>42731183 #>>42731333 #>>42733764 #
mholt No.42731333
Fortunately, most ACME clients, including my own, support other CAs as fallbacks. (Caddy's ACME stack falls back to ZeroSSL by default, automatically.)

That, and extended week-long outages are extremely unlikely.

replies(3): >>42731371 #>>42732112 #>>42736631 #
deathanatos No.42731371
> That, and extended week-long outages are extremely unlikely.

You only need the outage to last for the window of [begin renewal attempts, expiration], not the entire 6d lifetime.

For example, with the 90d certs, I think cert-manager defaults to renewal at 30d out. Let's assume the same grace, of ~33% of the total life, for the 6d certs: that means renew at 2d out. So if an outage persisted for 2d, those certs would be at risk of expiring.

replies(1): >>42731975 #
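As an added illustration of the renewal-window arithmetic in the comment above (example code written for this page, not from any commenter, cert-manager or Caddy), the Python below computes the at-risk window for a given certificate lifetime and checks whether a CA outage would let the certificate lapse, with or without a fallback CA in the client's list. The one-third-of-lifetime renewal default, the CA names and the outage intervals are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class Cert:
    not_before: datetime
    not_after: datetime

    @property
    def lifetime(self) -> timedelta:
        return self.not_after - self.not_before


def renewal_start(cert: Cert, remaining_fraction: float = 1 / 3) -> datetime:
    """Instant at which a client begins renewal attempts: when `remaining_fraction`
    of the lifetime is left (assumed default; 90d/30d corresponds to 1/3)."""
    return cert.not_after - cert.lifetime * remaining_fraction


def at_risk_window(cert: Cert, remaining_fraction: float = 1 / 3) -> timedelta:
    """How long a total CA outage must last, starting at renewal_start, to expire the cert."""
    return cert.not_after - renewal_start(cert, remaining_fraction)


def can_renew(cert: Cert, ca_outages: dict, remaining_fraction: float = 1 / 3) -> bool:
    """True if some CA is reachable at some instant in [renewal_start, not_after).

    ca_outages maps a CA name to a list of (start, end) outage intervals; a CA with
    an empty list is always up. A client retrying periodically would succeed at any
    instant where at least one CA is up, so we only need existence, not duration."""
    w_start, w_end = renewal_start(cert, remaining_fraction), cert.not_after
    if w_start >= w_end or not ca_outages:
        return False
    # Split the window at every outage boundary; availability is constant within
    # each piece, so checking the midpoint of each piece is exact.
    points = {w_start, w_end}
    for intervals in ca_outages.values():
        for s, e in intervals:
            for p in (s, e):
                if w_start < p < w_end:
                    points.add(p)
    pts = sorted(points)
    for a, b in zip(pts, pts[1:]):
        mid = a + (b - a) / 2
        for intervals in ca_outages.values():
            if not any(s <= mid < e for s, e in intervals):
                return True  # this CA is up at `mid`
    return False


if __name__ == "__main__":
    # Constructed sample: a 90-day cert and a 6-day cert issued on the same day.
    t0 = datetime(2025, 1, 1, tzinfo=UTC)
    cert90 = Cert(t0, t0 + timedelta(days=90))
    cert6 = Cert(t0, t0 + timedelta(days=6))
    print("90d at-risk window:", at_risk_window(cert90))  # 30 days
    print("6d  at-risk window:", at_risk_window(cert6))   # 2 days

    # Constructed outage: the primary CA is down from day 4 through day 8.
    primary_down = [(t0 + timedelta(days=4), t0 + timedelta(days=8))]
    print("6d cert, single CA:", can_renew(cert6, {"primary": primary_down}))
    print("6d cert, with fallback:",
          can_renew(cert6, {"primary": primary_down, "fallback": []}))
```

The `can_renew` check models the point made about fallbacks: with only one CA configured, an outage that spans the whole renewal window expires the 6-day certificate, while a second CA with no outage keeps it renewable even if the primary never recovers in time.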
mholt No.42731975
True, but it doesn't matter since competent clients should be falling back to other CAs anyway.
replies(1): >>42732134 #
bmicraft No.42732134
Sounds like a surefire way to DDOS the next CA in line (and then all the others), since supposedly they wouldn't be prepared for that kind of traffic since LetsEncrypt is currently the default choice almost everywhere.