←back to thread

Six day and IP address certificate options in 2025

(letsencrypt.org)
197 points SGran | 2 comments | 16 Jan 25 15:36 UTC | HN request time: 0s | source
Show context
rickette ◴[16 Jan 25 19:32 UTC] No.42729799[source]
Kinda funny to call the current 90 day certs "long lived". When Let's Encrypted started out more than 10 years ago most certs from major vendors had a 1 year life span. Let's Encrypt was (one of) the first to use drastically shorter life spans, hence all the ACME automation effort.
replies(3): >>42730254 #>>42730324 #>>42735256 #
ryandrake ◴[16 Jan 25 20:10 UTC] No.42730254[source]
To someone like me with hobby-level serving needs, the 90 day certificate life is pretty inconvenient, despite having automation set up. I run a tiny VPS that hosts basic household stuff like e-mail and a few tiny web sites for people, and letsencrypt/certbot automation around certificate renewal is the only thing that I seem to need to regularly babysit and log in to manually run/fix. Everything else just hums along, but I know it's been 90 days because I suddenly can't connect to my E-mail or one of the web virtual hosts went down again. And sure enough, I just need to run certbot renew manually or restart lighttpd or whatever.
replies(16): >>42730288 #>>42730534 #>>42730907 #>>42731093 #>>42731446 #>>42731761 #>>42731830 #>>42731926 #>>42731977 #>>42732175 #>>42732403 #>>42732552 #>>42733057 #>>42733861 #>>42734330 #>>42735479 #
lowsong ◴[16 Jan 25 23:17 UTC] No.42732175[source]
I'm used to certs in Kubernetes, so even 6 days is long-lived. 20 minutes is more like it.
replies(1): >>42732207 #
1. Aachen ◴[16 Jan 25 23:20 UTC] No.42732207{3}[source]
Doesn't that run into their rate limits if you generate a certificate every few minutes all the time? Or at least might be a burden, even if it didn't hit an absolute limit. (I'm assuming you're not the only person in the world doing this, so I mostly mean the collective effect this sort of usage pattern has)
replies(1): >>42732243 #
2. lowsong ◴[16 Jan 25 23:25 UTC] No.42732243[source]
Sorry, I should have clarified. You can't do certificates that fast on Let's Encrypt no. I meant running a custom CA inside/alongside Kubernetes, and using that to issue 20-minute validity certs to pods.