Six day and IP address certificate options in 2025

(letsencrypt.org)

197 points SGran | 5 comments | 16 Jan 25 15:36 UTC | HN request time: 0.43s | source

Show context

rickette ◴[16 Jan 25 19:32 UTC] No.42729799[source]▶

Kinda funny to call the current 90 day certs "long lived". When Let's Encrypted started out more than 10 years ago most certs from major vendors had a 1 year life span. Let's Encrypt was (one of) the first to use drastically shorter life spans, hence all the ACME automation effort.

replies(3): >>42730254 #>>42730324 #>>42735256 #

ryandrake ◴[16 Jan 25 20:10 UTC] No.42730254[source]▶

>>42729799 #

To someone like me with hobby-level serving needs, the 90 day certificate life is pretty inconvenient, despite having automation set up. I run a tiny VPS that hosts basic household stuff like e-mail and a few tiny web sites for people, and letsencrypt/certbot automation around certificate renewal is the only thing that I seem to need to regularly babysit and log in to manually run/fix. Everything else just hums along, but I know it's been 90 days because I suddenly can't connect to my E-mail or one of the web virtual hosts went down again. And sure enough, I just need to run certbot renew manually or restart lighttpd or whatever.

replies(16): >>42730288 #>>42730534 #>>42730907 #>>42731093 #>>42731446 #>>42731761 #>>42731830 #>>42731926 #>>42731977 #>>42732175 #>>42732403 #>>42732552 #>>42733057 #>>42733861 #>>42734330 #>>42735479 #

1. xorcist ◴[16 Jan 25 23:43 UTC] No.42732403[source]▶

>>42730254 #

I don't know what your issues are, but perhaps the know-it-all people who comments on this with a variation of "you're doing it wrong" or a problem of "not enough automation" could cool down a bit and realize the web PKI is hacks build from hacks and there are many reasons why the public ACME system may not be entirely robust for every application.

On the top of my head, that could be because one or more domains are not accessible from the public Internet (which could be for a variety of reasons), a subset of the subject domains having expired for legitimate reasons but you might not know which in advance (certificates being what they are some application rely on them having alternative names), intermittently flaky routing (which might not be a problem for the application), and a number of other reasons. That's without including potentially hostile actors. Then there are plenty of offline uses for certificates!

That said, Let's Encrypt has really been a revolution and made life better for many people. But it's not perfect and the PKI system itself has many warts. It's absolutely a system that may need a non negligible amount of babysitting when you venture outside the absolute mainstream.

replies(1): >>42732499 #

2. tptacek ◴[16 Jan 25 23:56 UTC] No.42732499[source]▶

>>42732403 (TP) #

If you're using LetsEncrypt without automation you're doing it wrong, and the reason that the WebPKI is so hacky is that it was insulated from basic computer science for 2 decades and run by enterprise software companies.

You have to automate certificates. You can't do these by hand anymore. Certificate lifetimes are going to get inexorably shorter.

replies(2): >>42732950 #>>42739087 #

3. xorcist ◴[17 Jan 25 01:08 UTC] No.42732950[source]▶

>>42732499 #

Not really. PKI has always been that way since before the web. Mainly because the use cases are so varied and it there is the tendency to support every possibility under the sun.

For the longest time the web PKI lacked a singular view on what exactly they were supposed to be signing. Its usage reflects that.

That is deeply rooted in culture. I mean, we do speak about a culture in which X.509 was a reasonable choice. Years after the X.500 universe was cold to the touch at that.

The rest of your comment seems directed at someone else. Framing this on automation is misleading, which is what the examples in my comment were intended to show.

4. ryandrake ◴[17 Jan 25 15:56 UTC] No.42739087[source]▶

>>42732499 #

Wow, I came back to this thread and it unexpectedly blew up. Looks like my experience is not normal and L.E. is not flaky for anyone else on HN. Who knew my simple 6 line shell script has been buggy for a decade.

I guess if you zoom out, one of the things I bristle with is LetsEncrypt's opinionated way of changing people's behavior. The short certificates were a deliberate decision, done to "get users to do X." They were pretty transparent about it. In my view, computers should do what users want them to do, not what developers want users to do. We've got enough software out there with notifications and consent dialogs begging users to do this and that, and this just adds to the problem.

I get that the software is free (which was a revolution in the PKI world at the time), but the short lifespan seems to be either a behavior modification experiment OR an annoyance to get people to fork over money for the better (better for users, not necessarily for security), longer-lived products.

replies(1): >>42740379 #

5. tptacek ◴[17 Jan 25 17:04 UTC] No.42740379{3}[source]▶

>>42739087 #

The short certificates aren't just a random opinion LetsEncrypt had that they decided to inflict on everybody; it's a recognition of the fact that revocation doesn't work, and so it's important to reduce the blast radius of a compromised certificate. There's now a broad consensus on this in the field. I understand your frustration, but you're going to have to get used to this one.

It is, pretty obviously, not a weird scheme to get you to pay for certificates at some other CA.

↑