←back to thread

Six day and IP address certificate options in 2025

(letsencrypt.org)
197 points SGran | 1 comments | 16 Jan 25 15:36 UTC | HN request time: 0.233s | source
Show context
ray_v ◴[16 Jan 25 21:11 UTC] No.42730957[source]
This feels like a disaster waiting to happen -- like what happens if (when?) Let's Encrypt suffers a significant outage and sites can't refresh certificates? Do we just tolerate a significant portion of the Internet being down or broken due to expired certificates? And for what tradeoff? A very small amount of extra security? Is this because certificate revocation is a harder problem to solve / implement at Internet scale?
replies(3): >>42731183 #>>42731333 #>>42733764 #
1. Arnavion ◴[17 Jan 25 03:23 UTC] No.42733764[source]
I agree. Anecdotally, the last time LE had an outage that prevented my cert from renewing, it took about ~4.5 days from when I reported the issue to them to when they started looking and provided a workaround. Since this was a 90-day cert it still had 30 days left on it, so I wasn't worried. If it had been a 6-day cert and only had 2 days left on it, I would've had to go to red alert and switch to another CA ASAP.

https://community.letsencrypt.org/t/post-to-new-order-url-fa...

If they do start providing 6-day certs I hope their turnaround on issue reports is faster than that (and ideally have something better for reporting issues than a community forum where you have to suffer clueless morons spamming your thread).