←back to thread

Six day and IP address certificate options in 2025

(letsencrypt.org)
197 points SGran | 1 comments | 16 Jan 25 15:36 UTC | HN request time: 0s | source
Show context
rickette ◴[16 Jan 25 19:32 UTC] No.42729799[source]
Kinda funny to call the current 90 day certs "long lived". When Let's Encrypted started out more than 10 years ago most certs from major vendors had a 1 year life span. Let's Encrypt was (one of) the first to use drastically shorter life spans, hence all the ACME automation effort.
replies(3): >>42730254 #>>42730324 #>>42735256 #
ryandrake ◴[16 Jan 25 20:10 UTC] No.42730254[source]
To someone like me with hobby-level serving needs, the 90 day certificate life is pretty inconvenient, despite having automation set up. I run a tiny VPS that hosts basic household stuff like e-mail and a few tiny web sites for people, and letsencrypt/certbot automation around certificate renewal is the only thing that I seem to need to regularly babysit and log in to manually run/fix. Everything else just hums along, but I know it's been 90 days because I suddenly can't connect to my E-mail or one of the web virtual hosts went down again. And sure enough, I just need to run certbot renew manually or restart lighttpd or whatever.
replies(16): >>42730288 #>>42730534 #>>42730907 #>>42731093 #>>42731446 #>>42731761 #>>42731830 #>>42731926 #>>42731977 #>>42732175 #>>42732403 #>>42732552 #>>42733057 #>>42733861 #>>42734330 #>>42735479 #
supriyo-biswas ◴[17 Jan 25 05:15 UTC] No.42734330[source]
You could also terminate TLS or implement HTTPS with Caddy, which will auto-renew your certs for you.
replies(1): >>42735272 #
1. KronisLV ◴[17 Jan 25 08:29 UTC] No.42735272{3}[source]
Curiously, even Apache2 has functionality in the form of mod_md: https://httpd.apache.org/docs/2.4/mod/mod_md.html

Not as advanced as in Caddy (which will be a more pleasant option to use in many cases), but it's curious to see them adding something like that! Makes me wonder whether we'll also get some Nginx functionality like that out of the box sometime so certbot won't have to always be installed alongside it for sites that need to use ACME.