←back to thread

Six day and IP address certificate options in 2025

(letsencrypt.org)
197 points SGran | 2 comments | 16 Jan 25 15:36 UTC | HN request time: 0.429s | source
Show context
rickette ◴[16 Jan 25 19:32 UTC] No.42729799[source]
Kinda funny to call the current 90 day certs "long lived". When Let's Encrypted started out more than 10 years ago most certs from major vendors had a 1 year life span. Let's Encrypt was (one of) the first to use drastically shorter life spans, hence all the ACME automation effort.
replies(3): >>42730254 #>>42730324 #>>42735256 #
ryandrake ◴[16 Jan 25 20:10 UTC] No.42730254[source]
To someone like me with hobby-level serving needs, the 90 day certificate life is pretty inconvenient, despite having automation set up. I run a tiny VPS that hosts basic household stuff like e-mail and a few tiny web sites for people, and letsencrypt/certbot automation around certificate renewal is the only thing that I seem to need to regularly babysit and log in to manually run/fix. Everything else just hums along, but I know it's been 90 days because I suddenly can't connect to my E-mail or one of the web virtual hosts went down again. And sure enough, I just need to run certbot renew manually or restart lighttpd or whatever.
replies(16): >>42730288 #>>42730534 #>>42730907 #>>42731093 #>>42731446 #>>42731761 #>>42731830 #>>42731926 #>>42731977 #>>42732175 #>>42732403 #>>42732552 #>>42733057 #>>42733861 #>>42734330 #>>42735479 #
jeroenhd ◴[16 Jan 25 21:06 UTC] No.42730907[source]
Let's Encrypt doesn't work great when the Let's Encrypt client software has a bug or is misconfigured (one of those is true for your situation).

I think keeping the validity long just removes incentives for people to bother fixing their setups. We've seen the shift from "Craig needs to spend a few days on certificate renewal every year" to full automation in most environments when the 90 day validity period was introduced, and shortening it to a week will only help further automation.

You'll always have the option to skip the hassle (for a small fee, unless a Let's Encrypt competitor joins the market), but I feel the benefits outweigh the downsides.

I personally would've preferred something like DANE working, but because the best we've got is DNSSEC and most of the internet doesn't even bother implementing that, I doubt we'll ever see that replace the current CA system.

replies(3): >>42735693 #>>42737531 #>>42742639 #
raxxor ◴[17 Jan 25 13:56 UTC] No.42737531[source]
I cannot say that this works as flawless as some would advertise, with just as script running every 90 days. Some services do not load certificates while running and must be restarted. That alone can be a hassle.

Some software now uses short lived certificates and even with decent configurations, there is an elevated level of problems specifically because of certificates. Especially in networks that use a lot of segmentation with very restricted network traffic.

I think a short lifetime can be a security benefit, but it should not become a dogma. It should be employed where it really makes sense but as a general rule inconvenient describes it quite well.

replies(2): >>42740030 #>>42741624 #
1. patrakov ◴[17 Jan 25 18:26 UTC] No.42741624[source]
It is not just a script running every 90 days. It's also monitoring that the script didn't break, cron didn't break (you know, cron sometimes breaks after the PAM package update), your account didn't get banned, and that your domain name is not affected by a mass revocation.
replies(1): >>42743580 #
2. atomicnumber3 ◴[17 Jan 25 21:44 UTC] No.42743580[source]
Are you... not monitoring those things otherwise?