←back to thread

LetsEncrypt – Expiration Notification Service Has Ended

(letsencrypt.org)
181 points zdw | 3 comments | 30 Jun 25 04:49 UTC | HN request time: 0.608s | source
Show context
TekMol ◴[30 Jun 25 08:35 UTC] No.44420869[source]
Certificates are still a pain in the butt. One of the most cumbersome aspects of the web.

Especially domain wide certs which need DNS auth.

DNS auth would be okish if it was simply tied to a txt entry in the DNS and valid as long as the txt entry is there. Why does LetsEncrypt expire the cert while the acme DNS entry is still there? Which attack vector does this prevent?

Also, why not support file based auth in .well-known/acme-challenge/... for domain wide certs? Which attack vector does that prevent?

replies(6): >>44420913 #>>44421265 #>>44421337 #>>44421359 #>>44421487 #>>44429373 #
1. matharmin ◴[30 Jun 25 08:43 UTC] No.44420913[source]
Certificates have a static expiry date by design - it's not "LetsEncrypt expiring the cert". There is no way to avoid expiring a cert if the DNS entry is still there - all you can do is make it easier to renew the cert. That means it must be automated, in which case it doesn't matter if you need to re-create a DNS entry.

In my experience, it takes a little effort to set things up the first time, but from then on it just works.

replies(1): >>44421008 #
2. rjst01 ◴[30 Jun 25 08:56 UTC] No.44421008[source]
I think the parent commenter would be satisfied if they could authorize their DNS by creating a DNS challenge entry one time, and then continue to renew their certificate as long as that entry still existed.

And I'm sympathetic to the concerns that automating this type of thing is hard - many of the simpler DNS tools - which otherwise more than cover the needs for 90% of users - do not support API control or have other compromises with doing so.

That said, I do think LE's requirements here are reasonable given how dangerous wildcard certs can be.

replies(1): >>44421416 #
3. jeroenhd ◴[30 Jun 25 10:03 UTC] No.44421416[source]
> many of the simpler DNS tools -...- do not support API control

That's on the DNS provider in my opinion. They can, if they want to, make things easy and automatic for their customers, but they choose not to. There's a whole list of provider-specific plugins (https://eff-certbot.readthedocs.io/en/stable/using.html#dns-...) with many more unofficial ones available (https://pypi.org/search/?q=certbot-dns-*). Generic ones, like the DirectAdmin one, will work for many web hosts that don't have their own APIs.

If you like to stick with whatever domain provider you picked and still want to use Let's Encrypt DNS validation, you can create a CNAME to another domain on a domain provider that does have API control. For instance, you could grab one of those free webhosting domains (rjst01.weirdfreewebhostthatputsadsinyourhtml.biz) with DirectAdmin access, create a TXT record there, and CNAME the real domain to that free web host. Janky, but it'll let you keep using the bespoke, API-less registrar.

I imagine you could set up a small DNS service offering this kind of DNS access for a modest fee ($1 per year?) just to host API-controllable CNAME DNS validation records. Then again, most of the time the people picking weird, browser-only domain registrars do so because it allows them to save a buck, so unless it's free the service will probably not see much use.