181 points zdw | 1 comments | | HN request time: 0s | source
TekMol ◴[] No.44420869[source]
Certificates are still a pain in the butt. One of the most cumbersome aspects of the web.

Especially domain-wide certs which need DNS auth.

DNS auth would be OK-ish if it was simply tied to a TXT entry in the DNS and valid as long as the TXT entry is there. Why does Let's Encrypt expire the cert while the ACME DNS entry is still there? Which attack vector does this prevent?

Also, why not support file-based auth in .well-known/acme-challenge/... for domain-wide certs? Which attack vector does that prevent?

replies(6): >>44420913 #>>44421265 #>>44421337 #>>44421359 #>>44421487 #>>44429373 #
jeroenhd ◴[] No.44421265[source]
> Why does Let's Encrypt expire the cert while the ACME DNS entry is still there?

That's like saying "why does the government expire my passport/driver's license when I haven't changed my name". That's not how it works; the document is stamped valid for a specific amount of time, and you get a new document with a new expiration time when you renew it.

The certificate from LE will expire automatically 90 days after it was provided; that's why you need to renew it before the 90 days are up.

If you hate setting up automated certificate renewal, you can still get longer-lasting certificates from paid certificate providers. It used to be that you needed to pay a company to generate a certificate for you every year; now you just get the option to have a free one every 90 days.

> Also, why not support file-based auth in .well-known/acme-challenge/... for domain-wide certs

An ACME challenge file on a web server proves that you control a specific server at a specific domain, so you get a certificate for a specific domain.

A DNS entry proves you control the entire domain, so you (can) get a certificate for the domain.

By uploading a file to tekmol.freewebhost.com, you haven't proven that you control either \*.freewebhost.com or \*.tekmol.freewebhost.com. You have just proven that you control tekmol.freewebhost.com.

replies(6): >>44421354 #>>44421633 #>>44421671 #>>44421834 #>>44421863 #>>44422141 #
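
Added example, not part of the comment above: a sketch of where each ACME challenge is looked up (RFC 8555 http-01 and dns-01) and which hostnames the resulting certificate would cover, using the comment's freewebhost.com names. The token and account-key thumbprint are constructed sample values, and only the two challenge types discussed in the thread are modelled.

```python
import base64
import hashlib

def allowed_challenges(identifier: str) -> list[str]:
    """Challenge types usable for an identifier; wildcards need DNS, as the thread states."""
    return ["dns-01"] if identifier.startswith("*.") else ["http-01", "dns-01"]

def validation_plan(identifier: str, token: str, thumbprint: str) -> dict:
    """Where the CA looks, and what it expects to find, for each allowed challenge."""
    key_auth = f"{token}.{thumbprint}"  # RFC 8555 key authorization
    base = identifier[2:] if identifier.startswith("*.") else identifier
    plan = {}
    for ctype in allowed_challenges(identifier):
        if ctype == "http-01":
            # Proves control of the web server answering for this one hostname.
            plan[ctype] = {
                "url": f"http://{base}/.well-known/acme-challenge/{token}",
                "body": key_auth,
            }
        else:
            # Proves control of the DNS zone the name lives in.
            digest = hashlib.sha256(key_auth.encode("ascii")).digest()
            plan[ctype] = {
                "name": f"_acme-challenge.{base}",
                "type": "TXT",
                "value": base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii"),
            }
    return plan

def covers(cert_name: str, host: str) -> bool:
    """True if a certificate for cert_name is valid for host (wildcard = one label)."""
    if not cert_name.startswith("*."):
        return cert_name.lower() == host.lower()
    label, _, parent = host.partition(".")
    return bool(label) and parent.lower() == cert_name[2:].lower()

if __name__ == "__main__":
    TOKEN = "constructed-sample-token"        # constructed, not a real challenge token
    THUMB = "constructed-sample-thumbprint"   # constructed, not a real JWK thumbprint
    for name in ("tekmol.freewebhost.com", "*.freewebhost.com"):
        print(name, validation_plan(name, TOKEN, THUMB))
    # A file on tekmol.freewebhost.com says nothing about sibling hosts,
    # yet a wildcard certificate would be valid for all of them:
    print(covers("*.freewebhost.com", "someone-else.freewebhost.com"))
```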
hn_throw2025 ◴[] No.44421354[source]
> If you hate setting up automated certificate renewal, you can still get longer-lasting certificates from paid certificate providers. It used to be that you needed to pay a company to generate a certificate for you every year; now you just get the option to have a free one every 90 days.

I took the easier route and let Cloudflare generate and handle certs for my domains. I’m on the free tier. I secure traffic between them and my host with an origin cert. By default those are valid for 15 years.

I know CF is frequently criticised around here, but wanted to mention it as an option.

replies(1): >>44421434 #
jeroenhd ◴[] No.44421434{3}[source]
That works too, of course. You don't even need a specific certificate or even an open port by leveraging Cloudflare tunnels, which means you can host your website on a local server behind three layers of NAT if you had to.

And it's not just Cloudflare; there are plenty of other redirect-everything-through-a-CDN hosts available. If you don't mind giving Cloudflare control of your website (and barring visitors from countries like India where CGNAT makes everyone fill out CAPTCHAs every page load), this approach will take care of just about everything.

replies(1): >>44421630 #
hn_throw2025 ◴[] No.44421630{4}[source]
Agreed. It’s about priorities and tradeoffs.

I’ve been impressed with how much I get on the free tier (my sites are small). With the DDoS protections, rate limit, WAF rules, and Turnstile, it feels like I can keep a significant amount of abusive traffic from reaching my host. It’s a pretty compelling tradeoff for me, anyway.