
181 points | zdw | 1 comment
TekMol | No.44420869
Certificates are still a pain in the butt. One of the most cumbersome aspects of the web.

Especially domain-wide certs, which need DNS auth.

DNS auth would be OK-ish if it were simply tied to a TXT entry in the DNS and valid as long as the TXT entry is there. Why does LetsEncrypt expire the cert while the ACME DNS entry is still there? Which attack vector does this prevent?

Also, why not support file-based auth in .well-known/acme-challenge/... for domain-wide certs? Which attack vector does that prevent?

replies(6): >>44420913 #>>44421265 #>>44421337 #>>44421359 #>>44421487 #>>44429373 #
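Editor's note with an added example, not code from the thread or from Let's Encrypt: the two challenge types the post asks about are specified in RFC 8555. Both start from the same key authorization, `token || "." || thumbprint(account key)`, where the CA mints a fresh token for every challenge it issues. HTTP-01 (section 8.3) has the CA fetch `/.well-known/acme-challenge/<token>` over port 80 on the one host named in the order, which only proves control of that host's web server; DNS-01 (section 8.4) has the CA look up a TXT record at `_acme-challenge.<domain>` carrying `base64url(SHA-256(key authorization))`, and RFC 8555 section 7.1.3 requires that a wildcard identifier be validated by DNS-01, with the `*.` label dropped when forming the record name. The script below implements both derivations and a mock CA-side DNS-01 check, then shows what happens when the TXT record published for one order is left in place and a later order (say, a renewal) is validated against it: the token differs, so the stale record does not match. The JWK coordinates, the tokens and the `zone` dictionary standing in for a DNS lookup are all constructed for the example.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 8555 and JWK use it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required JWK members,
    serialised with keys sorted lexicographically and no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: token || '.' || thumbprint(account key).
    The token is chosen by the CA and is new for every challenge."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_expected(token: str, jwk: dict) -> tuple[str, str]:
    """HTTP-01 (section 8.3): the path the CA fetches on port 80 of the
    validated host, and the body it expects there."""
    return f"/.well-known/acme-challenge/{token}", key_authorization(token, jwk)


def dns01_validation_name(identifier: str) -> str:
    """DNS-01 (sections 7.1.3 and 8.4): TXT record name. A wildcard's '*.'
    label is dropped, so '*.example.com' is proven at _acme-challenge.example.com."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """DNS-01 TXT value: base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


def ca_validate_dns01(zone: dict, identifier: str, token: str, jwk: dict) -> bool:
    """Mock CA-side check. `zone` stands in for a live DNS lookup:
    record name -> list of TXT strings currently published."""
    expected = dns01_txt_value(token, jwk)
    return expected in zone.get(dns01_validation_name(identifier), [])


# Constructed account key: a P-256 JWK with made-up coordinates (not a real key).
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": b64url(bytes(range(32))),
    "y": b64url(bytes(range(32, 64))),
}

# Illustrative tokens. The CA issues a new one for each order, including each renewal.
TOKEN_FIRST_ORDER = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
TOKEN_RENEWAL = "DGyRejmCefe7v4NfDGDKfA"


def stale_record_demo() -> tuple[bool, bool]:
    """Publish the TXT record for the first order, then leave it in place and
    let the CA validate a later order against it. Returns (first_ok, renewal_ok)."""
    zone = {
        dns01_validation_name("*.example.com"):
            [dns01_txt_value(TOKEN_FIRST_ORDER, SAMPLE_JWK)],
    }
    first_ok = ca_validate_dns01(zone, "*.example.com", TOKEN_FIRST_ORDER, SAMPLE_JWK)
    renewal_ok = ca_validate_dns01(zone, "*.example.com", TOKEN_RENEWAL, SAMPLE_JWK)
    return first_ok, renewal_ok


if __name__ == "__main__":
    path, body = http01_expected(TOKEN_FIRST_ORDER, SAMPLE_JWK)
    print("HTTP-01: serve", path, "with body", body)
    print("DNS-01: publish TXT", dns01_validation_name("*.example.com"),
          "=", dns01_txt_value(TOKEN_FIRST_ORDER, SAMPLE_JWK))
    first_ok, renewal_ok = stale_record_demo()
    print("first order validates:", first_ok)
    print("renewal validated against the stale TXT record:", renewal_ok)
```

The record name for a wildcard is the one the base domain would use, which is why DNS-01 is accepted for `*.example.com` while an HTTP-01 response from a single host is not: a TXT record at the zone apex is only writable by whoever controls the zone, whereas `/.well-known/acme-challenge/` on one host proves nothing about the other names under the wildcard. The certificate's own lifetime is a separate parameter; the TXT value is tied to one challenge's token, so it is not reusable as a standing credential even if it is never deleted.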
1. Mr_Minderbinder | No.44429373
> Certificates are still a pain in the butt. One of the most cumbersome aspects of the web.

They will likely always be a pain and many aspects of Web security are cumbersome. It is simply a reflection of the fact that the Web, like e-mail, was not designed to be secure in the first place, being used in organisations where you can rely on trust. As a result the security stuff is just bolted on and often only in response to the previous solution failing. The previous layers stick around like zombie flesh until they are unceremoniously deprecated and cut away a decade later. A new system designed from scratch would be less cumbersome.