
Let's Encrypt: Active Incident, DNS errors causing service disruption - antouank
https://letsencrypt.status.io/
======
giancarlostoro
I figure there should exist alternatives to LE, otherwise they're a pretty big
target. If anything too harmful happened to LE what would its users do? I
don't know enough about it, but right now they're going to be the only player
in the free SSL certs market which puts them in a scary enough location.

~~~
ultramancool
StartSSL and CAcert have existed long before Let's Encrypt was even started.

~~~
pmlnr
StartSSL is a b* to use, the free tier. I can't renew a cert before it
expires.

~~~
breser
That's not exactly true. You can renew it before it expires. You just can't
renew it until it is nearly expired. I think it's like a 2 week window or
something like that.

The bigger complaint about StartSSL should be that if you need to revoke the
certificate you have to pay for it.

For a free service though I don't think their requirements are too terrible.

~~~
geofft
That wouldn't be such a problem given that most SSL stacks (correctly, IMO)
ignore revocation checking... except that you can't get a new cert without
revoking the old one. It would otherwise be reasonable to determine you don't
care about getting it revoked (and therefore don't want to fund the revocation
infrastructure, like a highly-available OCSP responder) but you just want a
new cert.

------
jldugger
By my estimation, Let's Encrypt has at least 16 million dollars in annual
sponsorship.[1][2] That's quite a bit of money, but I wonder how much of it
goes to operations, versus other overhead of various kinds (legal, marketing,
administrative).

Many of our clients are excited about LE, and as we figure out how to support
it without disrupting our infrastructure too much, it's concerning to imagine
that there's substantial daily risk that 4-5 certs will fail to renew.

I suppose since it's free and automated, you just renew a month earlier than
required.

[1] [https://letsencrypt.org/sponsors/](https://letsencrypt.org/sponsors/)

[2] [https://letsencrypt.org/become-a-sponsor/](https://letsencrypt.org/become-a-sponsor/)

~~~
JonathonW
That's their idea-- the reference client (by default) will renew any
certificates expiring within 30 days, and they recommend you script it to run
at least daily. That gives it many opportunities to retry in case of network
problems or server outages (on your end or on theirs).
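
The retry margin described in this exchange, as an added example that is not part of the thread or the Let's Encrypt client: it simulates one renewal attempt per day against a CA outage and classifies a certificate for monitoring. The dates, the outage and the 14-day alert threshold are constructed assumptions; only the 30-day window comes from the comment above.

```python
from datetime import date, timedelta

RENEW_WINDOW_DAYS = 30   # renewal window quoted in the comment above
ALERT_DAYS = 14          # assumed paging threshold, not from the thread

# Constructed sample data: one certificate and one five-day CA outage
# that begins on the day the 30-day window opens.
NOT_AFTER = date(2016, 7, 13)
OUTAGE = {date(2016, 6, 13) + timedelta(days=i) for i in range(5)}


def first_successful_renewal(not_after, start, ca_down, window_days=RENEW_WINDOW_DAYS):
    """Simulate one renewal attempt per day from `start`.

    Returns the first date an attempt succeeds, or None if the
    certificate expires before any attempt gets through.
    """
    day = start
    while day < not_after:
        in_window = (not_after - day).days <= window_days
        if in_window and day not in ca_down:
            return day
        day += timedelta(days=1)
    return None


def renewal_state(not_after, today, window_days=RENEW_WINDOW_DAYS, alert_days=ALERT_DAYS):
    """Classify a certificate for monitoring purposes."""
    left = (not_after - today).days
    if left <= 0:
        return "expired"
    if left <= alert_days:
        return "alert"    # still unrenewed this late: retries are failing
    if left <= window_days:
        return "renew"    # inside the window, an attempt is due today
    return "valid"


if __name__ == "__main__":
    start = date(2016, 6, 1)
    # 30-day window rides out the outage; a 1-day window does not.
    print(first_successful_renewal(NOT_AFTER, start, OUTAGE))
    print(first_successful_renewal(NOT_AFTER, start, {date(2016, 7, 12)}, window_days=1))
    for d in (date(2016, 6, 1), date(2016, 6, 20), date(2016, 7, 5)):
        print(d, renewal_state(NOT_AFTER, d))
```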

------
aparadja
Isn't the "DNS errors causing service disruption" an old incident from April
6th?

There is something strange going on at the moment, though, but not sure it has
to do with DNS. I actually tried to set up my first cert about 10 hours ago with
Let's Encrypt, and got a variety of ungraceful errors with the same
configuration. Only one was related to DNS. Most were code 500 from the API
servers.

~~~
viraptor
Their status page is broken. You can see the actual issue on the history page
instead, or specifically
[https://letsencrypt.status.io/pages/incident/55957a99e800baa...](https://letsencrypt.status.io/pages/incident/55957a99e800baa4470002da/570fe5aafe92599160001098)

    
    
        April 14, 2016 12:47PM MDT
        April 14, 2016 6:47PM UTC
        [Investigating] We have noticed an increased number of errors. We are investigating now.
    
        April 14, 2016 1:21PM MDT
        April 14, 2016 7:21PM UTC
        [Resolved] Systems have fully recovered and all services appear to be operating nominally. Cause seems to have been a transient hardware failure and further investigation is under way.
    

Or at least the most recent issue... they both marked it as resolved and
"further investigation is under way". Should be "investigating/monitoring"
instead?

------
iamgopal
I have wondered many times, so let me just ask it: why aren't platform providers
like Microsoft, Google or Apple also secure certificate providers? Wouldn't it
be immensely easier for both parties?

~~~
ikeboy
Amazon does, for one.

------
nereid666
Is this causing a problem for pages protected by a certificate, due to OCSP
errors? Or is the impact only affecting issuance and renewals?

------
mholt
I believe this issue was originally reported via Twitter, here:
[https://twitter.com/_rsc/status/717777241296543744](https://twitter.com/_rsc/status/717777241296543744)
-- and that for the most part things are working, but there are just
occasional errors.

------
esterly
We created certs with Let's Encrypt today, worked like a champ.

------
mehrzad
When will GitHub Pages support this?

