
I'll happily pay money to get a cert that expires in 3 years instead of 90 days. Some of us don't feel like faffing about with cert renewal every quarter. (I know there are tools and clients that can "make it seamless" - until the ACME endpoints are down or something).

Really long expiration certs are a security issue. The main reason being that if the cert is compromised, there is a much longer window that it can be exploited. With a 90 day window, even if it is compromised, it will stop working soon.

Even in the case that it is compromised and you know it, your only option is certificate revocation. And you are in big trouble if you are relying on revocation because most clients do not keep very up to date with the CRL.

Not only for security, but the 90 days is to encourage automation. And most clients like certbot will check every day, and if the cert is within 30 days of renewal, it attempts to renew. If letsencrypt is down, it will try again the next day. So you have an entire month before an outage would affect you.

>I'll happily pay money to get a cert that expires in 3 years instead of 90 days.

No way. Every time I've worked with an organization with three-year expiry it's guaranteed they have no idea, after three years, how to even renew the cert. They are effectively longer in many cases than the hiring cycle and for larger organizations can be a complete nightmare. No one wants to invest time in automation, training, tracking, etc., because it's so far down the road. The 90 day model makes much more sense because it requires automation. In terms of the ACME endpoints being down, I'm not going to say that won't happen, but renewal starts 30 days before the cert expires, and if Let's Encrypt's ACME endpoints are down for 30 days or longer there's a good chance we are all dealing with something far more dire than cert renewal at that point.

I've been running a modified copy of the dehydrated client (https://github.com/lukas2511/dehydrated) for, I dunno, a long time now. Since not long after letsencrypt became available.

I have my own domain name servers, so it wasn't hard to wire up DNS-01 support.

Anyway, the client has been running daily out of a cron job, updating certs on remote servers as they need to be, with very little intervention from me, for well over a year now. It's just about a set-it-and-forget-it setup.

Let's Encrypt is intended to be fully automated and you shouldn't have to faff about with it every quarter, it should do its thing all by itself.

...most of the time.

If you are following the recommended practices, it's every 2 months, and ACME would have to be down for a solid month. I think that's fairly unlikely.

Well then you are two weeks late. The maximum lifetime for a certificate is now 825 days, most commercial CAs are selling only 1 or 2 year certificates, with the extra days used to allow early renewals to "carry over" a few weeks.

I'm in the same boat. I haven't found a guide for an easy and flawless way to automate cert renewal with letsencrypt when you use multiple services over different servers. For my wildcard, I use the same cert for:

1. Ubuntu VPS #1:
   a. dovecot ssl
   b. postfix ssl
   c. apache multiple virtual domains ssl
   d. pureftpd ssl

2. Ubuntu VPS #2:
   a. apache multiple virtual domains ssl

3. Microsoft Server:
   a. IIS multiple virtual domains ssl

Why does it have to be the same cert on every host? Use a separate cert for each and automation will be much easier.

With Let's Encrypt, you don't need to minimize the number of certs just to save some money.

I'm just saying how I'm running things now. Totally open to better ways. Right now I pay $135 for a two year wildcard cert (very small business here). It takes 1 hour of my time to update the cert for all these applications. 1 hour of time and $135 every two years is not a lot. When I do a cursory look at how to reliably automate letsencrypt across all applications, there are people who have created scripts that help, but it does not give me reassurance that everything will run smoothly every 90 days. I am waiting for letsencrypt to get first-class support in dovecot, postfix, pureftpd, and IIS, so it can be set-and-forget, and I know long term support will be there.
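The part that is usually missing from the "scripts that help" is the deployment step after issuance: getting the new key and chain to each daemon and reloading it. Below is an added example of how that step can be done with a dehydrated hook (mentioned earlier in the thread); it is not from the thread or from the dehydrated project. dehydrated does call its hook as `HOOK deploy_cert DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP`; everything else here (the directories, the `vps2.example.invalid` host, the reload commands, the pure-ftpd combined-PEM detail) is an assumption chosen for illustration, and IIS is not covered:

```python
#!/usr/bin/env python3
"""Added example: a dehydrated hook that pushes a renewed certificate to every service
that uses it and reloads each one.

dehydrated invokes the hook with the action name as the first argument. After a
successful issuance it runs:
    HOOK deploy_cert DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP
Target directories, host names and reload commands below are assumptions.
"""
import os
import shutil
import subprocess
import sys
from pathlib import Path

# Constructed map of the local services on VPS #1. `combined` marks daemons (pure-ftpd)
# that expect the private key and the chain concatenated into one PEM file.
LOCAL_TARGETS = {
    "dovecot":   {"dir": "/etc/dovecot/ssl", "reload": ["systemctl", "reload", "dovecot"]},
    "postfix":   {"dir": "/etc/postfix/ssl", "reload": ["systemctl", "reload", "postfix"]},
    "apache2":   {"dir": "/etc/apache2/ssl", "reload": ["systemctl", "reload", "apache2"]},
    "pure-ftpd": {"dir": "/etc/ssl/private", "reload": ["systemctl", "restart", "pure-ftpd"],
                  "combined": True},
}
# Constructed remote host (VPS #2): files go over scp, the reload runs over ssh.
REMOTE_TARGETS = [
    {"host": "vps2.example.invalid", "dir": "/etc/apache2/ssl",
     "reload": "systemctl reload apache2"},
]


def plan_deploy(domain, keyfile, fullchainfile, local=LOCAL_TARGETS, remote=REMOTE_TARGETS):
    """Return the ordered list of (kind, argv) actions without executing any of them.

    Separating the plan from execution makes the hook easy to dry-run and to test.
    Every file copy for a service is listed before that service's reload command.
    """
    actions = []
    for _name, t in local.items():
        if t.get("combined"):
            actions.append(("concat", [keyfile, fullchainfile, f"{t['dir']}/{domain}.pem"]))
        else:
            actions.append(("copy", [keyfile, f"{t['dir']}/{domain}.key"]))
            actions.append(("copy", [fullchainfile, f"{t['dir']}/{domain}.fullchain.pem"]))
        actions.append(("run", t["reload"]))
    for r in remote:
        for src, dst in ((keyfile, f"{domain}.key"), (fullchainfile, f"{domain}.fullchain.pem")):
            actions.append(("run", ["scp", "-q", src, f"{r['host']}:{r['dir']}/{dst}"]))
        actions.append(("run", ["ssh", r["host"], r["reload"]]))
    return actions


def execute(actions, dry_run=False):
    """Apply the plan. Any file that contains the private key is written mode 0600."""
    for kind, argv in actions:
        if dry_run:
            print(kind, *argv)
            continue
        if kind == "copy":
            src, dst = argv
            Path(dst).parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, dst)
            os.chmod(dst, 0o600 if dst.endswith(".key") else 0o644)
        elif kind == "concat":
            key, chain, dst = argv
            Path(dst).parent.mkdir(parents=True, exist_ok=True)
            Path(dst).write_bytes(Path(key).read_bytes() + Path(chain).read_bytes())
            os.chmod(dst, 0o600)
        else:
            subprocess.run(argv, check=True)  # a failing reload aborts the hook loudly


def main(argv):
    action = argv[1] if len(argv) > 1 else ""
    if action == "deploy_cert":
        domain, keyfile, _certfile, fullchainfile, _chainfile, _timestamp = argv[2:8]
        execute(plan_deploy(domain, keyfile, fullchainfile),
                dry_run=os.environ.get("HOOK_DRY_RUN") == "1")
    # deploy_challenge / clean_challenge (DNS-01) and the other actions are no-ops here.


if __name__ == "__main__":
    main(sys.argv)
```

Point dehydrated at it with `HOOK=/path/to/this.py` in its config and run the cron job once with `HOOK_DRY_RUN=1` to see the full action list before letting it touch anything. Because the plan is built first and every reload comes after its service's files are in place, a half-deployed state from a failed copy is visible in the log rather than silently serving a stale cert.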

Well, you can happily use other CAs if you want to 1. pay money and 2. manage certs manually, as you did/do it always.

"Why we need to do more to reduce certificate lifetimes": https://news.ycombinator.com/item?id=16582714
