
We rotate them manually once every two years. It works. No need for a certbot. Simpler infrastructure.

Sure about the broken, but the alternatives are worse with possible leaked private keys.




How is that simpler? That seems like it doesn't scale and is incredibly error-prone.

If you only have one certificate you may get away with it. But once you have hundreds or thousands, this is absolutely going to break down on the human factor.

And even if you do have a single (or few) certificate(s), there are other factors that are going to complicate maintaining this system:

  * What if a certificate needs to be revoked by your CA? Generally CAs are obligated to revoke certificates within tight deadlines (e.g. 24 hours for key compromise). That doesn't give a human a lot of time to replace the certificate.
  * What's going to happen when 2-year certs are no longer available? Ballot SC-22 failed, but it would've reduced certificate lifetimes to 1 year. Some CAs are moving in this direction anyway, and it's worth noting that Sectigo supported this ballot.
  * What happens when the person responsible for renewing them leaves the company and forgets to hand off the responsibility?

I almost see the infrequency of certificate rotation as a negative since it means the process is infrequently tested and easy to forget about.

Sure, tools like certbot can break, but if you know that it's renewing certificates 30 days out then set up alerting for whenever a certificate expires in less than 30 days. You should have this alerting anyway in case the human responsible for manual rotation forgets.

If you ended up in a state where you were serving an expired certificate then the key issue is your alerting.
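The expiry alerting described in this comment, as an added example that is not part of the thread: a check that reads notAfter straight out of each certificate's DER encoding (walking only the X.509 fields up to Validity, so no third-party library is needed) and reports everything that is at or below a threshold, with 30 days standing in for the renewal window mentioned above. The certificates in the inventory are constructed stand-ins built by `make_sample_cert` (unsigned, empty issuer and subject), the hostnames are hypothetical, and `SAMPLE_NOW` is a fixed clock so the result is reproducible; real input would be `open(path, "rb").read()` for a DER file or `ssl.PEM_cert_to_DER_cert(pem_text)` for PEM.

```python
"""Certificate-expiry alerting check (added example, not from the thread).

Parses just enough DER/X.509 to read a certificate's notAfter, then flags
every certificate in an inventory that expires within a threshold.  The
inventory below is constructed sample data, not real certificates.
"""
import ssl  # ssl.PEM_cert_to_DER_cert(pem_text) converts real PEM input to DER
from datetime import datetime, timezone


def _read_tlv(data, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def _children(value):
    """Yield (tag, value) for each element inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = _read_tlv(value, pos)
        yield tag, inner


def _parse_time(tag, value):
    """Decode an X.509 Time: UTCTime (0x17) or GeneralizedTime (0x18)."""
    text = value.decode("ascii")
    if tag == 0x17:  # YYMMDDHHMMSSZ; RFC 5280: 50-99 mean 19xx, 00-49 mean 20xx
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    elif tag != 0x18:  # YYYYMMDDHHMMSSZ
        raise ValueError(f"unexpected time tag 0x{tag:02x}")
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def not_after(der):
    """Return notAfter of a DER-encoded certificate as an aware UTC datetime."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs = next(_children(cert))          # tbsCertificate is the first element
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:                 # optional explicit [0] version
        fields = fields[1:]
    # order is now: serialNumber, signature, issuer, validity, subject, ...
    validity_tag, validity = fields[3]
    if validity_tag != 0x30:
        raise ValueError("validity field is not a SEQUENCE")
    (_, _not_before), (na_tag, na_value) = list(_children(validity))
    return _parse_time(na_tag, na_value)


def expiring_soon(certs, now, threshold_days=30):
    """Return [(name, days_left)] for certs at or below the threshold, soonest first.

    Negative days_left means the certificate has already expired.
    """
    hits = []
    for name, der in certs.items():
        days_left = (not_after(der) - now).days
        if days_left <= threshold_days:
            hits.append((name, days_left))
    return sorted(hits, key=lambda hit: hit[1])


# --- constructed sample data below (hypothetical names, not real certificates) ---

def _tlv(tag, content):
    """DER-encode one tag-length-value (short and long length forms)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def make_sample_cert(not_before, not_after_dt):
    """Build a minimal, unsigned X.509-shaped structure for testing the parser.

    Only the fields the parser walks are meaningful; this is NOT a usable cert.
    """
    def utctime(dt):
        return _tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))

    tbs = _tlv(0x30, b"".join([
        _tlv(0xA0, _tlv(0x02, b"\x02")),                                    # [0] version v3
        _tlv(0x02, b"\x01"),                                                # serialNumber
        _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")),  # sha256WithRSA OID
        _tlv(0x30, b""),                                                    # issuer (empty)
        _tlv(0x30, utctime(not_before) + utctime(not_after_dt)),           # validity
        _tlv(0x30, b""),                                                    # subject (empty)
    ]))
    return _tlv(0x30, tbs + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))


SAMPLE_NOW = datetime(2020, 3, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for the demo
SAMPLE_CERTS = {  # constructed inventory: hypothetical hostnames
    "www.example.test": make_sample_cert(datetime(2020, 1, 1), datetime(2020, 3, 13, 12, 0)),
    "api.example.test": make_sample_cert(datetime(2019, 12, 1), datetime(2020, 2, 27, 12, 0)),
    "mail.example.test": make_sample_cert(datetime(2020, 1, 1), datetime(2022, 1, 1)),
}


def run_check(now=SAMPLE_NOW, threshold_days=30):
    """Run the alerting check over the constructed inventory."""
    return expiring_soon(SAMPLE_CERTS, now, threshold_days)


if __name__ == "__main__":
    for name, days in run_check():
        state = "EXPIRED" if days < 0 else "expiring"
        print(f"ALERT {name}: {state}, {days} days left")
```

Run against a real inventory by replacing `SAMPLE_CERTS` with the DER bytes of each deployed certificate and `now` with `datetime.now(timezone.utc)`; an alert at 30 days means the automated renewal (or the human on the rota) has already missed its window, and a negative value is the "serving an expired certificate" state the comment describes.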


And what timing! Just today it was announced certs trusted by Safari issued after Sep. 1st must have a lifetime of 1 year [1]

[1] https://twitter.com/chosensecurity/status/123025334823601357...


Absolutely not disputing what you say.

However, 99% of people have no more than a handful, especially if you have wildcard certificates. And the incidental complexity of running certbot (even without the validation changes) is not worth it.

You are the perfect use case for certbot. The rest of us aren't.

I'm not sure what you mean that the process can break. The way to use certificates is through haproxy/nginx/apache, which are definitely more tested and stable than certbot. Half the internet still uses them and they support much more legacy than LE.

Let's Encrypt was disruptive because it was free. It was not disruptive because of certbot.


If you rotated them manually every week, then why not? Costly, not scalable, prone to errors, etc.

There is probably a list of sites which forgot that there was a process. I saw that happening in Crédit Lyonnais (a French bank). On a Saturday night.



