To someone like me with hobby-level serving needs, the 90 day certificate life is pretty inconvenient, despite having automation set up. I run a tiny VPS that hosts basic household stuff like e-mail and a few tiny web sites for people, and letsencrypt/certbot automation around certificate renewal is the only thing that I seem to need to regularly babysit and log in to manually run/fix. Everything else just hums along, but I know it's been 90 days because I suddenly can't connect to my E-mail or one of the web virtual hosts went down again. And sure enough, I just need to run certbot renew manually or restart lighttpd or whatever.
> To someone like me with hobby-level serving needs, the 90 day certificate life is pretty inconvenient
I's only inconvenient because it isn't properly automated. That's by design.
When this can be a acme.sh script cronjob, there isn't much of an excuse. Even my Raspberry Pi dedicated to my 3D printer is happily renewing certificates.
At least with this thing breaking every 90 days you have it fresh on your mind. One year away you may not even remember what you have to do.
Let's Encrypt doesn't work great when the Let's Encrypt client software has a bug or is misconfigured (one of those is true for your situation).
I think keeping the validity long just removes incentives for people to bother fixing their setups. We've seen the shift from "Craig needs to spend a few days on certificate renewal every year" to full automation in most environments when the 90 day validity period was introduced, and shortening it to a week will only help further automation.
You'll always have the option to skip the hassle (for a small fee, unless a Let's Encrypt competitor joins the market), but I feel the benefits outweigh the downsides.
I personally would've preferred something like DANE working, but because the best we've got is DNSSEC and most of the internet doesn't even bother implementing that, I doubt we'll ever see that replace the current CA system.
I cannot say that this works as flawless as some would advertise, with just as script running every 90 days. Some services do not load certificates while running and must be restarted. That alone can be a hassle.
Some software now uses short lived certificates and even with decent configurations, there is an elevated level of problems specifically because of certificates. Especially in networks that use a lot of segmentation with very restricted network traffic.
I think a short lifetime can be a security benefit, but it should not become a dogma. It should be employed where it really makes sense but as a general rule inconvenient describes it quite well.
It is not just a script running every 90 days. It's also monitoring that the script didn't break, cron didn't break (you know, cron sometimes breaks after the PAM package update), your account didn't get banned, and that your domain name is not affected by a mass revocation.
FWIW you should run most ACME clients more often than that, just in case there's a performance issue or bug at Let's Encrypt's side. The tooling won't replace your certificates unless they're almost expiring anyway. Certbot's instructions will have you set up a cron job that runs twice a day.
> Some services do not load certificates while running and must be restarted
This is exactly the kind of software that needs fixing. Luckily for the critical, nine nines uptime cases where 5 seconds of downtime for the web server restarting is unacceptable, there are services that will sell you certificates valid for a full year or even longer.
I doubt year long certificates are going away soon. We're already years off Let's Encrypt ending their 90 days offering, for sure. The convenience factor isn't going away, at some point it'll just cost a bit more.
There are other "open" CAs that can be used for free. For example, Google Public CA, Buypass and ZeroSSL, which all support the ACME protocol though you need an account there to get EAB credentials, that then are configured in Certbot or whatever you use.
Clearly it's not working correctly, so a longer certificate lifetime wouldn't address the root cause - you would just have to fix your setup less often.
> To someone like me with hobby-level serving needs, the 90 day certificate life is pretty inconvenient, despite having automation set up.
I also have hobby-level serving needs. I've been using LetsEncrypt since whenever it was they started. I have two top level domains and a whole lot of subdomains.
I've never had to babysit certificate renewal, nor had to log in manually to fix anything. Not once. How comes?
If your server is not accessible from the internet you need to use DNS based authentication for which you need to have a DNS API key lying around on your server which is a significant risk.
Weird. It's always been flaky for me, so I thought it was just the usual run-of-the-mill crappy software and that everyone just deals with it. I can't imagine what the bug might be in a 6 line shell script that just runs certbot and then restarts a bunch of services.
I also use Certbot (v2.1.0) for my small VPS/hobby setup (www + email) and I haven't had to mess with it since I set it up in 2021. Just adding another data point so you know it doesn't have to be painful. I'll be happy to help, just drop me a line.
I don't know what your issues are, but perhaps the know-it-all people who comments on this with a variation of "you're doing it wrong" or a problem of "not enough automation" could cool down a bit and realize the web PKI is hacks build from hacks and there are many reasons why the public ACME system may not be entirely robust for every application.
On the top of my head, that could be because one or more domains are not accessible from the public Internet (which could be for a variety of reasons), a subset of the subject domains having expired for legitimate reasons but you might not know which in advance (certificates being what they are some application rely on them having alternative names), intermittently flaky routing (which might not be a problem for the application), and a number of other reasons. That's without including potentially hostile actors. Then there are plenty of offline uses for certificates!
That said, Let's Encrypt has really been a revolution and made life better for many people. But it's not perfect and the PKI system itself has many warts. It's absolutely a system that may need a non negligible amount of babysitting when you venture outside the absolute mainstream.
If you're using LetsEncrypt without automation you're doing it wrong, and the reason that the WebPKI is so hacky is that it was insulated from basic computer science for 2 decades and run by enterprise software companies.
You have to automate certificates. You can't do these by hand anymore. Certificate lifetimes are going to get inexorably shorter.
Wow, I came back to this thread and it unexpectedly blew up. Looks like my experience is not normal and L.E. is not flaky for anyone else on HN. Who knew my simple 6 line shell script has been buggy for a decade.
I guess if you zoom out, one of the things I bristle with is LetsEncrypt's opinionated way of changing people's behavior. The short certificates were a deliberate decision, done to "get users to do X." They were pretty transparent about it. In my view, computers should do what users want them to do, not what developers want users to do. We've got enough software out there with notifications and consent dialogs begging users to do this and that, and this just adds to the problem.
I get that the software is free (which was a revolution in the PKI world at the time), but the short lifespan seems to be either a behavior modification experiment OR an annoyance to get people to fork over money for the better (better for users, not necessarily for security), longer-lived products.
The short certificates aren't just a random opinion LetsEncrypt had that they decided to inflict on everybody; it's a recognition of the fact that revocation doesn't work, and so it's important to reduce the blast radius of a compromised certificate. There's now a broad consensus on this in the field. I understand your frustration, but you're going to have to get used to this one.
It is, pretty obviously, not a weird scheme to get you to pay for certificates at some other CA.
Not really. PKI has always been that way since before the web. Mainly because the use cases are so varied and it there is the tendency to support every possibility under the sun.
For the longest time the web PKI lacked a singular view on what exactly they were supposed to be signing. Its usage reflects that.
That is deeply rooted in culture. I mean, we do speak about a culture in which X.509 was a reasonable choice. Years after the X.500 universe was cold to the touch at that.
The rest of your comment seems directed at someone else. Framing this on automation is misleading, which is what the examples in my comment were intended to show.
> To someone like me with hobby-level serving needs, the 90 day certificate life is pretty inconvenient, despite having automation set up.
I've been running an LE client (official one, dehydrated, others) on various system for ~8 years, and the one time I had an issue with renewing was when (AIUI) the LE folks changed CDNs and so their responses were (slightly) different and dehydrated needed to be tweaked:
Not as advanced as in Caddy (which will be a more pleasant option to use in many cases), but it's curious to see them adding something like that! Makes me wonder whether we'll also get some Nginx functionality like that out of the box sometime so certbot won't have to always be installed alongside it for sites that need to use ACME.
... which means automation was not setup correctly and 90 days is still too long that you just tolerated it. If it was 6 days after a few turns you would have decided "fuck it I'm going to spend time fixing it once and for all".
How could the person you’re replying to have reasonably phrased their comment to avoid this snark from you?
I’m 1,000% sure that they know what you’re trying to espouse. Nowhere in the comment does it say “here is an exhaustive list of hosted email providers”. It’s a JOKE.
Unsurprisingly the 100% true comment in here is gray: PKI is breaking the Internet and because the PKI folks have literally no guardrails of any kind, they're committed to breaking it further despite still virtually zero benefit from constantly making the Internet more fragile.
But hey, there's an upside: When they finally break this toy badly enough, everyone will finally evict the CAB from their lives and do something else.
> They're committed to breaking it further despite still virtually zero benefit from constantly making the Internet more fragile.
I think that shorter cert lifetimes and the push for more automation is a valid direction to look in and work towards. But at the same time that means that there's a certain skill floor and also certain tech that you need to have in place to be able to work with all of that.
Back in the day, you'd just have someone sit down once in a year, move a few files around your server and call it a day. With the current trends, that won't really be possible, at least not for any of the certs that you can get for free.
For my public facing stuff, I just bit the bullet and went through with the automation (certbot is nice, mod_md is okay, Caddy is great), but for my personal stuff I settled on running my own CA and self-signing stuff. If I want a 10 year cert expiry for something that I don't really care that much about, I'll go ahead and do that because I'm in control. The server itself is unlikely to survive for long anyways and other development stuff is more likely to break first, so I'd rather spend my time there, rather than on automation that I don't need. Plus, mTLS is suddenly easy to do as an added security layer if I ever need to expose something to-the-outside-but-actually-just-for-myself-when-on-the-move.
So first and foremost, nearly every enterprise organization is still shifting a few files every 11 months thanks to the CAB. This isn't the past, it's the present.
Second, I think the statistic is that 81% of businesses have had an outage due to certificate expiry. So you need to understand that making certs expire more is inherently damaging. Automation breaks so even automated shorter-lifetime certificates will still accelerate and increase this damage.
And finally, nobody who's ever tried justifying the CAB's behavior has actually been able to demonstrate the CAB is solving real world problems. I want someone from the CAB to show me a real world exploit that happened that was because someone got a hold of a certificate between 7 and 90 days old and was able to use that maliciously.
If someone from the CAB can't do that, the entire CAB should be disbanded.
Regarding your "skill issue" comment, it really only demonstrates you have some growing up to do. There's a lot of real world complexity in operating business-critical and life-critical services, and it's obvious you lack experience with both.
> Regarding your "skill issue" comment, it really only demonstrates you have some growing up to do. There's a lot of real world complexity in operating business-critical and life-critical services, and it's obvious you lack experience with both.
I believe that this is out of place and perhaps a result of reading things with an uncharitable interpretation.
The skill floor part of the comment isn't me attempting to blame someone, but rather point out that needing this sort of automation complicates things and adds friction. If the only certificates that you get for free (e.g. Let's Encrypt) are short lived, then you can't just sit down once a year and move some files around, you need certbot / mod_md / Caddy and all that comes with it. Of course, you still have the longer lived commercial certs, but it's odd to see how the trend is shifting towards ACME. Not the end of the world for most, but also something that a mom & pop shop might prefer not to deal with. Or, you know, environments with specific requirements.
> So you need to understand that making certs expire more is inherently damaging.
For this, I make no claims one way or the other. To me, concerns about long lived certificates seem valid, as do those about short lived ones, both have risks associated with them. Which is the better approach? You decide for yourself. Except most people don't get to decide and just have to roll along with whatever the industry at large settles on.
When you talk about there being risks to both short and long lived certificates, that is true, but it's omitting very important detail: Short-lived certificates have practical, real-world risks that are actually happening every day. People die when the Internet breaks. Long-lived certificates have some imaginary and hypothetical security risks that the CAB is very scared of but mostly don't happen.
In any good risk management scenario you have to weigh the cost/benefit of a change in terms of what benefits it offers and what tradeoffs it has. The CAB has repeatedly demonstrated complete inability to consider the risk profile of their behavior. They are unqualified for the job, and unfortunately, accountable to noone.
> Second, I think the statistic is that 81% of businesses have had an outage due to certificate expiry. So you need to understand that making certs expire more is inherently damaging.
Uh, no. Most of the outage due to certificate expiry is not caused by subtly broken automation. It's caused by non-existent automation or outright broken (never gonna work) automation.
So, if you make certificates expire in 6 days, you are not going to have these outages. They will be caught during develop.
People just pretend it's okay and forget about 1 year certs. With 6 days cert it would be impossible to pretend it's okay to shift a few files manually. Or maybe some organizations will setup a human-run rotation which actually does shifting a few files every 3 days, that's totally okay. You don't need automation. You just need a way to consistently make sure your certificate won't expire in prod (and in emergency, able to quickly replace a cert).
Certificates with 1 year expiry is nothing but a dangerous footgun. It's worse than 30 years expiry, at least with 30 years expiry you don't get outages.
Is it possible for you to run Caddy as a reverse proxy in front of your services? I've done this in the past and it really is set and forget when it's configured correctly.
Speaking of the topic of automation, does anyone know of a domain registry that is suitable for issuing Let's Encrypt certificates for a machine behind a firewall (which requires using the DNS challenge)? I currently use Namecheap, but they started requiring you to manually whitelist the client IP address to use their API, which is annoying when your residential ISP changes your IP address.
Edit: seems like using Cloudflare as the DNS host is the way to go here. Thanks everyone!
If you are not allergic to Cloudflare, they work very well with the DNS-01 challenge and they provide both registrar services as well as DNS. Of course, you can use Namecheap domains with Cloudflare or any other DNS provider and that should solve your problem too.
> Speaking of the topic of automation, does anyone know of a domain registry that is suitable for issuing Let's Encrypt certificates for a machine behind a firewall (which requires using the DNS challenge)?
Here's a utility (and library) that can talk to several dozen APIs for DNS updates (use it as a hook in your ACME client):
Doesn't that run into their rate limits if you generate a certificate every few minutes all the time? Or at least might be a burden, even if it didn't hit an absolute limit. (I'm assuming you're not the only person in the world doing this, so I mostly mean the collective effect this sort of usage pattern has)
Sorry, I should have clarified. You can't do certificates that fast on Let's Encrypt no. I meant running a custom CA inside/alongside Kubernetes, and using that to issue 20-minute validity certs to pods.
