1/16/2025 at 7:32:20 PM
Kinda funny to call the current 90 day certs "long lived". When Let's Encrypt started out more than 10 years ago most certs from major vendors had a 1 year life span. Let's Encrypt was (one of) the first to use drastically shorter life spans, hence all the ACME automation effort.
by rickette
1/16/2025 at 8:10:02 PM
To someone like me with hobby-level serving needs, the 90 day certificate life is pretty inconvenient, despite having automation set up. I run a tiny VPS that hosts basic household stuff like e-mail and a few tiny web sites for people, and letsencrypt/certbot automation around certificate renewal is the only thing that I seem to need to regularly babysit and log in to manually run/fix. Everything else just hums along, but I know it's been 90 days because I suddenly can't connect to my E-mail or one of the web virtual hosts went down again. And sure enough, I just need to run certbot renew manually or restart lighttpd or whatever.
by ryandrake
1/16/2025 at 10:33:27 PM
> To someone like me with hobby-level serving needs, the 90 day certificate life is pretty inconvenient
It's only inconvenient because it isn't properly automated. That's by design.
When this can be an acme.sh script cronjob, there isn't much of an excuse. Even my Raspberry Pi dedicated to my 3D printer is happily renewing certificates.
At least with this thing breaking every 90 days you have it fresh on your mind. One year away you may not even remember what you have to do.
Needless to say, you have a bug to fix.
by outworlder
1/17/2025 at 3:41:08 AM
What does your 3D printer Pi serve such that it needs a cert? Do you have ports 80 and 443 open and forwarded to it?
by theoreticalmal
1/17/2025 at 9:36:09 PM
I run certs on all my internal services so I don't have to deal with "this isn't secure" errors in the browser when working on things.
by sanswork
1/16/2025 at 9:06:13 PM
Let's Encrypt doesn't work great when the Let's Encrypt client software has a bug or is misconfigured (one of those is true for your situation).
I think keeping the validity long just removes incentives for people to bother fixing their setups. We've seen the shift from "Craig needs to spend a few days on certificate renewal every year" to full automation in most environments when the 90 day validity period was introduced, and shortening it to a week will only help further automation.
You'll always have the option to skip the hassle (for a small fee, unless a Let's Encrypt competitor joins the market), but I feel the benefits outweigh the downsides.
I personally would've preferred something like DANE working, but because the best we've got is DNSSEC and most of the internet doesn't even bother implementing that, I doubt we'll ever see that replace the current CA system.
by jeroenhd
1/17/2025 at 1:56:37 PM
I cannot say that this works as flawlessly as some would advertise, with just a script running every 90 days. Some services do not load certificates while running and must be restarted. That alone can be a hassle.
Some software now uses short lived certificates and even with decent configurations, there is an elevated level of problems specifically because of certificates. Especially in networks that use a lot of segmentation with very restricted network traffic.
I think a short lifetime can be a security benefit, but it should not become a dogma. It should be employed where it really makes sense but as a general rule inconvenient describes it quite well.
by raxxor
1/17/2025 at 6:26:57 PM
It is not just a script running every 90 days. It's also monitoring that the script didn't break, cron didn't break (you know, cron sometimes breaks after the PAM package update), your account didn't get banned, and that your domain name is not affected by a mass revocation.
by patrakov
1/17/2025 at 9:44:04 PM
Are you... not monitoring those things otherwise?
by atomicnumber3
1/17/2025 at 4:44:56 PM
> with just a script running every 90 days
FWIW you should run most ACME clients more often than that, just in case there's a performance issue or bug at Let's Encrypt's side. The tooling won't replace your certificates unless they're almost expiring anyway. Certbot's instructions will have you set up a cron job that runs twice a day.
> Some services do not load certificates while running and must be restarted
This is exactly the kind of software that needs fixing. Luckily for the critical, nine nines uptime cases where 5 seconds of downtime for the web server restarting is unacceptable, there are services that will sell you certificates valid for a full year or even longer.
I doubt year long certificates are going away soon. We're already years off Let's Encrypt ending their 90 days offering, for sure. The convenience factor isn't going away, at some point it'll just cost a bit more.
by jeroenhd
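An added example (not from the thread, and not certbot's own code) covering the two points raised above: the monitoring patrakov mentions, run from the same twice-daily cron that jeroenhd recommends. It assumes certbot's default `/etc/letsencrypt/live/<name>/fullchain.pem` layout and certbot's default of renewing once fewer than 30 days remain, so a certificate with under 20 days left means renewal has been silently failing for over a week.

```shell
#!/bin/sh
# Renewal health check to run right after `certbot renew` in cron or a systemd timer.
# Exit status is the number of certificates that need attention, so the job can alert.

# cert_needs_attention CERT_PEM DAYS
# Exit 0 when the certificate expires within DAYS days (or has already expired), 1 otherwise.
cert_needs_attention() {
    cert="$1"
    days="$2"
    # `openssl x509 -checkend N` exits 0 while the cert stays valid for the next N seconds,
    # so we invert it: "needs attention" means it will NOT survive the whole window.
    if openssl x509 -noout -checkend $((days * 86400)) -in "$cert" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# check_live_dir LIVE_DIR DAYS
# Walks certbot's live/ layout (LIVE_DIR/<name>/fullchain.pem), prints one WARN line per
# certificate expiring within DAYS days, and returns how many there were (0 = all healthy).
check_live_dir() {
    live="$1"
    days="$2"
    bad=0
    for dir in "$live"/*/; do
        [ -f "$dir/fullchain.pem" ] || continue
        name=$(basename "$dir")
        if cert_needs_attention "$dir/fullchain.pem" "$days"; then
            echo "WARN: $name expires within $days days - renewal is not keeping up"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Typical cron use (assumed paths; adjust to taste):
#   certbot renew --quiet
#   check_live_dir /etc/letsencrypt/live 20 || mail -s "cert renewal is failing" root
```

Because certbot only renews when a certificate is close to expiry, running this check twice a day costs nothing extra and turns a "my mail stopped working" discovery into a warning with days of slack.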
1/17/2025 at 9:30:25 AM
There are other "open" CAs that can be used for free. For example, Google Public CA, Buypass and ZeroSSL, which all support the ACME protocol though you need an account there to get EAB credentials, that then are configured in Certbot or whatever you use.
by arielcostas
1/17/2025 at 8:02:05 PM
> I think keeping the validity long just removes incentives for people to bother fixing their setups.
The best certificates should expire after 20ms. /s
by hulitu
1/16/2025 at 10:52:23 PM
> To someone like me with hobby-level serving needs, the 90 day certificate life is pretty inconvenient, despite having automation set up.
I also have hobby-level serving needs. I've been using LetsEncrypt since whenever it was they started. I have two top level domains and a whole lot of subdomains.
I've never had to babysit certificate renewal, nor had to log in manually to fix anything. Not once. How come?
by tasuki
1/17/2025 at 3:49:32 PM
Weird. It's always been flaky for me, so I thought it was just the usual run-of-the-mill crappy software and that everyone just deals with it. I can't imagine what the bug might be in a 6 line shell script that just runs certbot and then restarts a bunch of services.
by ryandrake
1/17/2025 at 8:37:26 AM
If your server is not accessible from the internet you need to use DNS based authentication for which you need to have a DNS API key lying around on your server which is a significant risk.
by 5d41402abc4b
1/17/2025 at 3:45:32 PM
Put the ACME challenges in their own DNS zones. Grant the key permission to only that zone. Risk mitigated.
by erincandescent
1/17/2025 at 5:06:52 PM
Is this possible on Porkbun?
by crtasm
1/16/2025 at 10:42:01 PM
> [...] despite having automation set up.
Clearly it's not working correctly, so a longer certificate lifetime wouldn't address the root cause - you would just have to fix your setup less often.
by MaKey
1/16/2025 at 11:43:53 PM
I don't know what your issues are, but perhaps the know-it-all people who comment on this with a variation of "you're doing it wrong" or a problem of "not enough automation" could cool down a bit and realize the web PKI is hacks built from hacks and there are many reasons why the public ACME system may not be entirely robust for every application.
Off the top of my head, that could be because one or more domains are not accessible from the public Internet (which could be for a variety of reasons), a subset of the subject domains having expired for legitimate reasons but you might not know which in advance (certificates being what they are, some applications rely on them having alternative names), intermittently flaky routing (which might not be a problem for the application), and a number of other reasons. That's without including potentially hostile actors. Then there are plenty of offline uses for certificates!
That said, Let's Encrypt has really been a revolution and made life better for many people. But it's not perfect and the PKI system itself has many warts. It's absolutely a system that may need a non-negligible amount of babysitting when you venture outside the absolute mainstream.
by xorcist
1/16/2025 at 11:56:47 PM
If you're using LetsEncrypt without automation you're doing it wrong, and the reason that the WebPKI is so hacky is that it was insulated from basic computer science for 2 decades and run by enterprise software companies.
You have to automate certificates. You can't do these by hand anymore. Certificate lifetimes are going to get inexorably shorter.
by tptacek
1/17/2025 at 3:56:20 PM
Wow, I came back to this thread and it unexpectedly blew up. Looks like my experience is not normal and L.E. is not flaky for anyone else on HN. Who knew my simple 6 line shell script has been buggy for a decade.
I guess if you zoom out, one of the things I bristle at is LetsEncrypt's opinionated way of changing people's behavior. The short certificates were a deliberate decision, done to "get users to do X." They were pretty transparent about it. In my view, computers should do what users want them to do, not what developers want users to do. We've got enough software out there with notifications and consent dialogs begging users to do this and that, and this just adds to the problem.
I get that the software is free (which was a revolution in the PKI world at the time), but the short lifespan seems to be either a behavior modification experiment OR an annoyance to get people to fork over money for the better (better for users, not necessarily for security), longer-lived products.
by ryandrake
1/17/2025 at 5:04:26 PM
The short certificates aren't just a random opinion LetsEncrypt had that they decided to inflict on everybody; it's a recognition of the fact that revocation doesn't work, and so it's important to reduce the blast radius of a compromised certificate. There's now a broad consensus on this in the field. I understand your frustration, but you're going to have to get used to this one.
It is, pretty obviously, not a weird scheme to get you to pay for certificates at some other CA.
by tptacek
1/17/2025 at 1:08:27 AM
Not really. PKI has always been that way since before the web. Mainly because the use cases are so varied and there is the tendency to support every possibility under the sun.
For the longest time the web PKI lacked a singular view on what exactly they were supposed to be signing. Its usage reflects that.
That is deeply rooted in culture. I mean, we do speak about a culture in which X.509 was a reasonable choice. Years after the X.500 universe was cold to the touch at that.
The rest of your comment seems directed at someone else. Framing this on automation is misleading, which is what the examples in my comment were intended to show.
by xorcist
1/16/2025 at 9:25:46 PM
I also use Certbot (v2.1.0) for my small VPS/hobby setup (www + email) and I haven't had to mess with it since I set it up in 2021. Just adding another data point so you know it doesn't have to be painful. I'll be happy to help, just drop me a line.
by eikenberry
1/17/2025 at 5:15:56 AM
You could also terminate TLS or implement HTTPS with Caddy, which will auto-renew your certs for you.
by supriyo-biswas
1/17/2025 at 8:29:00 AM
Curiously, even Apache2 has functionality in the form of mod_md: https://httpd.apache.org/docs/2.4/mod/mod_md.html
Not as advanced as in Caddy (which will be a more pleasant option to use in many cases), but it's curious to see them adding something like that! Makes me wonder whether we'll also get some Nginx functionality like that out of the box sometime so certbot won't have to always be installed alongside it for sites that need to use ACME.
by KronisLV
1/17/2025 at 1:27:08 AM
> To someone like me with hobby-level serving needs, the 90 day certificate life is pretty inconvenient, despite having automation set up.
I've been running an LE client (official one, dehydrated, others) on various systems for ~8 years, and the one time I had an issue with renewing was when (AIUI) the LE folks changed CDNs and so their responses were (slightly) different and dehydrated needed to be tweaked:
* https://community.letsencrypt.org/t/jws-has-no-anti-replay-n...
* https://github.com/dehydrated-io/dehydrated/commit/e4e712c03...
Other than that, never had an issue.
by throw0101a
1/16/2025 at 8:35:07 PM
For me it's only ever an issue if I stop renewing a domain, which triggers issues somewhere next renewal and now nginx doesn't reload.
Other than that, I've never had to babysit certbot. It's just a systemd timer job.
by Dries007
1/16/2025 at 10:57:09 PM
Speaking of the topic of automation, does anyone know of a domain registry that is suitable for issuing Let's Encrypt certificates for a machine behind a firewall (which requires using the DNS challenge)? I currently use Namecheap, but they started requiring you to manually whitelist the client IP address to use their API, which is annoying when your residential ISP changes your IP address.
Edit: seems like using Cloudflare as the DNS host is the way to go here. Thanks everyone!
by telotortium
1/17/2025 at 3:27:46 PM
> Speaking of the topic of automation, does anyone know of a domain registry that is suitable for issuing Let's Encrypt certificates for a machine behind a firewall (which requires using the DNS challenge)?
Here's a utility (and library) that can talk to several dozen APIs for DNS updates (use it as a hook in your ACME client):
* https://github.com/dns-lexicon/dns-lexicon
* Previously at: https://github.com/AnalogJ/lexicon
by throw0101c
1/16/2025 at 11:05:59 PM
If you are not allergic to Cloudflare, they work very well with the DNS-01 challenge and they provide both registrar services as well as DNS. Of course, you can use Namecheap domains with Cloudflare or any other DNS provider and that should solve your problem too.
by jchw
1/16/2025 at 11:05:53 PM
Cloudflare has worked quite well for me as a DNS host. You don't need to have the registrar host the DNS records.
by jhart99
1/17/2025 at 3:34:19 AM
I use DNSimple.com - it's working well, and has a stable API that can let you do anything.
by bruce511
1/16/2025 at 11:04:43 PM
Digital Ocean can be used as name servers without paying and they have an API. No clue how compatible.
by birdman3131
1/17/2025 at 3:40:18 AM
I use Digital Ocean via Caddy and acme.sh with no problems
by coffee--
1/17/2025 at 9:05:36 AM
OVH works fine too
by BrandoElFollito
1/16/2025 at 9:57:36 PM
Is it possible for you to run Caddy as a reverse proxy in front of your services? I've done this in the past and it really is set and forget when it's configured correctly.
by Rodeoclash
1/16/2025 at 10:10:55 PM
Heard positive things about Caddy before, do you know if it works with IP addresses as well?
by ghxst
1/17/2025 at 12:02:34 AM
It does.
by mholt
1/16/2025 at 8:13:23 PM
... which means automation was not set up correctly and 90 days is still too long that you just tolerated it. If it was 6 days after a few turns you would have decided "fuck it I'm going to spend time fixing it once and for all".
by rfoo
1/16/2025 at 8:41:06 PM
Or perhaps, "I'm going to give up and switch to gmail once and for all"
by jonas21
1/16/2025 at 9:16:42 PM
there are other email providers, you know. the choices are not "do it all myself" and "be Google's product."
by dingnuts
1/17/2025 at 12:06:12 AM
How could the person you're replying to have reasonably phrased their comment to avoid this snark from you?
I'm 1,000% sure that they know what you're trying to espouse. Nowhere in the comment does it say "here is an exhaustive list of hosted email providers". It's a JOKE.
by bolognafairy
1/16/2025 at 9:02:31 PM
These are the attitudes we get when we have a WebPKI cabal drunk on power.
by likeabatterycar
1/17/2025 at 4:19:07 AM
Unsurprisingly the 100% true comment in here is gray: PKI is breaking the Internet and because the PKI folks have literally no guardrails of any kind, they're committed to breaking it further despite still virtually zero benefit from constantly making the Internet more fragile.
But hey, there's an upside: When they finally break this toy badly enough, everyone will finally evict the CAB from their lives and do something else.
by ocdtrekkie
1/17/2025 at 8:41:26 AM
> They're committed to breaking it further despite still virtually zero benefit from constantly making the Internet more fragile.
I think that shorter cert lifetimes and the push for more automation is a valid direction to look in and work towards. But at the same time that means that there's a certain skill floor and also certain tech that you need to have in place to be able to work with all of that.
Back in the day, you'd just have someone sit down once in a year, move a few files around your server and call it a day. With the current trends, that won't really be possible, at least not for any of the certs that you can get for free.
For my public facing stuff, I just bit the bullet and went through with the automation (certbot is nice, mod_md is okay, Caddy is great), but for my personal stuff I settled on running my own CA and self-signing stuff. If I want a 10 year cert expiry for something that I don't really care that much about, I'll go ahead and do that because I'm in control. The server itself is unlikely to survive for long anyways and other development stuff is more likely to break first, so I'd rather spend my time there, rather than on automation that I don't need. Plus, mTLS is suddenly easy to do as an added security layer if I ever need to expose something to-the-outside-but-actually-just-for-myself-when-on-the-move.
by KronisLV
1/17/2025 at 12:08:52 AM
[flagged]
by bolognafairy
1/17/2025 at 9:04:24 AM
You could consider using caddy or traefik, there is nothing to configure (or access to your dns provider if you want to use this).
I've been using them for years and never had to deal with certificates anymore.
by BrandoElFollito
1/17/2025 at 3:43:26 AM
I've been working on a different way to automate. Basically a script that does the renewal and then knows how to install to any destination.
by memset
1/16/2025 at 11:17:06 PM
I'm used to certs in Kubernetes, so even 6 days is long-lived. 20 minutes is more like it.
by lowsong
1/16/2025 at 11:20:02 PM
Doesn't that run into their rate limits if you generate a certificate every few minutes all the time? Or at least might be a burden, even if it didn't hit an absolute limit. (I'm assuming you're not the only person in the world doing this, so I mostly mean the collective effect this sort of usage pattern has)
by Aachen
1/16/2025 at 11:25:23 PM
Sorry, I should have clarified. You can't do certificates that fast on Let's Encrypt no. I meant running a custom CA inside/alongside Kubernetes, and using that to issue 20-minute validity certs to pods.
by lowsong
1/17/2025 at 12:03:03 AM
I've been using Let's Encrypt since its release, including for identical-sounding home / hobbyist uses, and have never had these issues.
I'm not saying that our use cases are truly identical, but from what you've described, I don't think that your experience is simply "how things are".
by bolognafairy
1/16/2025 at 8:16:59 PM
When Let's Encrypt got started in 2014, CAs could issue certificates valid for up to five years - and many did. The CA/Browser Forum has slowly been ratcheting that down.
by duskwuff
1/17/2025 at 12:39:02 AM
That (five year certs) was technically true, but the CA/B BRs already told you that was going away in 2015 when Let's Encrypt was started. I don't know how many were still actually selling such a product by the point Let's Encrypt is on the scene.
I think the drop-dead date for this product was like April 2015 or so. The ideal customer for a product like this (lazy and also incompetent but with plenty of money) is also likely to leave it too late. I won't guarantee we'd have caught that, but unlike forbidden steps taken to avert a bigger mess of one's own making (as happened for SHA-1 deprecation, some notable financial outfits secured certs which should not have existed, to cover for the fact they hadn't properly managed their own technical risks) this seems like a product category thing, nobody was openly selling certs that would just break in Chrome, that's a bad product.
[Why would such certificates break in Chrome? Google hate these long lived certs so Chrome treats certificates which have validity exceeding what the BRs authorise as immediately invalid, if you want to moan to Google about why your prohibited certs don't work you're basically admitting you violated your agreement with them so it's like showing up to claim your stolen rucksack full of cocaine from the cops...]
by tialaramex
1/17/2025 at 8:26:15 AM
> Let's Encrypt was (one of) the first to use drastically shorter life spans, hence all the ACME automation effort.
Surely there are tradeoffs in having to rotate the certs that often, right? Notably, considerable load on their infrastructure. I get that urging people to automate their renewals makes sense (though I've also heard people unironically saying: "I want it to be a manual process, so I know how it works instead of relying on some black box"), but it seems that shorter and shorter cert lifetimes might put more strain on a service that nigh everyone seems to just be using for free.
Edit: at least there are a lot of prominent companies here https://letsencrypt.org/sponsors/
by KronisLV
1/17/2025 at 10:01:03 AM
I just looked into OCSP and their planned sunsetting of their OCSP server, and it seems like they'd much rather scale this as their core activity than provide/maintain/scale other stuff like the OCSP service.
by raihansaputra