Comment by rickette 2 days ago
Kinda funny to call the current 90 day certs "long lived". When Let's Encrypted started out more than 10 years ago most certs from major vendors had a 1 year life span. Let's Encrypt was (one of) the first to use drastically shorter life spans, hence all the ACME automation effort.
> To someone like me with hobby-level serving needs, the 90 day certificate life is pretty inconvenient
I's only inconvenient because it isn't properly automated. That's by design.
When this can be a acme.sh script cronjob, there isn't much of an excuse. Even my Raspberry Pi dedicated to my 3D printer is happily renewing certificates.
At least with this thing breaking every 90 days you have it fresh on your mind. One year away you may not even remember what you have to do.
Needless to say, you have a bug to fix.
What does your 3D printer Pi serve such that it needs a cert? Do you have ports 80 and 443 open and forwarded to it?
Let's Encrypt doesn't work great when the Let's Encrypt client software has a bug or is misconfigured (one of those is true for your situation).
I think keeping the validity long just removes incentives for people to bother fixing their setups. We've seen the shift from "Craig needs to spend a few days on certificate renewal every year" to full automation in most environments when the 90 day validity period was introduced, and shortening it to a week will only help further automation.
You'll always have the option to skip the hassle (for a small fee, unless a Let's Encrypt competitor joins the market), but I feel the benefits outweigh the downsides.
I personally would've preferred something like DANE working, but because the best we've got is DNSSEC and most of the internet doesn't even bother implementing that, I doubt we'll ever see that replace the current CA system.
I cannot say that this works as flawless as some would advertise, with just as script running every 90 days. Some services do not load certificates while running and must be restarted. That alone can be a hassle.
Some software now uses short lived certificates and even with decent configurations, there is an elevated level of problems specifically because of certificates. Especially in networks that use a lot of segmentation with very restricted network traffic.
I think a short lifetime can be a security benefit, but it should not become a dogma. It should be employed where it really makes sense but as a general rule inconvenient describes it quite well.
It is not just a script running every 90 days. It's also monitoring that the script didn't break, cron didn't break (you know, cron sometimes breaks after the PAM package update), your account didn't get banned, and that your domain name is not affected by a mass revocation.
> with just as script running every 90 days
FWIW you should run most ACME clients more often than that, just in case there's a performance issue or bug at Let's Encrypt's side. The tooling won't replace your certificates unless they're almost expiring anyway. Certbot's instructions will have you set up a cron job that runs twice a day.
> Some services do not load certificates while running and must be restarted
This is exactly the kind of software that needs fixing. Luckily for the critical, nine nines uptime cases where 5 seconds of downtime for the web server restarting is unacceptable, there are services that will sell you certificates valid for a full year or even longer.
I doubt year long certificates are going away soon. We're already years off Let's Encrypt ending their 90 days offering, for sure. The convenience factor isn't going away, at some point it'll just cost a bit more.
There are other "open" CAs that can be used for free. For example, Google Public CA, Buypass and ZeroSSL, which all support the ACME protocol though you need an account there to get EAB credentials, that then are configured in Certbot or whatever you use.
> To someone like me with hobby-level serving needs, the 90 day certificate life is pretty inconvenient, despite having automation set up.
I also have hobby-level serving needs. I've been using LetsEncrypt since whenever it was they started. I have two top level domains and a whole lot of subdomains.
I've never had to babysit certificate renewal, nor had to log in manually to fix anything. Not once. How comes?
If your server is not accessible from the internet you need to use DNS based authentication for which you need to have a DNS API key lying around on your server which is a significant risk.
Weird. It's always been flaky for me, so I thought it was just the usual run-of-the-mill crappy software and that everyone just deals with it. I can't imagine what the bug might be in a 6 line shell script that just runs certbot and then restarts a bunch of services.
I don't know what your issues are, but perhaps the know-it-all people who comments on this with a variation of "you're doing it wrong" or a problem of "not enough automation" could cool down a bit and realize the web PKI is hacks build from hacks and there are many reasons why the public ACME system may not be entirely robust for every application.
On the top of my head, that could be because one or more domains are not accessible from the public Internet (which could be for a variety of reasons), a subset of the subject domains having expired for legitimate reasons but you might not know which in advance (certificates being what they are some application rely on them having alternative names), intermittently flaky routing (which might not be a problem for the application), and a number of other reasons. That's without including potentially hostile actors. Then there are plenty of offline uses for certificates!
That said, Let's Encrypt has really been a revolution and made life better for many people. But it's not perfect and the PKI system itself has many warts. It's absolutely a system that may need a non negligible amount of babysitting when you venture outside the absolute mainstream.
If you're using LetsEncrypt without automation you're doing it wrong, and the reason that the WebPKI is so hacky is that it was insulated from basic computer science for 2 decades and run by enterprise software companies.
You have to automate certificates. You can't do these by hand anymore. Certificate lifetimes are going to get inexorably shorter.
Wow, I came back to this thread and it unexpectedly blew up. Looks like my experience is not normal and L.E. is not flaky for anyone else on HN. Who knew my simple 6 line shell script has been buggy for a decade.
I guess if you zoom out, one of the things I bristle with is LetsEncrypt's opinionated way of changing people's behavior. The short certificates were a deliberate decision, done to "get users to do X." They were pretty transparent about it. In my view, computers should do what users want them to do, not what developers want users to do. We've got enough software out there with notifications and consent dialogs begging users to do this and that, and this just adds to the problem.
I get that the software is free (which was a revolution in the PKI world at the time), but the short lifespan seems to be either a behavior modification experiment OR an annoyance to get people to fork over money for the better (better for users, not necessarily for security), longer-lived products.
The short certificates aren't just a random opinion LetsEncrypt had that they decided to inflict on everybody; it's a recognition of the fact that revocation doesn't work, and so it's important to reduce the blast radius of a compromised certificate. There's now a broad consensus on this in the field. I understand your frustration, but you're going to have to get used to this one.
It is, pretty obviously, not a weird scheme to get you to pay for certificates at some other CA.
Not really. PKI has always been that way since before the web. Mainly because the use cases are so varied and it there is the tendency to support every possibility under the sun.
For the longest time the web PKI lacked a singular view on what exactly they were supposed to be signing. Its usage reflects that.
That is deeply rooted in culture. I mean, we do speak about a culture in which X.509 was a reasonable choice. Years after the X.500 universe was cold to the touch at that.
The rest of your comment seems directed at someone else. Framing this on automation is misleading, which is what the examples in my comment were intended to show.
I also use Certbot (v2.1.0) for my small VPS/hobby setup (www + email) and I haven't had to mess with it since I set it up in 2021. Just adding another data point so you know it doesn't have to be painful. I'll be happy to help, just drop me a line.
> To someone like me with hobby-level serving needs, the 90 day certificate life is pretty inconvenient, despite having automation set up.
I've been running an LE client (official one, dehydrated, others) on various system for ~8 years, and the one time I had an issue with renewing was when (AIUI) the LE folks changed CDNs and so their responses were (slightly) different and dehydrated needed to be tweaked:
* https://community.letsencrypt.org/t/jws-has-no-anti-replay-n...
* https://github.com/dehydrated-io/dehydrated/commit/e4e712c03...
Other than that, never had an issue.
You could also terminate TLS or implement HTTPS with Caddy, which will auto-renew your certs for you.
Curiously, even Apache2 has functionality in the form of mod_md: https://httpd.apache.org/docs/2.4/mod/mod_md.html
Not as advanced as in Caddy (which will be a more pleasant option to use in many cases), but it's curious to see them adding something like that! Makes me wonder whether we'll also get some Nginx functionality like that out of the box sometime so certbot won't have to always be installed alongside it for sites that need to use ACME.
... which means automation was not setup correctly and 90 days is still too long that you just tolerated it. If it was 6 days after a few turns you would have decided "fuck it I'm going to spend time fixing it once and for all".
How could the person you’re replying to have reasonably phrased their comment to avoid this snark from you?
I’m 1,000% sure that they know what you’re trying to espouse. Nowhere in the comment does it say “here is an exhaustive list of hosted email providers”. It’s a JOKE.
These are the attitudes we get when we have a WebPKI cabal drunk on power.
Unsurprisingly the 100% true comment in here is gray: PKI is breaking the Internet and because the PKI folks have literally no guardrails of any kind, they're committed to breaking it further despite still virtually zero benefit from constantly making the Internet more fragile.
But hey, there's an upside: When they finally break this toy badly enough, everyone will finally evict the CAB from their lives and do something else.
Is it possible for you to run Caddy as a reverse proxy in front of your services? I've done this in the past and it really is set and forget when it's configured correctly.
Speaking of the topic of automation, does anyone know of a domain registry that is suitable for issuing Let's Encrypt certificates for a machine behind a firewall (which requires using the DNS challenge)? I currently use Namecheap, but they started requiring you to manually whitelist the client IP address to use their API, which is annoying when your residential ISP changes your IP address.
Edit: seems like using Cloudflare as the DNS host is the way to go here. Thanks everyone!
If you are not allergic to Cloudflare, they work very well with the DNS-01 challenge and they provide both registrar services as well as DNS. Of course, you can use Namecheap domains with Cloudflare or any other DNS provider and that should solve your problem too.
> Speaking of the topic of automation, does anyone know of a domain registry that is suitable for issuing Let's Encrypt certificates for a machine behind a firewall (which requires using the DNS challenge)?
Here's a utility (and library) that can talk to several dozen APIs for DNS updates (use it as a hook in your ACME client):
* https://github.com/dns-lexicon/dns-lexicon
* Previously at: https://github.com/AnalogJ/lexicon
Digital ocean can be used as name servers without paying and they have an API. No clue how compatible.
I’ve been working on a different way to automate. Basically a script that does the renewal and then knows how to install to any destination.
You could consider using caddy or traefik, there is nothing to configure (or access to your dns provider if you want to use this).
I've been using them for years and never had to deal with certificates anymore.
Doesn't that run into their rate limits if you generate a certificate every few minutes all the time? Or at least might be a burden, even if it didn't hit an absolute limit. (I'm assuming you're not the only person in the world doing this, so I mostly mean the collective effect this sort of usage pattern has)
I’ve been using Let’s Encrypt since its release, including for identical-sounding home / hobbyist uses, and have never had these uses.
I’m not saying that our use cases are truly identical, but from what you’ve described, I don’t think that your experience is simply “how things are”.
That (five year certs) was technically true, but the CA/B BRs already told you that was going away in 2015 when Let's Encrypt was started. I don't know how many were still actually selling such a product by the point Let's Encrypt is on the scene.
I think the drop-dead date for this product was like April 2015 or so. The ideal customer for a product like this (lazy and also incompetent but with plenty of money) is also likely to leave it too late. I won't guarantee we'd have caught that, but unlike forbidden steps taken to avert a bigger mess of ones own making (as happened for SHA-1 deprecation, some notable financial outfits secured certs which should not have existed, to cover for the fact they hadn't properly managed their own technical risks) this seems like a product category thing, nobody was openly selling certs that would just break in Chrome, that's a bad product.
[Why would such certificates break in Chrome? Google hate these long lived certs so Chrome treats certificates which have validity exceeding what the BRs authorise as immediately invalid, if you want to moan to Google about why your prohibited certs don't work you're basically admitting you violated your agreement with them so it's like showing up to claim your stolen rucksack full of cocaine from the cops...]
> Let's Encrypt was (one of) the first to use drastically shorter life spans, hence all the ACME automation effort.
Surely there are tradeoffs in having to rotate the certs that often, right? Notably, considerable load on their infrastructure. I get that urging people to automate their renewals makes sense (though I've also heard people unironically saying: "I want it to be a manual process, so I know how it works instead of relying on some black box"), but it seems that shorter and shorter cert lifetimes might put more strain on a service that nigh everyone seems to just be using for free.
Edit: at least there are a lot of prominent companies here https://letsencrypt.org/sponsors/
I just looked into OCSP and their planned sunsetting of their OCSP server, and it seems like they'd much rather scale this as their core activity than provide/maintain/scale other stuff like the OCSP service.
To someone like me with hobby-level serving needs, the 90 day certificate life is pretty inconvenient, despite having automation set up. I run a tiny VPS that hosts basic household stuff like e-mail and a few tiny web sites for people, and letsencrypt/certbot automation around certificate renewal is the only thing that I seem to need to regularly babysit and log in to manually run/fix. Everything else just hums along, but I know it's been 90 days because I suddenly can't connect to my E-mail or one of the web virtual hosts went down again. And sure enough, I just need to run certbot renew manually or restart lighttpd or whatever.