Comment by ryandrake

Comment by ryandrake 2 days ago

55 replies

View on Hacker News

To someone like me with hobby-level serving needs, the 90 day certificate life is pretty inconvenient, despite having automation set up. I run a tiny VPS that hosts basic household stuff like e-mail and a few tiny web sites for people, and letsencrypt/certbot automation around certificate renewal is the only thing that I seem to need to regularly babysit and log in to manually run/fix. Everything else just hums along, but I know it's been 90 days because I suddenly can't connect to my E-mail or one of the web virtual hosts went down again. And sure enough, I just need to run certbot renew manually or restart lighttpd or whatever.

outworlder 2 days ago

> To someone like me with hobby-level serving needs, the 90 day certificate life is pretty inconvenient

I's only inconvenient because it isn't properly automated. That's by design.

When this can be a acme.sh script cronjob, there isn't much of an excuse. Even my Raspberry Pi dedicated to my 3D printer is happily renewing certificates.

At least with this thing breaking every 90 days you have it fresh on your mind. One year away you may not even remember what you have to do.

Needless to say, you have a bug to fix.

Reply View 2 replies
  • theoreticalmal 2 days ago

    What does your 3D printer Pi serve such that it needs a cert? Do you have ports 80 and 443 open and forwarded to it?

    Reply View 1 reply
    • sanswork a day ago

      I run certs on all my internal services so I don't have to deal with this isn't secure errors in the browser when working on things.

      Reply View 0 replies
jeroenhd 2 days ago

Let's Encrypt doesn't work great when the Let's Encrypt client software has a bug or is misconfigured (one of those is true for your situation).

I think keeping the validity long just removes incentives for people to bother fixing their setups. We've seen the shift from "Craig needs to spend a few days on certificate renewal every year" to full automation in most environments when the 90 day validity period was introduced, and shortening it to a week will only help further automation.

You'll always have the option to skip the hassle (for a small fee, unless a Let's Encrypt competitor joins the market), but I feel the benefits outweigh the downsides.

I personally would've preferred something like DANE working, but because the best we've got is DNSSEC and most of the internet doesn't even bother implementing that, I doubt we'll ever see that replace the current CA system.

Reply View 6 replies
  • raxxor a day ago

    I cannot say that this works as flawless as some would advertise, with just as script running every 90 days. Some services do not load certificates while running and must be restarted. That alone can be a hassle.

    Some software now uses short lived certificates and even with decent configurations, there is an elevated level of problems specifically because of certificates. Especially in networks that use a lot of segmentation with very restricted network traffic.

    I think a short lifetime can be a security benefit, but it should not become a dogma. It should be employed where it really makes sense but as a general rule inconvenient describes it quite well.

    Reply View 3 replies
    • patrakov a day ago

      It is not just a script running every 90 days. It's also monitoring that the script didn't break, cron didn't break (you know, cron sometimes breaks after the PAM package update), your account didn't get banned, and that your domain name is not affected by a mass revocation.

      Reply View 1 reply
    • jeroenhd a day ago

      > with just as script running every 90 days

      FWIW you should run most ACME clients more often than that, just in case there's a performance issue or bug at Let's Encrypt's side. The tooling won't replace your certificates unless they're almost expiring anyway. Certbot's instructions will have you set up a cron job that runs twice a day.

      > Some services do not load certificates while running and must be restarted

      This is exactly the kind of software that needs fixing. Luckily for the critical, nine nines uptime cases where 5 seconds of downtime for the web server restarting is unacceptable, there are services that will sell you certificates valid for a full year or even longer.

      I doubt year long certificates are going away soon. We're already years off Let's Encrypt ending their 90 days offering, for sure. The convenience factor isn't going away, at some point it'll just cost a bit more.

      Reply View 0 replies
  • arielcostas 2 days ago

    There are other "open" CAs that can be used for free. For example, Google Public CA, Buypass and ZeroSSL, which all support the ACME protocol though you need an account there to get EAB credentials, that then are configured in Certbot or whatever you use.

    Reply View 0 replies
  • hulitu a day ago

    > I think keeping the validity long just removes incentives for people to bother fixing their setups.

    The best certificates should expire after 20ms. /s

    Reply View 0 replies
MaKey 2 days ago

> [...] despite having automation set up.

Clearly it's not working correctly, so a longer certificate lifetime wouldn't address the root cause - you would just have to fix your setup less often.

Reply View 0 replies
tasuki 2 days ago

> To someone like me with hobby-level serving needs, the 90 day certificate life is pretty inconvenient, despite having automation set up.

I also have hobby-level serving needs. I've been using LetsEncrypt since whenever it was they started. I have two top level domains and a whole lot of subdomains.

I've never had to babysit certificate renewal, nor had to log in manually to fix anything. Not once. How comes?

Reply View 4 replies
  • 5d41402abc4b 2 days ago

    If your server is not accessible from the internet you need to use DNS based authentication for which you need to have a DNS API key lying around on your server which is a significant risk.

    Reply View 2 replies
    • erincandescent a day ago

      Put the ACME challenges in their own DNS zones. Grant the key permission to only that zone. Risk mitigated.

      Reply View 1 reply
  • ryandrake a day ago

    Weird. It's always been flaky for me, so I thought it was just the usual run-of-the-mill crappy software and that everyone just deals with it. I can't imagine what the bug might be in a 6 line shell script that just runs certbot and then restarts a bunch of services.

    Reply View 0 replies
xorcist 2 days ago

I don't know what your issues are, but perhaps the know-it-all people who comments on this with a variation of "you're doing it wrong" or a problem of "not enough automation" could cool down a bit and realize the web PKI is hacks build from hacks and there are many reasons why the public ACME system may not be entirely robust for every application.

On the top of my head, that could be because one or more domains are not accessible from the public Internet (which could be for a variety of reasons), a subset of the subject domains having expired for legitimate reasons but you might not know which in advance (certificates being what they are some application rely on them having alternative names), intermittently flaky routing (which might not be a problem for the application), and a number of other reasons. That's without including potentially hostile actors. Then there are plenty of offline uses for certificates!

That said, Let's Encrypt has really been a revolution and made life better for many people. But it's not perfect and the PKI system itself has many warts. It's absolutely a system that may need a non negligible amount of babysitting when you venture outside the absolute mainstream.

Reply View 4 replies
  • tptacek 2 days ago

    If you're using LetsEncrypt without automation you're doing it wrong, and the reason that the WebPKI is so hacky is that it was insulated from basic computer science for 2 decades and run by enterprise software companies.

    You have to automate certificates. You can't do these by hand anymore. Certificate lifetimes are going to get inexorably shorter.

    Reply View 3 replies
    • ryandrake a day ago

      Wow, I came back to this thread and it unexpectedly blew up. Looks like my experience is not normal and L.E. is not flaky for anyone else on HN. Who knew my simple 6 line shell script has been buggy for a decade.

      I guess if you zoom out, one of the things I bristle with is LetsEncrypt's opinionated way of changing people's behavior. The short certificates were a deliberate decision, done to "get users to do X." They were pretty transparent about it. In my view, computers should do what users want them to do, not what developers want users to do. We've got enough software out there with notifications and consent dialogs begging users to do this and that, and this just adds to the problem.

      I get that the software is free (which was a revolution in the PKI world at the time), but the short lifespan seems to be either a behavior modification experiment OR an annoyance to get people to fork over money for the better (better for users, not necessarily for security), longer-lived products.

      Reply View 1 reply
      • tptacek a day ago

        The short certificates aren't just a random opinion LetsEncrypt had that they decided to inflict on everybody; it's a recognition of the fact that revocation doesn't work, and so it's important to reduce the blast radius of a compromised certificate. There's now a broad consensus on this in the field. I understand your frustration, but you're going to have to get used to this one.

        It is, pretty obviously, not a weird scheme to get you to pay for certificates at some other CA.

        Reply View 0 replies
    • xorcist 2 days ago

      Not really. PKI has always been that way since before the web. Mainly because the use cases are so varied and it there is the tendency to support every possibility under the sun.

      For the longest time the web PKI lacked a singular view on what exactly they were supposed to be signing. Its usage reflects that.

      That is deeply rooted in culture. I mean, we do speak about a culture in which X.509 was a reasonable choice. Years after the X.500 universe was cold to the touch at that.

      The rest of your comment seems directed at someone else. Framing this on automation is misleading, which is what the examples in my comment were intended to show.

      Reply View 0 replies
eikenberry 2 days ago

I also use Certbot (v2.1.0) for my small VPS/hobby setup (www + email) and I haven't had to mess with it since I set it up in 2021. Just adding another data point so you know it doesn't have to be painful. I'll be happy to help, just drop me a line.

Reply View 0 replies
throw0101a 2 days ago

> To someone like me with hobby-level serving needs, the 90 day certificate life is pretty inconvenient, despite having automation set up.

I've been running an LE client (official one, dehydrated, others) on various system for ~8 years, and the one time I had an issue with renewing was when (AIUI) the LE folks changed CDNs and so their responses were (slightly) different and dehydrated needed to be tweaked:

* https://community.letsencrypt.org/t/jws-has-no-anti-replay-n...

* https://github.com/dehydrated-io/dehydrated/commit/e4e712c03...

Other than that, never had an issue.

Reply View 0 replies
supriyo-biswas 2 days ago

You could also terminate TLS or implement HTTPS with Caddy, which will auto-renew your certs for you.

Reply View 1 reply
  • KronisLV 2 days ago

    Curiously, even Apache2 has functionality in the form of mod_md: https://httpd.apache.org/docs/2.4/mod/mod_md.html

    Not as advanced as in Caddy (which will be a more pleasant option to use in many cases), but it's curious to see them adding something like that! Makes me wonder whether we'll also get some Nginx functionality like that out of the box sometime so certbot won't have to always be installed alongside it for sites that need to use ACME.

    Reply View 0 replies
Dries007 2 days ago

For me it's only ever an issue if I stop renewing a domain, which triggers issues somewhere next renewal and now nginx doesn't reload.

Other than that, I've never had to babysit certbot. It's just a systemd timer job.

Reply View 1 reply
  • [removed] 2 days ago
    [deleted]
    Reply View 0 replies
rfoo 2 days ago

... which means automation was not setup correctly and 90 days is still too long that you just tolerated it. If it was 6 days after a few turns you would have decided "fuck it I'm going to spend time fixing it once and for all".

Reply View 10 replies
  • jonas21 2 days ago

    Or perhaps, "I'm going to give up and switch to gmail once and for all"

    Reply View 2 replies
    • dingnuts 2 days ago

      there are other email providers, you know. the choices are not "do it all myself" and "be Google's product."

      Reply View 1 reply
      • bolognafairy 2 days ago

        How could the person you’re replying to have reasonably phrased their comment to avoid this snark from you?

        I’m 1,000% sure that they know what you’re trying to espouse. Nowhere in the comment does it say “here is an exhaustive list of hosted email providers”. It’s a JOKE.

        Reply View 0 replies
  • likeabatterycar 2 days ago

    These are the attitudes we get when we have a WebPKI cabal drunk on power.

    Reply View 6 replies
    • ocdtrekkie 2 days ago

      Unsurprisingly the 100% true comment in here is gray: PKI is breaking the Internet and because the PKI folks have literally no guardrails of any kind, they're committed to breaking it further despite still virtually zero benefit from constantly making the Internet more fragile.

      But hey, there's an upside: When they finally break this toy badly enough, everyone will finally evict the CAB from their lives and do something else.

      Reply View 4 replies
      • KronisLV 2 days ago

        > They're committed to breaking it further despite still virtually zero benefit from constantly making the Internet more fragile.

        I think that shorter cert lifetimes and the push for more automation is a valid direction to look in and work towards. But at the same time that means that there's a certain skill floor and also certain tech that you need to have in place to be able to work with all of that.

        Back in the day, you'd just have someone sit down once in a year, move a few files around your server and call it a day. With the current trends, that won't really be possible, at least not for any of the certs that you can get for free.

        For my public facing stuff, I just bit the bullet and went through with the automation (certbot is nice, mod_md is okay, Caddy is great), but for my personal stuff I settled on running my own CA and self-signing stuff. If I want a 10 year cert expiry for something that I don't really care that much about, I'll go ahead and do that because I'm in control. The server itself is unlikely to survive for long anyways and other development stuff is more likely to break first, so I'd rather spend my time there, rather than on automation that I don't need. Plus, mTLS is suddenly easy to do as an added security layer if I ever need to expose something to-the-outside-but-actually-just-for-myself-when-on-the-move.

        Reply View 3 replies
Rodeoclash 2 days ago

Is it possible for you to run Caddy as a reverse proxy in front of your services? I've done this in the past and it really is set and forget when it's configured correctly.

Reply View 2 replies
  • ghxst 2 days ago

    Heard positive things about Caddy before, do you know if it works with ip adresses as well?

    Reply View 1 reply
telotortium 2 days ago

Speaking of the topic of automation, does anyone know of a domain registry that is suitable for issuing Let's Encrypt certificates for a machine behind a firewall (which requires using the DNS challenge)? I currently use Namecheap, but they started requiring you to manually whitelist the client IP address to use their API, which is annoying when your residential ISP changes your IP address.

Edit: seems like using Cloudflare as the DNS host is the way to go here. Thanks everyone!

Reply View 7 replies
  • jchw 2 days ago

    If you are not allergic to Cloudflare, they work very well with the DNS-01 challenge and they provide both registrar services as well as DNS. Of course, you can use Namecheap domains with Cloudflare or any other DNS provider and that should solve your problem too.

    Reply View 0 replies
  • throw0101c a day ago

    > Speaking of the topic of automation, does anyone know of a domain registry that is suitable for issuing Let's Encrypt certificates for a machine behind a firewall (which requires using the DNS challenge)?

    Here's a utility (and library) that can talk to several dozen APIs for DNS updates (use it as a hook in your ACME client):

    * https://github.com/dns-lexicon/dns-lexicon

    * Previously at: https://github.com/AnalogJ/lexicon

    Reply View 0 replies
  • jhart99 2 days ago

    Cloudflare has worked quite well for me as a DNS host. You don't need to have the registrar host the DNS records.

    Reply View 0 replies
  • bruce511 2 days ago

    I use DNSimple.com - it's working well, and has a stable API that can let you do anything.

    Reply View 0 replies
  • birdman3131 2 days ago

    Digital ocean can be used as name servers without paying and they have an API. No clue how compatible.

    Reply View 1 reply
    • coffee-- 2 days ago

      I use Digital Ocean via Caddy and acme.sh with no problems

      Reply View 0 replies
BrandoElFollito 2 days ago

You could consider using caddy or traefik, there is nothing to configure (or access to your dns provider if you want to use this).

I've been using them for years and never had to deal with certificates anymore.

Reply View 0 replies
lowsong 2 days ago

I'm used to certs in Kubernetes, so even 6 days is long-lived. 20 minutes is more like it.

Reply View 2 replies
  • Aachen 2 days ago

    Doesn't that run into their rate limits if you generate a certificate every few minutes all the time? Or at least might be a burden, even if it didn't hit an absolute limit. (I'm assuming you're not the only person in the world doing this, so I mostly mean the collective effect this sort of usage pattern has)

    Reply View 1 reply
    • lowsong 2 days ago

      Sorry, I should have clarified. You can't do certificates that fast on Let's Encrypt no. I meant running a custom CA inside/alongside Kubernetes, and using that to issue 20-minute validity certs to pods.

      Reply View 0 replies
bolognafairy 2 days ago

I’ve been using Let’s Encrypt since its release, including for identical-sounding home / hobbyist uses, and have never had these uses.

I’m not saying that our use cases are truly identical, but from what you’ve described, I don’t think that your experience is simply “how things are”.

Reply View 0 replies