Comment by ray_v

Comment by ray_v 2 days ago

14 replies

This feels like a disaster waiting to happen -- like what happens if (when?) Let's Encrypt suffers a significant outage and sites can't refresh certificates? Do we just tolerate a significant portion of the Internet being down or broken due to expired certificates? And for what tradeoff? A very small amount of extra security? Is this because certificate revocation is a harder problem to solve / implement at Internet scale?

Arnavion 2 days ago

I agree. Anecdotally, the last time LE had an outage that prevented my cert from renewing, it took about ~4.5 days from when I reported the issue to them to when they started looking and provided a workaround. Since this was a 90-day cert it still had 30 days left on it, so I wasn't worried. If it had been a 6-day cert and only had 2 days left on it, I would've had to go to red alert and switch to another CA ASAP.

https://community.letsencrypt.org/t/post-to-new-order-url-fa...

If they do start providing 6-day certs I hope their turnaround on issue reports is faster than that (and ideally have something better for reporting issues than a community forum where you have to suffer clueless morons spamming your thread).

mholt 2 days ago

Fortunately, most ACME clients, including my own, support other CAs as fallbacks. (Caddy's ACME stack falls back to ZeroSSL by default, automatically.)

That, and extended week-long outages are extremely unlikely.

  • deathanatos 2 days ago

    > That, and extended week-long outages are extremely unlikely.

    You only need the outage to last for the window of [begin renewal attempts, expiration], not the entire 6d lifetime.

    For example, with the 90d certs, I think cert-manager defaults to renewal at 30d out. Let's assume the same grace, of ~33% of the total life, for the 6d certs: that means renew at 2d out. So if an outage persisted for 2d, those certs would be at risk of expiring.

    • mholt 2 days ago

      True, but it doesn't matter since competent clients should be falling back to other CAs anyway.

      • bmicraft 2 days ago

        Sounds like a surefire way to DDoS the next CA in line (and then all the others), since supposedly they wouldn't be prepared for that kind of traffic since LetsEncrypt is currently the default choice almost everywhere.

  • mkj a day ago

    I suspect ZeroSSL might have capacity problems if the entire userbase of letsencrypt moved to them in a few days. Letsencrypt are talking about 100 million certs/day in future?

  • cyberax 2 days ago

    Plenty of clients don't have that option. E.g.: Synology NAS, Mikrotik routers.

arianvanp 2 days ago

A 7 day outage seems rather unlikely no?

  • pilif 2 days ago

    On average half of the certs would expire in half of the time. A 3.5-day sustained DDoS attack would cause half of the sites using a 6-day certificate to be offline.

    • zzyzxd 2 days ago

      I am not saying 6 days is long enough, but if your automation always waits until the last minute to renew certs, you may have more issues to worry about than the CA's availability. If I am going to use a cert with 6 days lifetime I will be renewing it at least once a day.

      • ncruces 2 days ago

        Yeah, that conflicts with their rate limits, which I hope they'll revise under this scheme.

        https://letsencrypt.org/docs/rate-limits/

        For the “exact same set of hostnames” (aka. renewals) the rate limit is 5 certificates every 7 days.

        So you could do it every other day, if you can make sure there's only one client doing it.

        And they're very clear this is a global limit: creating multiple accounts doesn't subvert it.

        So you'll need to manage this centrally, if you have multiple hosts sharing a hostname.
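As an added example (not code from any commenter in this thread), here is a small Python model of the two quantities argued over above: the share of a fleet's certificates that lapse during a CA outage, given the lifetime and the renew-before threshold discussed by deathanatos, pilif and zzyzxd, and whether a renewal cadence fits the 5-per-7-days limit ncruces quotes. The uniform steady-state spread of remaining validity across a fleet is an assumption of the model, not something stated in the thread.

```python
from fractions import Fraction

# Figures quoted in the thread: 5 certs per 7 days for the same hostname set.
RATE_LIMIT_CERTS = 5
RATE_LIMIT_WINDOW_DAYS = 7


def expired_fraction(lifetime_days, renew_before_days, outage_days):
    """Share of a fleet's certs that expire during a CA outage.

    Model assumption: clients renew as soon as `renew_before_days` of validity
    remain, so in steady state the remaining validity across the fleet is spread
    uniformly over (renew_before_days, lifetime_days]. A cert lapses if the
    outage outlasts its remaining validity. Exact arithmetic via Fraction.
    """
    if not 0 <= renew_before_days < lifetime_days:
        raise ValueError("renewal threshold must lie inside the lifetime")
    spread = Fraction(lifetime_days) - Fraction(renew_before_days)
    at_risk = Fraction(outage_days) - Fraction(renew_before_days)
    return min(Fraction(1), max(Fraction(0), at_risk / spread))


def renewals_per_window(renew_every_days, window_days=RATE_LIMIT_WINDOW_DAYS):
    """Worst-case number of renewals that land in one rate-limit window.

    Counts inclusively (a renewal on day 0 and one on day 7 both fall in a
    7-day window), which is the conservative reading of the limit.
    """
    if renew_every_days <= 0:
        raise ValueError("renewal interval must be positive")
    return int(Fraction(window_days) / Fraction(renew_every_days)) + 1


def cadence_within_limit(renew_every_days):
    """True if one client renewing every `renew_every_days` stays within the limit."""
    return renewals_per_window(renew_every_days) <= RATE_LIMIT_CERTS


if __name__ == "__main__":
    # 6-day certs renewed 2 days out (deathanatos's ~33% grace), various outage lengths.
    for outage in (2, 3.5, 4, 6):
        share = expired_fraction(6, 2, outage)
        print(f"outage {outage}d, renew 2d out: {float(share):.0%} of certs expire")
    # Last-minute renewal (pilif's reading) versus daily renewal (zzyzxd), 3.5-day outage.
    print("last minute:", expired_fraction(6, 0, 3.5), " daily:", expired_fraction(6, 5, 3.5))
    # Renewal cadence versus the 5-per-7-days limit (ncruces).
    for every in (1, 2):
        print(f"every {every}d: {renewals_per_window(every)} per window, ok={cadence_within_limit(every)}")
```

Renewing 2 days out, a 3.5-day outage takes out 3/8 of the fleet in this model; daily renewal survives any outage shorter than 5 days but overshoots the quoted rate limit, while every-other-day renewal fits it.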