mholt 2 days ago

Fortunately, most ACME clients, including my own, support other CAs as fallbacks. (Caddy's ACME stack falls back to ZeroSSL by default, automatically.)

That, and extended week-long outages are extremely unlikely.

deathanatos 2 days ago

> That, and extended week-long outages are extremely unlikely.

You only need the outage to last for the window of [begin renewal attempts, expiration], not the entire 6d lifetime.

For example, with the 90d certs, I think cert-manager defaults to renewal at 30d out. Let's assume the same grace, of ~33% of the total life, for the 6d certs: that means renew at 2d out. So if an outage persisted for 2d, those certs would be at risk of expiring.

  • mholt 2 days ago

    True, but it doesn't matter since competent clients should be falling back to other CAs anyway.

    • bmicraft 2 days ago

      Sounds like a surefire way to DDOS the next CA in line (and then all the others), since supposedly they wouldn't be prepared for that kind of traffic since LetsEncrypt is currently the default choice almost everywhere.
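The at-risk window deathanatos describes, and mholt's point about fallback CAs, are easy to make concrete in a small simulation. The following is an example added by the editor, not code from the thread, from Caddy, cert-manager or any real ACME client; the function names, the hourly retry interval, the CA names, and the outage dates are all constructed for illustration. It models a client that starts renewing at a fixed fraction of the certificate lifetime before expiry, retries on a schedule, and tries each configured CA in order, and reports whether the certificate would expire for a given set of CA outages.

```python
from datetime import datetime, timedelta, timezone

# Editor-added illustration of the renewal-window argument in the thread.
# Not the behaviour of any particular ACME client; names and dates are constructed.

UTC = timezone.utc


def renewal_window(lifetime: timedelta, renew_fraction: float) -> timedelta:
    """Time before expiry at which a client begins renewal attempts.

    The thread's example: 90d certs renewed 30d out is a fraction of 1/3,
    so a 6d cert with the same fraction starts renewing 2d before expiry.
    """
    return lifetime * renew_fraction


def ca_is_down(outages, t: datetime) -> bool:
    """True if t falls inside any half-open outage interval [start, end)."""
    return any(start <= t < end for start, end in outages)


def first_successful_renewal(not_after: datetime, renew_start: datetime, cas,
                             attempt_interval: timedelta = timedelta(hours=1)):
    """Simulate renewal attempts from renew_start until the cert expires.

    cas is an ordered list of (ca_name, outage_intervals); the first entry is
    the primary CA and the rest are fallbacks tried on the same attempt.
    Returns (ca_name, attempt_time) of the first success, or None if every
    CA was down at every attempt, i.e. the certificate expires.
    """
    t = renew_start
    while t < not_after:
        for name, outages in cas:
            if not ca_is_down(outages, t):
                return name, t
        t += attempt_interval
    return None


def six_day_scenario(with_fallback: bool):
    """Constructed scenario: a 6d cert, renewal at 1/3 of lifetime, and a
    primary-CA outage (hypothetical dates) that covers the whole renewal window."""
    not_before = datetime(2025, 1, 1, tzinfo=UTC)
    lifetime = timedelta(days=6)
    not_after = not_before + lifetime                        # 2025-01-07T00:00Z
    renew_start = not_after - renewal_window(lifetime, 1 / 3)  # 2025-01-05T00:00Z
    # Outage of 3 days straddling the 2-day window; the outage need not last 6 days.
    primary_outage = [(datetime(2025, 1, 4, 12, tzinfo=UTC),
                       datetime(2025, 1, 7, 12, tzinfo=UTC))]
    cas = [("LetsEncrypt", primary_outage)]
    if with_fallback:
        cas.append(("ZeroSSL", []))  # assumed to be up throughout
    return first_successful_renewal(not_after, renew_start, cas)


def ninety_day_scenario():
    """Constructed scenario: a 90d cert renewed 30d out survives a 3-day
    outage that starts just before the window opens."""
    not_before = datetime(2025, 1, 1, tzinfo=UTC)
    lifetime = timedelta(days=90)
    not_after = not_before + lifetime
    renew_start = not_after - renewal_window(lifetime, 1 / 3)  # day 60
    outage = [(not_before + timedelta(days=59), not_before + timedelta(days=62))]
    return first_successful_renewal(not_after, renew_start, [("LetsEncrypt", outage)])


if __name__ == "__main__":
    print("6d cert, primary only:   ", six_day_scenario(False))   # None: expires
    print("6d cert, with fallback:  ", six_day_scenario(True))    # renewed via ZeroSSL
    print("90d cert, 3-day outage:  ", ninety_day_scenario())     # renewed on day 62
```

The single-CA run returns None, which is the failure deathanatos describes: the outage only had to cover the two-day window, not the full lifetime. Adding a second CA to the list turns the same outage into a non-event, which is mholt's point, while bmicraft's objection is simply that in this model every client would hit the fallback at the same moment.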

mkj a day ago

I suspect ZeroSSL might have capacity problems if the entire userbase of Letsencrypt moved to them in a few days. Letsencrypt are talking about 100 million certs/day in future?

cyberax 2 days ago

Plenty of clients don't have that option. E.g.: Synology NAS, Mikrotik routers.