Comment by deathanatos 2 days ago

> That, and extended week-long outages are extremely unlikely.

You only need the outage to last for the window of [begin renewal attempts, expiration], not the entire 6d lifetime.

For example, with the 90d certs, I think cert-manager defaults to renewal at 30d out. Let's assume the same grace, of ~33% of the total life, for the 6d certs: that means renew at 2d out. So if an outage persisted for 2d, those certs would be at risk of expiring.

mholt 2 days ago

True, but it doesn't matter since competent clients should be falling back to other CAs anyway.

  • bmicraft 2 days ago

    Sounds like a surefire way to DDoS the next CA in line (and then all the others), since supposedly they wouldn't be prepared for that kind of traffic since Let's Encrypt is currently the default choice almost everywhere.