Comment by jakeogh

Comment by jakeogh a day ago

"This change is being made along with the rest of the industry, as required by the CA/Browser Forum Baseline Requirements, which set the technical requirements that we must follow."

I dont follow. Why? Why not an hour? A ssl failure is a very effective way to shut down a site.

"you should verify that your automation is compatible with certificates that have shorter validity periods.

To ensure your ACME client renews on time, we recommend using ACME Renewal Information (ARI). ARI is a feature we’ve introduced to help clients know when they need to renew their certificates. Consult your ACME client’s documentation on how to enable ARI, as it differs from client to client. If you are a client developer, check out this integration guide."

Oh that sounds wonderful. So every small site that took the LE bait needs expensive help to stay online.

Do they track and publish the sites they take down?

Semaphor a day ago

LE bait. Wow.

To your actual content, unless you did something weird and special snowflake like, everything will just keep working with this.

Reply View 0 replies

charcircuit a day ago

They've been slowly moving the time lower and lower. It will go lower than 45 days in the future, but the reason why we don't go immediately to 1 hour is that it would be too much of a shock.

>So every small site that took the LE bait needs expensive help to stay online.

It's all automated. They don't need help to stay online.

Reply View 3 replies

jakeogh a day ago

re too much shock, how so?

Reply View | 1 reply
- nickf a day ago
  
  I'd say two big reasons: 1) A lot of people/enterprises/companies/systems are not ready. They're simply not automated or even close to it.
  2) Clock skew.
  
  Reply View | 0 replies
TZubiri a day ago

Nope. I renew my LE certs manually. I take my http server down, run certbot, and pull http back online

Reply View | 0 replies

imtringued a day ago

>Oh that sounds wonderful. So every small site that took the LE bait needs expensive help to stay online.

I agree with the terminology "bait", because the defaults advocated by letsencrypt are horrible. Look at this guide [0].

They strongly push you towards the HTTP-01 challenge which is the one that requires the most amount of infrastructure (http webserver + certbot) and is the hardest to setup. The best challenge type in that list is TLS-ALPN-01 which they dissuade you from! "This challenge is not suitable for most people."

And yet when you look at the ACME Client for JVM frameworks like Micronaut [1], the default is TLS and its the simplest to set up (no DNS access or external webserver). Crazy.

[0] https://letsencrypt.org/docs/challenge-types/

[1] https://micronaut-projects.github.io/micronaut-acme/5.5.0/gu...

Reply View 1 reply

chrismorgan a day ago

> the defaults advocated by letsencrypt are horrible
You’re completely misinterpreting the linked document. See what it says at the start:
> Most of the time, this validation is handled automatically by your ACME client, but if you need to make some more complex configuration decisions, it’s useful to know more about them. If you’re unsure, go with your client’s defaults or with HTTP-01.
This is absolutely the correct advice. For Micronaut, this will guide you to using TLS-ALPN-01, which is better than HTTP-01 if the software supports it. But for a user who doesn’t know what’s what, HTTP-01 is both the easiest and the most reliable, because, as they say, “It works with off-the-shelf web servers.” Typical web servers which don’t know about ACME themselves can be told “serve the contents of such-and-such a directory at /.well-known/acme-challenge/” which is enough to facilitate HTTP-01 through another client; but they don’t give you the TLS handshake control required to facilitate TLS-ALPN-01.

Reply View | 0 replies