Let's Encrypt Announcing Six Day and IP Address Certificate Options in 2025

Blembim, Member

Basically, Let's Encrypt is working on short-lived certificates (aka 6-day certs), but validation will be restricted to http-01 and tls-alpn-01.

And additional IP Address certificate support on short-lived certificates

https://letsencrypt.org/2025/01/16/6-day-and-ip-certs/

Thanked by: Void, 0ka, martheen

Comments

  • MikeA, Member, Host Rep

    IP address certificate seems cool.

  • Blembim, Member
    edited January 18

    @MikeA said:
    IP address certificate seems cool.

    Yeah, I wish they'd plan to support this on longer-lived certificates too.

  • mrTom, Member

    I wish they finally offered S/MIME for email.

  • Void, Member

    They should make IP address certificates 90 days like ZeroSSL.

  • gks, Member

    What makes Let's Encrypt provide 90 days for a domain, while other commercial providers offer the same for 1 year? Even though Let's Encrypt has been around for so many years, enterprises still use commercial ones, and pay extraordinary amounts for them. Are there tons of differences between commercial vs. Let's Encrypt besides the browser not showing a "not trusted" error?

  • tentor, Member, Host Rep

    @Blembim said: validation will be restricted to the http-01 and tls-alpn-01

    I think they meant that the http/tls-alpn-only limitation on available methods relates to IP address certificates, not short-lived ones in general.

    Thanked by: Blembim
  • @tentor said:

    @Blembim said: validation will be restricted to the http-01 and tls-alpn-01

    I think they meant that the http/tls-alpn-only limitation on available methods relates to IP address certificates, not short-lived ones in general.

    Yep, I meant for IP address certs, but I can't edit now :#

    Thanked by: admax
  • @gks said:
    What makes Let's Encrypt provide 90 days for a domain, while other commercial providers offer the same for 1 year? Even though Let's Encrypt has been around for so many years, enterprises still use commercial ones, and pay extraordinary amounts for them. Are there tons of differences between commercial vs. Let's Encrypt besides the browser not showing a "not trusted" error?

    Afaik the difference is the insurance you get when buying an SSL cert.

    Thanked by: gks, Blembim
  • admax, Member, Megathread Squad

    The Battle Between Browsers and Traditional CAs...

    Thanked by: Blembim
  • ralf, Member

    I'm not sure about 6 days, unless you can renew them daily. If you're away for a long weekend and something goes wrong, you may not get the notification that renewal failed before you have a chance to fix it.

    The problem with LE certificates is that if it's automated, most of the time you don't notice the renewal failing because the output is just dumped in a log file that you never check because a successful renewal fills it with very chatty output, and usually it doesn't fail. So, I rely on something like hetrix reminding me that the domain only has a couple of weeks left, meaning the renewal at 60 days didn't happen for some reason.

    I'd prefer an option of maybe 2 weeks, with maybe renewal every 5 days, so you'd have a week and two weekends of safety margin to notice and deal with any renewal issues.

  • ehhthing, Member
    edited January 18

    @ralf said:
    I'm not sure about 6 days, unless you can renew them daily. If you're away for a long weekend and something goes wrong, you may not get the notification that renewal failed before you have a chance to fix it.

    The problem with LE certificates is that if it's automated, most of the time you don't notice the renewal failing because the output is just dumped in a log file that you never check because a successful renewal fills it with very chatty output, and usually it doesn't fail. So, I rely on something like hetrix reminding me that the domain only has a couple of weeks left, meaning the renewal at 60 days didn't happen for some reason.

    I'd prefer an option of maybe 2 weeks, with maybe renewal every 5 days, so you'd have a week and two weekends of safety margin to notice and deal with any renewal issues.

    LE emails you if your renewal is due soon; theoretically, all you should do is configure your automated renewal system to renew before that reminder occurs, so you'll know if it failed.

    But also, your renewal really should never fail...

  • Levi, Member

    Hm, rationale behind 6-day cert? IP cert will contribute to malware, for sure.

  • @Levi said:
    Hm, rationale behind 6-day cert?

    No official reason for why 6 days, but they said shorter lifetimes are good for security. :#

  • @TERBITFILM instant happy

  • DataRecovery, Member
    edited January 18

    @Void said:
    They should make IP address certificate 90 days like zerossl

    @Blembim said:
    Yeah, I wish they'd plan to support this on longer-lived certificates too.

    @ralf said:
    I'm not sure about 6 days, unless you can renew them daily. If you're away for a long weekend and something goes wrong, you may not get the notification that renewal failed

    This.

    IMO, even their default lifetime of 90 days is unnecessarily short, but six days...

    IMO again, but this looks like a kind of obsession: to have something on your server being updated this frequently.
    I would also like to have free IP certs, but without having to "worry in the background" about whether that renewal bot did its job without any issues.

    The time frame is too tight - I can easily imagine several days without internet access. More without proper admin tools - e.g. phone only.

    Thanked by: Void
  • It's not very complicated: it's effectively impossible to actually revoke certificates, and Let's Encrypt wants to stop pretending it is, so the alternative is short-lived certs renewed automatically; when they're compromised they just die quickly rather than being revoked.

  • plumberg, Veteran, Megathread Squad

    6 days or 90 days, both seem short in general.

    I feel 6 days may serve some use cases where one needs the cert for some intermittent testing and then forget about it.

    If someone wants a longer lived cert ensuring it is on auto renew and monitored like @ralf suggested would check all boxes.

    I know even with yearly or 3-year term certs, organizations or individuals end up missing the renewal due to an overly long period, contacts becoming stale, something unexpected happening, or someone leaving the org.

    Short terms like 3 months are a decent number to keep things fresh.

    Everyone has a different need and use case, I guess.

    Thanked by: admax, ralf
  • plumberg, Veteran, Megathread Squad

    With an IP address, what could be the real use case... domains are super cheap... but maybe that could be needed for a one-off use...

    But it seems to open the floodgates for spreading malicious content under the guise of being secure and trapping gullible folks.

    Thanked by: admax
  • 6 days cert, so autorenew will be every 3 days to have another 3 days as backup?

  • Void, Member

    @Hotmarer said:
    6 days cert, so autorenew will be every 3 days to have another 3 days as backup?

    Auto renew will be every 2 days: 2 days as backup and another 2 days as backup of backup.

    Thanked by: Hotmarer, yoursunny
  • Certs for IPs will be great for a variety of use cases where putting them behind a domain just for a cert is really not justified. Something like exposing internal tools and APIs which are not user-facing.

    Thanked by: Saragoldfarb
  • @ralf said:
    I'm not sure about 6 days, unless you can renew them daily. If you're away for a long weekend and something goes wrong, you may not get the notification that renewal failed before you have a chance to fix it.

    The problem with LE certificates is that if it's automated, most of the time you don't notice the renewal failing because the output is just dumped in a log file that you never check because a successful renewal fills it with very chatty output, and usually it doesn't fail. So, I rely on something like hetrix reminding me that the domain only has a couple of weeks left, meaning the renewal at 60 days didn't happen for some reason.

    I'd prefer an option of maybe 2 weeks, with maybe renewal every 5 days, so you'd have a week and two weekends of safety margin to notice and deal with any renewal issues.

    So, I never used the official certbot, so I'm not sure how it's handled there, but with acme-tiny I made a script to back up the current cert, renew, and check the exit code to see if it was successful or not. If it wasn't successful, it will restore the backup it took and will email me saying it failed. If it was successful, it will just reload/restart the proper process so it picks up the new cert. Since I renew monthly and the cert is good for 90 days, I can easily look into it the next month if it fails again. Though it's not often it fails, and if it did, it has always gone through fine the following month. If it's completely automated with your process, like you don't even schedule it yourself, you could always make a script to grab the cert your server presents, look at the expiration, and email yourself based off that. I dunno, just trying to think what I would do if I had no control over it.

    With a 6 day cert (what the announcement says), I would probably make it try renewing every 2 days. Though it would be annoying if it fails while on vacation/etc. since it's such a short period (sometimes I am away from internet access for that long or longer). Then it would be such a short period to troubleshoot/manually fix but I'd expect it will be like it currently is where it failed because you tried at the perfect moment and the next renewal attempt will work just fine.
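The "grab the cert your server presents and look at the expiration" check described above, and the renew-every-third-of-lifetime schedule from earlier in the thread, as an added example (not code from any poster or from Let's Encrypt). It reads notBefore/notAfter from the live TLS handshake, so the same check fits a 90-day cert renewed monthly and a 6-day cert renewed every 2 days; the status names and the 1/3 and 2/3 thresholds are assumptions of this example (certbot's own default, renewing when 30 days remain, would need a later renew_at).

```python
"""Classify a server's presented certificate by how much of its lifetime is used."""
import socket
import ssl
import time
from typing import Dict, Optional, Tuple

# Assumed schedule (from the thread): renew after 1/3 of the lifetime is used,
# so a second missed window (2/3 used) is the last chance before expiry.
RENEW_AT = 1 / 3
OVERDUE_AT = 2 / 3


def validity_from_peercert(cert: Dict[str, str]) -> Tuple[int, int]:
    """Take the dict ssl.getpeercert() returns and give (notBefore, notAfter) as Unix time."""
    return (ssl.cert_time_to_seconds(cert["notBefore"]),
            ssl.cert_time_to_seconds(cert["notAfter"]))


def fetch_validity(host: str, port: int = 443) -> Tuple[int, int]:
    """Do a real TLS handshake and return the presented cert's validity window."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return validity_from_peercert(tls.getpeercert())


def classify(not_before: int, not_after: int, now: int,
             renew_at: float = RENEW_AT, overdue_at: float = OVERDUE_AT) -> str:
    """Return 'ok', 'overdue', 'critical' or 'expired' for the cert at time `now`."""
    lifetime = not_after - not_before
    if lifetime <= 0:
        raise ValueError("notAfter must be later than notBefore")
    remaining = not_after - now
    if remaining <= 0:
        return "expired"
    used = 1 - remaining / lifetime  # fraction of the lifetime already consumed
    if used < renew_at:
        return "ok"           # still inside the first renewal window
    if used < overdue_at:
        return "overdue"      # a scheduled renewal did not produce a fresh cert
    return "critical"         # last window before expiry: page someone now


def check(host: str, port: int = 443, now: Optional[int] = None) -> Tuple[str, float]:
    """Fetch the live cert and return (status, days_remaining) for an alerting hook."""
    nb, na = fetch_validity(host, port)
    now = int(time.time()) if now is None else now
    return classify(nb, na, now), (na - now) / 86400
```

Run `check("your.host")` from cron and mail or page on anything other than "ok"; "overdue" on a 6-day cert means the 2-day renewal already failed once.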

  • So instead of a domain, you can use an IP address for SSL? (for a week). This looks cool for short projects and such.

  • @Void said:
    They should make IP address certificate 90 days like zerossl

    I think you can auto renew your certificate?

  • This may be a dumb question but for NAT vps would the provider have to do the IP cert or can a user do it for their 10/20 ports?

  • plumberg, Veteran, Megathread Squad

    @wadhah said:
    This may be a dumb question but for NAT vps would the provider have to do the IP cert or can a user do it for their 10/20 ports?

    It would not be possible, as it would mean only 1 cert possible for the IP when it's shared by so many other ppl.

    But with typical NAT vps, usually the providers have some type of HA or proxy setup which allows one to redirect the allotted ports to a domain, right?

    Thanked by: wadhah
  • Erisa, Member
    edited January 19

    @wadhah said:
    This may be a dumb question but for NAT vps would the provider have to do the IP cert or can a user do it for their 10/20 ports?

    The challenges they support are http and tls, which respectively require access to port 80 or 443, so you wouldn't be able to as a NAT user if you don't have those ports. Some providers have haproxy and such which will push connections for your domain back through to your VM, but unless they're stupid enough to allow you to enter the IP in that field, you won't get 80/443 for the IP itself to come through and let you do the challenges.

    Thanked by: wadhah, yoursunny, nick_
  • Levi, Member

    @Erisa said:

    @wadhah said:
    This may be a dumb question but for NAT vps would the provider have to do the IP cert or can a user do it for their 10/20 ports?

    The challenges they support are http and tls, which respectively require access to port 80 or 443, so you wouldn't be able to as a NAT user if you don't have those ports. Some providers have haproxy and such which will push connections for your domain back through to your VM, but unless they're stupid enough to allow you to enter the IP in that field, you won't get 80/443 for the IP itself to come through and let you do the challenges.

    Dns challenge is an option.

  • @Levi said:

    @Erisa said:

    @wadhah said:
    This may be a dumb question but for NAT vps would the provider have to do the IP cert or can a user do it for their 10/20 ports?

    The challenges they support are http and tls, which respectively require access to port 80 or 443, so you wouldn't be able to as a NAT user if you don't have those ports. Some providers have haproxy and such which will push connections for your domain back through to your VM, but unless they're stupid enough to allow you to enter the IP in that field, you won't get 80/443 for the IP itself to come through and let you do the challenges.

    Dns challenge is an option.

    I think the DNS challenge is not available for IP certs.

  • Erisa, Member

    @Levi said:

    @Erisa said:

    @wadhah said:
    This may be a dumb question but for NAT vps would the provider have to do the IP cert or can a user do it for their 10/20 ports?

    The challenges they support are http and tls, which respectively require access to port 80 or 443, so you wouldn't be able to as a NAT user if you don't have those ports. Some providers have haproxy and such which will push connections for your domain back through to your VM, but unless they're stupid enough to allow you to enter the IP in that field, you won't get 80/443 for the IP itself to come through and let you do the challenges.

    Dns challenge is an option.

    Not for IPs:

    Validation for IP addresses will work much the same as validation for domain names, though validation will be restricted to the http-01 and tls-alpn-01 challenge types.
    The dns-01 challenge type will not be available because the DNS is not involved in validating IP addresses. Additionally, there is no mechanism to check CAA records for IP addresses.
