New on LowEndTalk? Please Register and read our Community Rules.
Let's Encrypt Announcing Six Day and IP Address Certificate Options in 2025
Basically, Let's Encrypt is working on short-lived certificates (aka 6-day certs), but validation will be restricted to http-01 and tls-alpn-01.
And additional IP address certificate support on short-lived certificates.
Comments
IP address certificate seems cool.
Yeah, I wish they plan to support this on longer-lived certificates too.
I wish they finally offered S/MIME for email.
They should make IP address certificate 90 days like zerossl
What makes Let's Encrypt provide 90 days for a domain, while other commercial providers offer the same for 1 year? Even though Let's Encrypt has been around for so many years, enterprises still use commercial ones, and pay extraordinary amounts for that too. Are there tons of differences between commercial vs Let's Encrypt, besides the browser not showing a not-trusted error?
I think they meant that http/tls-alpn only available methods limitation is related to IP address certificates, not short-lived ones in general.
Yep, I meant for the IP address cert, but I can't edit now.
Afaik the difference is the insurance you get when buying an SSL cert.
The Battle Between Browsers and Traditional CAs...
I'm not sure about 6 days, unless you can renew them daily. If you're away for a long weekend and something goes wrong, you may not get the notification that renewal failed before you have a chance to fix it.
The problem with LE certificates is that if it's automated, most of the time you don't notice the renewal failing because the output is just dumped in a log file that you never check because a successful renewal fills it with very chatty output, and usually it doesn't fail. So, I rely on something like hetrix reminding me that the domain only has a couple of weeks left, meaning the renewal at 60 days didn't happen for some reason.
I'd prefer an option of maybe 2 weeks, with maybe renewal every 5 days, so you'd have a week and two weekends of safety margin to notice and deal with any renewal issues.
LE emails you if your renewal is due soon, theoretically all you should do is configure your automated renewal system to renew before that reminder occurs so you'll know if it failed.
But also, your renewal really should never fail...
Hm, rationale behind 6-day cert? IP cert will contribute to malware, for sure.
No official reason given for why 6 days, but they said Shorter Lifetimes Are Good for Security.
@TERBITFILM instant happy
This.
IMO, even their default lifetime of 90 days is unnecessarily short, but six days...
IMO again, but this looks like a kind of obsession - to have something on your server being updated this frequently.
I would also like to have free IP certs, but without having to "worry in the background" about whether that renewal bot did its job without any issues.
The time frame is too tight - I can easily imagine several days without internet access. More without proper admin tools - e.g. phone only.
It’s not very complicated – it’s effectively impossible to actually revoke certificates, and Let’s Encrypt wants to stop pretending it is, so the alternative is short-lived certs renewed automatically – when they’re compromised they just die quickly rather than being revoked.
6 days or 90 days, both seem short in general.
I feel 6 days may serve some use cases where one needs the cert for some intermittent testing and then forgets about it.
If someone wants a longer-lived cert, ensuring it is on auto-renew and monitored, like @ralf suggested, would check all boxes.
I know even with yearly or 3-year term certs, organizations or individuals end up missing the renewal due to an overly long period, contacts becoming stale, something unexpected happening, or someone leaving the org.
A short term like 3 months is a decent number to keep things fresh.
Everyone has a different need and use case, I guess.
With an IP address what could be the real use case... domains are super cheap... but maybe that could be needed for a one-off use...
But it seems to open the floodgates for spreading malicious content in the realm of being secure and trapping gullible folks.
6-day cert, so auto-renew will be every 3 days, to have another 3 days as backup?
Auto-renew will be every 2 days, 2 days as backup and another 2 days as backup of the backup.
Certs for IPs will be great for a variety of use cases where putting them behind a domain just for a cert is really not justified. Something like exposing internal tools and APIs which are not user-facing.
So, I never used the official certbot, so I'm not sure how it's handled there, but with acme-tiny I made a script to back up the current cert, renew, and check the exit code to see if it was successful or not. If it wasn't successful, it will restore the backup it took and will email me saying it failed. If it was successful, it will just reload/restart the proper process so it picks up the new cert. Since I renew monthly and the cert is good for 90 days, I can easily look into it the next month if it fails again. Though it's not often it fails, and if it did, it has always gone through fine the following month. If it's completely automated with your process, like you don't even schedule it yourself, you could always make a script to grab the cert your server presents, look at the expiration, and email yourself based off that. I dunno, just trying to think what I would do if I had no control over it.
With a 6-day cert (what the announcement says), I would probably make it try renewing every 2 days. Though it would be annoying if it fails while on vacation/etc., since it's such a short period (sometimes I am away from internet access for that long or longer). Then it would be such a short period to troubleshoot/manually fix, but I'd expect it will be like it currently is, where it failed because you tried at the perfect moment and the next renewal attempt will work just fine.
So instead of a domain, you can use an IP address for SSL? (for a week) This looks cool for short projects and such.
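The backup-renew-check-restore wrapper described in the post above, plus the "look at the expiry and alert" check that several posters rely on instead of reading logs, as an added example that is not code from the thread or from any ACME client. It assumes a hypothetical renewal command (RENEW_CMD, e.g. an acme-tiny invocation) that writes the new certificate to CERT_PATH and exits non-zero on failure, a hypothetical RELOAD_CMD that reloads the service, and that `openssl` is installed for the expiry check; the alert function just writes to stderr so cron picks it up, and is meant to be swapped for mail or whatever you use.

```shell
#!/bin/sh
# Added example: make a cron-driven ACME renewal fail loudly and safely.
# Not from the thread or any ACME client; RENEW_CMD / RELOAD_CMD / CERT_PATH
# are assumptions supplied by the caller.
set -u

# alert MESSAGE: replace with mail/ntfy/whatever; stderr is what cron mails you.
alert() {
    printf 'ALERT: %s\n' "$1" >&2
}

# renew_with_rollback CERT_PATH RENEW_CMD RELOAD_CMD
# Returns 0 when the renewal succeeded and the service was reloaded,
# 1 when it failed and the previously deployed certificate was put back.
renew_with_rollback() {
    cert="$1"
    renew_cmd="$2"
    reload_cmd="$3"
    backup="$cert.bak.$$"

    # 1. Keep the currently deployed cert so a half-written file can be undone.
    cp -p "$cert" "$backup" || return 1

    # 2. Run the renewal; its exit status decides what happens next.
    if sh -c "$renew_cmd"; then
        sh -c "$reload_cmd"
        rm -f "$backup"
        return 0
    fi

    # 3. Renewal failed: restore the old cert and make noise.
    cp -p "$backup" "$cert"
    rm -f "$backup"
    alert "certificate renewal failed for $cert; previous certificate restored"
    return 1
}

# expires_within CERT_PATH DAYS: exit 0 if the cert expires within DAYS days.
# openssl's -checkend exits non-zero when the cert *will* expire in that
# window, so the result is inverted. Run this as an independent second signal
# (e.g. daily) so a renewal that silently stopped running still gets noticed.
expires_within() {
    ! openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null
}

# Example cron wiring (assumed paths):
#   0 3 */2 * * /usr/local/bin/renew.sh   # calls renew_with_rollback every 2 days
#   0 4 * * *   /usr/local/bin/expiry.sh  # expires_within /etc/ssl/site.pem 3 && alert ...
```

With a 6-day certificate and renewal every 2 days, the expiry check set to 3 days fires only after one renewal has already been missed, which is exactly the "renewal didn't happen" condition the posters want surfaced without grepping a chatty log.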
I think you can auto renew your certificate?
This may be a dumb question, but for a NAT VPS would the provider have to do the IP cert, or can a user do it for their 10/20 ports?
It would not be possible, as it would mean only 1 cert possible for the IP when it's shared by so many other people.
But with a typical NAT VPS, usually the providers have some type of HA or proxy setup which allows one to redirect the allotted ports to a domain, right?
The challenges they support are http and tls, which respectively require access to port 80 or 443, so you wouldn't be able to as a NAT user if you don't have those ports. Some providers have haproxy and such which will push connections for your domain back through to your VM, but unless they're stupid enough to allow you to enter the IP in that field, you won't get 80/443 for the IP itself to come through and let you do the challenges.
DNS challenge is an option.
I think DNS challenge is not available for IP cert
Not for IPs: