New on LowEndTalk? Please Register and read our Community Rules.

Comments
:facepalm:
Face palm also.
If you have this fully automated, I don't understand why you wouldn't set this up for weekly because it gives you more chances to catch a failed re-cert job.
The official certbot won't attempt to renew a certificate until 30 days before expiry, so you're kind of pushed into at least a weekly schedule for safety using that. You can force a re-cert, but it's then limited by the API to 5 per week. So, even if you're using a non-standard tool that doesn't renew based on expiry date, running weekly will be totally fine.
I'm assuming they'll increase the API limit for these to allow daily renewals. Every 2 days is really cutting it too fine for me.
Consider Black Friday. Just imagine last successful renew Monday 7pm. Wednesday 7pm renewal fails. Out of office Thursday + Friday so don't notice. Friday 7pm renewal fails. Still out of office. Sunday 7pm renewal fails. Best case scenario - you're back at work Cyber Monday, notice it first thing and fix it by 8am, but your site has still had 11 hours downtime - potentially also missing the time when a lot of people are randomly browsing for things to spend money on.
If you have a dedicated IT support team that check in on the machines every day, even holidays, then maybe it's workable. Otherwise, I think 6 days is too risky, but definitely if you're not renewing every day.
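The renewal-window and holiday-outage reasoning in the posts above is easy to get wrong by hand, so here is an added worked example (not code from this thread, from Let's Encrypt, or from certbot) that plays it forward. It issues a constructed self-signed certificate in place of a CA-issued one, applies the "renew when one third of the lifetime remains" rule (certbot's 30 days on a 90-day certificate; the assumption here is that the same fraction, 2 days, is the sensible default on a 6-day certificate), and simulates a renewal cron that starts failing mid-week with nobody watching until the following Monday morning. The dates, the 192.0.2.10 address (documentation range) and the failure window are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// IssueSelfSigned builds a constructed, self-signed certificate with the given
// lifetime and one IP SAN. It stands in for what an ACME CA would return; it is
// test data, not a Let's Encrypt certificate.
func IssueSelfSigned(notBefore time.Time, lifetime time.Duration, ip net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "short-lived-example"},
		NotBefore:             notBefore,
		NotAfter:              notBefore.Add(lifetime),
		IPAddresses:           []net.IP{ip},
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Lifetime is NotAfter - NotBefore as the CA issued it.
func Lifetime(c *x509.Certificate) time.Duration { return c.NotAfter.Sub(c.NotBefore) }

// RenewDue is the "one third of the lifetime left" rule: 30 days on a 90-day
// certificate (certbot's default), 2 days on a 6-day one. Assumption: the same
// fraction is the right default for short-lived certificates.
func RenewDue(c *x509.Certificate, now time.Time) bool {
	return c.NotAfter.Sub(now) <= Lifetime(c)/3
}

// Run is the outcome of playing a renewal cron forward through a failure window.
type Run struct {
	FirstFailedDue time.Time     // first run that was due and failed: when monitoring should have paged
	Outage         time.Duration // how long an expired certificate was served before fixedAt
}

// Simulate fires a renewal run every interval after cert.NotBefore. A run that
// is due renews (same lifetime) unless it falls in [failFrom, fixedAt), the
// period in which every attempt fails and nobody is watching.
func Simulate(cert *x509.Certificate, interval time.Duration, failFrom, fixedAt time.Time) Run {
	lifetime := Lifetime(cert)
	notAfter := cert.NotAfter
	var r Run
	for t := cert.NotBefore.Add(interval); t.Before(fixedAt); t = t.Add(interval) {
		if notAfter.Sub(t) > lifetime/3 {
			continue // not due yet, the client does nothing on this run
		}
		if t.Before(failFrom) {
			notAfter = t.Add(lifetime) // renewal succeeded
			continue
		}
		if r.FirstFailedDue.IsZero() {
			r.FirstFailedDue = t
		}
	}
	if fixedAt.After(notAfter) {
		r.Outage = fixedAt.Sub(notAfter)
	}
	return r
}

func main() {
	issued := time.Date(2025, time.November, 24, 19, 0, 0, 0, time.UTC) // constructed: a Monday, 19:00
	failFrom := issued.Add(48 * time.Hour)                              // constructed: renewals fail from Wednesday
	fixedAt := time.Date(2025, time.December, 1, 8, 0, 0, 0, time.UTC)   // constructed: someone looks on Monday 08:00
	ip := net.ParseIP("192.0.2.10")                                       // documentation address, not a real host

	for _, tc := range []struct {
		name               string
		lifetime, interval time.Duration
	}{
		{"6-day cert, cron every 2 days", 6 * 24 * time.Hour, 48 * time.Hour},
		{"6-day cert, daily cron", 6 * 24 * time.Hour, 24 * time.Hour},
		{"90-day cert, weekly cron", 90 * 24 * time.Hour, 7 * 24 * time.Hour},
	} {
		cert, err := IssueSelfSigned(issued, tc.lifetime, ip)
		if err != nil {
			panic(err)
		}
		r := Simulate(cert, tc.interval, failFrom, fixedAt)
		fmt.Printf("%-32s first failed due run: %v  outage: %v\n", tc.name, r.FirstFailedDue, r.Outage)
	}
}
```

The thing the simulation makes visible is that the cron interval barely matters once renewals are failing: with a 6-day certificate the first due-and-failed run lands on Friday evening whether the job runs daily or every two days, and the only thing that shortens the outage is someone acting on that first failure before Sunday evening. The 90-day certificate issued the same Monday sails through the same failure window untouched.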
Mentally strong people work through Black Friday, but remotely.
Truly mentally strong people make sure they get the time off they are contractually entitled to.
So these are options or in place upgrade for current system?
They said that it will be an option when creating a new certificate. I guess there's no point having a migration option as you could just delete the old cert and recreate to get the 6 day thing.
It is LE's way of "encouraging" automation.
I also thought that the group of organizations that had widely accepted root certificates had said no more certificates for IP addresses.. Has DoH helped them change their minds?
What is the point of short lived certificates? Can't think of any reason why one would use them.
Google Trust Services are offering IP certs for 10 days.
Once GTS offers S/MIME, LE will follow shortly.
According to Google's plan that should roughly happen in a few months or at least this year. They are already running an early alpha for internal users and selected customers of google cloud.
6 days are more than enough for IP certs. You can simply spin up multiple short lived cloud servers or even use github (and the likes) runners to obtain certs for IPs you don't own.
DNS based challenge would also allow you to simply obtain certs for private addresses.
Forces admins to implement automated renewals. When we were able to get two- and three-year certificates we would just install them manually (especially before PowerShell) because it was half an hour every three years.
Had one system (shut down less than a month ago) where automated renewals failed, so every 85 days or so someone would renew it. With any more than two or three of those it becomes a PITA, and this does not scale for growth.
Automation prevents sites that stop working from expired certificates, especially when Chrome makes bypassing the error difficult.
Yeah, I personally would want like every two weeks at the shortest. Mostly because I can see hardware/internet issues or things like vacations/emergencies possibly preventing me from getting online to manually fix it if issues happen. Like, I don't see a situation where I can't get online within two weeks like I can with less than a week. I might opt in to the 6 day thing on a test server just to see how it goes, limits, etc. but I won't be converting all over until I'm forced.
If you are doing it yourself, at the very minimum, you need to be using external monitors that will tell you about events like this.
Why would you not be using DNS in the first place for your store, instead you are just directing people to your store's IP address?
I do. However, unless you have IT support working over the holidays, they aren't going to get read until after the holidays.
I know the solution is to employ IT support for over the holidays, and I also know that that doesn't happen in a lot of smaller companies.
What now? What gave you the impression I'd be telling people to go to my (BTW hypothetical) store's IP address rather than DNS? Not only didn't I say anything of the sort, that wouldn't even solve the problem of having an expired certificate anyway.
That is what this thread is about...?
Certificates for IP addresses having a lifetime of 6 days.
If you have certificates tied to the FQDN, nothing changes.
The announcement is actually about 2 separate features.
Agreed. From the article: "Once IP address support is an option for you, requesting an IP address in a certificate will automatically select a short-lived certificate profile."
Nothing changes automatically, but you can have certs with a lifetime of 6 days for FQDN as well:
"Once short-lived certificates are an option for you, you’ll need to use an ACME client that supports ACME certificate profiles and select the short-lived certificate profile (the name of which will be published at a later date)."
I was arguing that shorter than 90 days is good, but 6 days is too short for most people. Maybe it wasn't obvious I was talking about FQDN because I'd just focused on the part of the article I cared about!
Your Black Friday example gave that impression.
See above :facepalm:. You don't know how this works.
Why? How does giving a hypothetical example about a 6-day expiry time for a certificate in any way suggest I was suggesting using IP addresses? Or do you think DNS just stops working over Black Friday?
See TFA :facepalm: You don't know how this works.
https://letsencrypt.org/2025/01/16/6-day-and-ip-certs/
Statement 1:
This year we will continue to pursue our commitment to improving the security of the Web PKI by introducing the option to get certificates with six-day lifetimes (“short-lived certificates”).
Statement 2:
We will also add support for IP addresses in addition to domain names.
Nowhere in the article does it say that six-day lifetimes are only available for certs for IP addresses. It only says that if you use certs for IP addresses you can only use six-day certificates.
A implies B does not mean B implies A.
From the link:
Getting back to the confusion:
Regardless, you just made the argument why 6-day certificates with customer-facing DNS names are stupid, so now I'm really confused what your point was when nobody else was talking about 6-day limits with DNS certificates.
I know you're really good at doubling down on not admitting when you're wrong so you can continue trying to win the argument, but for once, please just read TFA properly rather than scanning for a sentence that you think agrees with your point.
IN THE SECTION THAT IS TALKING ABOUT IP CERTS.
Of course DNS cannot be involved in verifying IP address challenges because being able to add a DNS entry somewhere doesn't prove ownership of an IP address and DNS PTR records don't support arbitrary data.
What exactly were you hoping to prove by quoting that paragraph out of context?
The article talks about both as separate things. The OP talks about both as separate things.
By post 6 in this thread somebody else had talked about the length of certificate lifetimes in general. I was responding to that comment, not that it even matters. The point I was making was about the problems that lots of people will face with 6-day lifetimes. Not once did I mention IP address certs. Not that it would have mattered even if I had, because all the points I made would still stand, but I didn't.
There's no argument. You said something that didn't make sense to me and another person and you had to clarify what you were talking about. Not sure why you're going all Karen about this.
Now you're confusing. You hijacked someone else's post saying they can use DNS verification for private address certs. Stop fucking linking to the docs and quote where this is possible, because you just said what my point was and really doubling down on being confusing.
Cool. Nobody is arguing otherwise, we were just confused by your point. You clarified it. There's really no need for further posts.
6 day certificates? Imagine the renewal emails 👀
Thanks for your point of view.
What are you talking about?