| ▲ | mcherm 11 hours ago |
| There is one little-discussed downside to ever shorter-lived certificates... |
|
| ▲ | dizhn 11 hours ago |
| Let's Encrypt is not the only ACME authority. ZeroSSL is the other popular one. There are others. |
| |
| ▲ | pseudalopex 4 hours ago |
| ZeroSSL offered 3 single-name certificates for free. The next plan was $180 yearly. Actalis offered unlimited single-name certificates. Why is ZeroSSL more popular? Google offered unlimited certificates with multiple names and wildcards. But they seemingly required a GCP account. It would require giving Google personal information, a phone number, and automatic payment permission. And Google not disabling your account because your spouse uploaded images for your child's doctor. All others I saw charged for each certificate. |
|
|
| ▲ | devrand 11 hours ago |
| If you're using ACME to handle certificate rotation, can't you just configure multiple providers? |
| |
|
| ▲ | Analemma_ 11 hours ago |
| Only if you’re reissuing right before expiration, which is a stupid thing to do. If you have a 47-day cert, best practice is to reissue on day 30, meaning LE would need to be down for more than two weeks before anything went wrong. If this outage breaks your system, that’s entirely on you, not Let’s Encrypt. |
| |
| ▲ | eqvinox 11 hours ago |
| Short-lived = 6 days. Even if you reissue after 2 or 3 days, that's… not a lot of breathing room. |
| ▲ | striking 11 hours ago |
| You have to opt in, and they are honest about the tradeoffs when discussing them: |
| > Short-lived certificates are opt-in and we have no plan to make them the default at this time. Subscribers that have fully automated their renewal process should be able to switch to short-lived certificates easily if they wish, but we understand that not everyone is in that position and generally comfortable with this significantly shorter lifetime. We hope that over time everyone moves to automated solutions and we can demonstrate that short-lived certificates work well. |
| https://letsencrypt.org/2026/01/15/6day-and-ip-general-avail... |
| ▲ | eqvinox 11 hours ago |
| That's not really an answer, especially with: |
| > We hope that over time everyone moves to automated solutions and we can demonstrate that short-lived certificates work well. |
| They're expressly trying to show that this is a viable approach. It's actually kinda good that this outage, whatever it is, is happening now, as it's giving them a chance to demonstrate (or not) that they can deliver. |
| ▲ | nottorp 11 hours ago |
| > no plan to make them the default at this time |
| At this time! Boil the frog slowly... |
| |
| ▲ | bakies 11 hours ago |
| 3-4 days is a ton of breathing room |
| |
| ▲ | rconti 11 hours ago |
| You're holding your 6-day cert wrong |
| ▲ | jameshart 11 hours ago |
| Useful context: https://letsencrypt.org/2026/01/15/6day-and-ip-general-avail... |
| ▲ | gbear605 11 hours ago |
| Only as long as LE isn’t down for 17 days, then we’re in big trouble. |
|