jaas 2 days ago

> That explains why one of my IoT vendors is using an expired certificate.

I don't think so. There was a dip in success rates for 90 minutes today, but nobody should be renewing their certificate within 90 minutes of expiration. If you're at that point, something went wrong weeks ago.

mannyv 2 days ago | parent | next

"nobody should be renewing their certificate within 90 minutes of expiration"

You obviously haven't worked with hardware guys.

"I mean, what's the point of those last 30 days if you need to renew it 30 days before expiration? Why not just renew it before it expires? If I'm required to renew it 30 days before the expiration date then the expiration date is a lie, isn't it?"

ozim 2 days ago | parent | next

If they make a 7-day grace period then the expiration date will be a lie, and of course everyone will use the grace period like it would be a normal thing ;)

NewJazz 2 days ago | parent

Roulette grace period, keep them on their toes.

selcuka 2 days ago | parent | prev

> If I'm required to renew it 30 days before the expiration date then the expiration date is a lie, isn't it?

Many countries won't let you enter if your passport expires less than 6 months after your planned departure date. Basically the effective validity of a passport is 0.5 years less than the period you pay for.

LtWorf 2 days ago | parent | prev

> weeks ago

How long do you think a certificate lives?

jaas 2 days ago | parent | next

Mostly 90 days, and we recommend renewing at 60 days for 90-day certs. That gives more than four weeks of leeway.

If you're one of the few early adopters of short-lived (6-day) certs you should renew at 3 days, giving you 3 days for a successful renewal. A 90-minute outage, even if it was a full outage, would not interfere with a successful renewal.

selcuka 2 days ago | parent | next

> If you're one of the few early adopters of short-lived (6-day) certs you should renew at 3 days

Apparently certificates are becoming OCSP-only with a TTL.

nottorp 2 days ago | parent | prev

How's the push for 48 hour certificates going?

bebop 2 days ago | parent | prev | next

90 days moving to 45, but you can and should renew earlier than that. Automating this process means that you should request a new certificate roughly 60 days (or 30 soon) after the issuance of the previous certificate. That way you would have plenty of time to deal with renewal issues. The process for renewal should have back-off and retries built in. This prevents a situation where downtime for the issuer means that your production environments are non-functional.
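
The renew-early-with-backoff policy described in this comment, as an added example (Python; not code from the thread or from Let's Encrypt's own tooling): the CA is simulated as being down for the 90 minutes mentioned upthread, starting exactly when renewal is due, and the simulated clock, the stand-in issuer and the 5-minute base delay are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

def renewal_due(not_before, not_after, fraction=(2, 3)):
    """Start renewal a fixed fraction into the lifetime: (2, 3) gives day 60 of 90,
    (1, 2) gives the 'day 3 of 6' suggested upthread for short-lived certs."""
    num, den = fraction
    return not_before + (not_after - not_before) * num / den

class SimClock:
    """Constructed clock so the retry loop runs offline and deterministically."""
    def __init__(self, start):
        self.now = start
    def sleep(self, delta):
        self.now += delta

def renew_with_backoff(issue, clock, not_after, base=timedelta(minutes=5), cap=timedelta(hours=6)):
    """Call issue() until it returns a cert or the current cert expires; the delay doubles
    after each failure (capped), so a CA outage costs a few spaced-out attempts."""
    delay, attempts = base, 0
    while clock.now < not_after:
        attempts += 1
        cert = issue(clock.now)
        if cert is not None:
            return cert, attempts
        clock.sleep(min(delay, not_after - clock.now))  # never sleep past expiry
        delay = min(delay * 2, cap)
    return None, attempts

def outage_issuer(outage_start, outage_len, lifetime):
    """Constructed CA stand-in: fails inside the outage window, succeeds otherwise."""
    def issue(now):
        if outage_start <= now < outage_start + outage_len:
            return None
        return {"not_before": now, "not_after": now + lifetime}
    return issue

def simulate(lifetime_days, outage_minutes, fraction=(2, 3)):
    """Renewal cycle with the CA down exactly as renewal starts -> (renewed?, attempts, seconds left)."""
    lifetime = timedelta(days=lifetime_days)
    not_before = datetime(2025, 1, 1, tzinfo=timezone.utc)
    not_after = not_before + lifetime
    clock = SimClock(renewal_due(not_before, not_after, fraction))
    issue = outage_issuer(clock.now, timedelta(minutes=outage_minutes), lifetime)
    cert, attempts = renew_with_backoff(issue, clock, not_after)
    return cert is not None, attempts, (not_after - clock.now).total_seconds()

if __name__ == "__main__":
    for days, frac in ((90, (2, 3)), (6, (1, 2))):
        print(f"{days}-day cert, 90-minute outage:", simulate(days, 90, frac))
```

With the 5-minute base delay, both the 90-day and the 6-day cert are renewed on the sixth attempt, about 155 minutes after renewal became due, with weeks (or days) of validity still left.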

Biganon 2 days ago | parent | prev

They work at letsencrypt; I'm pretty sure they know.