1 week automation question


#1

Hello,

After working on creating my own personal workflow on renewing the issued certificates, I wonder if it is acceptable if I were to automate the renewal operation at a short time interval of, let’s say, 1 week?

Thanks.


#2

To me it comes down to what you do on that weekly script …

I actually run a script on a daily basis, however it checks the current certificate to see how long it’s still valid for, and if less than 28 days, will try and renew cert (if more than 28 days left, it exits without doing anything further).

So running on a daily / weekly basis isn’t an issue at all (as it’s mostly checking).

If for any reason the “renew” fails, then I have plenty more opportunities to renew the certificate before it expires (and of course it will try and do so every day when less than 28 days to go, until it succeeds).

Actually renewing the certificate and getting a new one every week strikes me as slightly pointless, adds extra server load (for LE) if everyone were to do it, and leaves you in danger of hitting rate limits. For example, with current rate limits and several subdomains on some of my domains (with separate certs), I’d hit domain and server IP rate limits if I updated all certificates on a weekly basis.
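The daily check-then-renew pattern described in the post above, written out as an added example (this is not code from the thread or from any Let’s Encrypt client). It assumes a hypothetical certificate path `CERT_PATH`, a hypothetical external renewal command `RENEW_CMD`, and that the `openssl` CLI is available; the decision logic itself (`days_until_expiry`, `decide`) is pure and only needs the standard library.

```python
#!/usr/bin/env python3
"""Daily check-and-renew wrapper (added example, not from the thread).

Run it from cron once a day. It only contacts the CA when the current
certificate has less than RENEW_WITHIN_DAYS of validity left; otherwise
it exits without doing anything. A failed renewal exits non-zero and is
simply retried by the next day's run.
"""
import ssl
import subprocess
import sys
import time

CERT_PATH = "/etc/letsencrypt/live/example.invalid/cert.pem"  # placeholder path (assumption)
RENEW_CMD = ["/usr/local/bin/renew-cert.sh"]                 # placeholder command (assumption)
RENEW_WITHIN_DAYS = 28                                        # threshold used in the post


def not_after_from_openssl(cert_path: str) -> str:
    """Return the notAfter field of a PEM certificate using the openssl CLI.

    openssl prints a line such as 'notAfter=Jun 30 12:00:00 2016 GMT';
    only the part after '=' is returned.
    """
    out = subprocess.run(
        ["openssl", "x509", "-noout", "-enddate", "-in", cert_path],
        check=True, capture_output=True, text=True,
    ).stdout.strip()
    return out.split("=", 1)[1]


def days_until_expiry(not_after: str, now: float) -> float:
    """Days between 'now' (epoch seconds, UTC) and the certificate's notAfter.

    ssl.cert_time_to_seconds parses the 'Mon DD HH:MM:SS YYYY GMT' format
    that openssl and the ssl module both use. Negative means already expired.
    """
    expiry = ssl.cert_time_to_seconds(not_after)
    return (expiry - now) / 86400


def decide(not_after: str, now: float, threshold_days: int = RENEW_WITHIN_DAYS) -> str:
    """Return 'renew' if the certificate expires within threshold_days, else 'skip'."""
    return "renew" if days_until_expiry(not_after, now) < threshold_days else "skip"


def main() -> int:
    not_after = not_after_from_openssl(CERT_PATH)
    remaining = days_until_expiry(not_after, time.time())
    if decide(not_after, time.time()) == "skip":
        print(f"{remaining:.1f} days left, more than {RENEW_WITHIN_DAYS}; nothing to do")
        return 0

    # Below the threshold: attempt the renewal. A non-zero exit code lets
    # cron/systemd surface the failure, and tomorrow's run will try again
    # because the remaining validity is still under the threshold.
    result = subprocess.run(RENEW_CMD)
    if result.returncode != 0:
        print("renewal failed; will retry on the next run", file=sys.stderr)
        return 1
    print("certificate renewed")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

The point of splitting the decision out of `main` is that the "less than 28 days left" rule can be exercised with constructed `notAfter` strings and a fixed clock, so the only thing that touches the CA is the renewal command, and only on the days when the threshold is actually crossed.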


#3

I should have no problems when it comes to rate limits. So can I assume that there is no policy by Let’s Encrypt that bans 1 week renewal process?


#4

As far as I’m aware there is no policy, no. I’ve no more official position in LE than you though, so we need to wait for them to give a more official response.

I personally wouldn’t, as I stated above; I wouldn’t want to load LE servers up with renewals. The certs are valid for 3 months; their guidelines suggest renewal after 2 months.


#5

As Let’s Encrypt is in their beta phase, it’s not unusual for users to experiment of course… That’s only natural…

But if I were Let’s Encrypt (and, as with serverco, I’m no LE official or whatsoever), and I would see a client acting in such a way, I would very much ask the user to cease such behaviour. Although not explicitly mentioned in the subscriber agreement, LE may just refuse to grant you your request for a certificate, without any reason (see 3.3).

If I were LE, I would certainly build in some kind of rate limit which would ban clients which would have this kind of behaviour, because of all the insane amount of stress/load on the infrastructure if everybody would do this.


#6

That’s why I want to know what the official policy on this issue is. Is 2 months the hard rule here? I believe the public deserves to know what the policy about this is. 1 week isn’t really that long, especially when the rate limit is concerned.


#7

Can I swap the question round? Why do you want to renew a certificate and get a new one every week?


#8

Because it fits my use case. I am not using the issued certificate for serving HTTPS pages BTW.


#9

Are you happy to expand on your use case? There may be a more optimal solution for you.


#10

I use it for certificate-based authentication. For what program, I will not say. My policy before Let’s Encrypt came about was to rotate the certificate (self-signed) every week.


#11

Hi, it is really bad because it unnecessarily increases the number of certs that need to be signed for OCSP.
So please use an interval of 85 days or so.


#12

There’s no policy against it, but it’s slightly impolite to impose extra load unless there is a particular reason. Still, I can see some reasons that it might be useful - for instance, if you wanted to prepare for possible future short-lived certs (e.g. 7 days long), this might be a way to gain practical experience with rotating certs on a very frequent basis.

So: you won’t get banned for doing this, but if it becomes ubiquitous and starts to be a load problem we may wind up adding new rate limits.


#13

One question: for each cert that is valid, you are required to sign the OCSP response every 4 days.

Beginning with day 0, that means for a 90-day lifetime 23 signatures in 90 days for one certificate.
With one week, currently this implies 286 signatures in 90 days.

Would it be possible to add a lifetime shorter than 90 days in the CSR? For example 4 days?
Then there would be 45 signatures in the 90 days, since each cert is signed once and once for OCSP.


#14

Yep, we plan to explore that in the future! There’s no support in the CSR format for requesting durations, but I believe it was proposed and added for the next version of the ACME spec.


#15

OK, if it is not possible in the CSR, it could be an optional parameter in the JSON part.