Any rethinking the drop to 3 months for cert life?


#1

Just curious –

Has there been any thought to going back up towards 9 months for cert life span?

It seems like the reduction in admin time to shepherd these cert updates into place would be a welcome thing.

Thank you!
–doing some shepherding today


#2

What do you mean “back up”? The lifetime has always been 90 days. This has been discussed at great (indeed, tedious) length in the past, and seems highly unlikely to change, and especially unlikely to lengthen. The lifetime might reduce, though.


#3

What is this then, from the link found on this site that I linked above?

Shorter authorization lifetimes
Estimated date: August 3.
Right now, when you complete a challenge, your account gets a validated authorization object that can be used for certificate issuance for 10 months. That’s much longer than necessary. We’re going to change the lifetime for new authorization objects to 90 days. Existing, validated authorization objects will keep their same lifetime.

Reducing cert from 3 months would be terrible,
as it already is difficult to manage for non-certbot users;
or for anyone that runs into an issue.


#4

It has nothing to do with cert lifetime, but with how long an authorization is valid to allow you to issue a cert.

If you’re using the system properly, the lifetime is irrelevant–it could be reduced to a week with very minimal impact on end users. If you’re doing things manually with any regularity, you aren’t using the system as it was designed and intended to be used.

Suggest you familiarize yourself with the lengthy and tedious discussion I mentioned above–I have trouble imagining that there are any points that haven’t already been made, and discussed ad nauseam. See:


#5

To provide additional context, an authorization is how you prove that you are allowed to generate a cert for a given name. When your client creates the DNS TXT records or hosts the /.well-known/acme-challenge/TOKEN file, it’s providing that proof. The authorization is then considered valid for a certain lifetime so if you request a new cert for the same name, you don’t have to prove ownership again during that lifetime. I believe that authorization lifetime is currently only 30 days.
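
As an added worked example (not code from this thread or from any ACME client), the proof of control described in the reply above, computed on both sides: what the client publishes for HTTP-01 and DNS-01 from the CA's challenge token and its own account key, and what the CA recomputes and compares against. The account JWK and token below are constructed placeholders rather than a real key, and the function names are this example's own.

```python
"""ACME proof of control for HTTP-01 and DNS-01 (RFC 8555 sections 8.1, 8.3, 8.4).

Added example: the token and account key below are constructed placeholders,
not a real account key, and this is not code from any ACME client.
"""
import base64
import hashlib
import hmac
import json
from typing import List, Tuple


def b64url(data: bytes) -> str:
    """Base64url encoding without '=' padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 JWK thumbprint: SHA-256 over the required public members only,
    serialised in lexicographic key order with no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """token '.' thumbprint: binds the CA's challenge token to this account key,
    so a host that can serve files but lacks the key cannot satisfy the challenge."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


# ---- client side: what gets published ----

def http01_resource(token: str, account_jwk: dict) -> Tuple[str, str]:
    """(URL path, body) the client must serve over plain HTTP on port 80."""
    return f"/.well-known/acme-challenge/{token}", key_authorization(token, account_jwk)


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """TXT record value for _acme-challenge.<name>: base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


# ---- CA side: what gets checked ----

def ca_verify_http01(served_body: str, token: str, account_jwk: dict) -> bool:
    """The CA fetches the resource itself and recomputes the expected body from the
    account key it holds. Trailing whitespace is ignored (RFC 8555 section 8.3)."""
    expected = key_authorization(token, account_jwk).encode("ascii")
    return hmac.compare_digest(served_body.rstrip().encode("utf-8"), expected)


def ca_verify_dns01(txt_records: List[str], token: str, account_jwk: dict) -> bool:
    """The CA queries the TXT records; any one matching value satisfies the challenge."""
    expected = dns01_txt_value(token, account_jwk).encode("ascii")
    return any(hmac.compare_digest(r.strip().encode("utf-8"), expected) for r in txt_records)


# Constructed placeholders (NOT a real key; n is far too short to be a usable modulus).
ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc",
    "alg": "RS256",  # extra members are ignored by the thumbprint
}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed challenge token


if __name__ == "__main__":
    path, body = http01_resource(TOKEN, ACCOUNT_JWK)
    print("serve", path, "->", body)
    print("_acme-challenge TXT ->", dns01_txt_value(TOKEN, ACCOUNT_JWK))
    print("CA accepts http-01:", ca_verify_http01(body + "\n", TOKEN, ACCOUNT_JWK))
```

The point worth noticing is that the published value is derived from the account key, not just the token: proving control of a name and holding the ACME account key are deliberately tied together, which is why the resulting authorization can be cached for the lifetime being debated in this thread and reused for later issuances under the same account without re-running the challenge.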


#6

Yep, we’re planning on keeping certificate lifetime at 90 days. From your username, I’m guessing you’re using Windows, where there aren’t as many client options and automated renewal might not be as smooth. I’d be curious to hear what you’ve tried so far for automated renewals and what the pain points are. It might be valuable inspiration for the authors for Windows clients.


#7

@rmbolger - thank you!

@danb35 - you have answered two questions of mine and you always sound #cocksure of yourself and combative.   Please bypass my questions going forward.


@jsha -- The steps for #Windows are indeed much trickier.

I have documented many of the problems facing Windows users.
And I have a web page for this.

I will show you – but it is currently stuck in a renewal right now with @JuergenAuer helping a bit on it:

see:


#8

@jsha (the above mention did not display correctly)