Best practices for when to get a new certificate

I’m using the acme-client ruby library and there’s no method for renewing a certificate. I assume this means that I can just request new certificates whenever the expiration date for the prior certificate is near.

My questions:

Should I be revoking the old certificates after getting new ones or will Let's Encrypt do that for me?

Is there anything stopping me from just requesting a new certificate whenever I want?

This seems too good to be true.

Thanks for reading. Any help is appreciated.

No, revoking is only necessary if the private key is compromised (or if you can assume it is, or you don't know for certain that it isn't...).

No, Let's Encrypt won't revoke certificates automatically, especially if it isn't necessary in the first place :wink:

The rate limits will stop you if you request too much too fast :slight_smile:

Let's Encrypt is the exception to the rule "if it seems too good to be true, it probably is", because it actually really is true and it's very, very good :stuck_out_tongue:


Wow. Ok. Thanks so much!

Hi @jimmybaker,

> I assume this means that I can just request new certificates whenever the expiration date for the prior certificate is near.

Yes, we've recommended 30 days prior to expiry so that users have a chance of noticing and taking action if something goes wrong. It's sad to see cases where people say "my certificate is expiring tomorrow!" and experience such a sense of urgency about fixing the renewal process.

Revocation is only recommended if there's a reason to believe that the old certificate is inaccurate, or that its private keys have been compromised. You don't need to revoke old certificates when creating a new certificate. Certificates can have overlapping validity and coverage, which can be a good thing in many situations.

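The 30-days-before-expiry rule above is easy to encode in the client side of an acme-client based setup. The following is an added example, not code from the original thread or from the acme-client library: it reads the notAfter date out of an X.509 certificate with Ruby's OpenSSL bindings and decides whether a new order is due, treating an already-expired certificate as due as well. The hostnames and the self-signed certificates are constructed inline so the example runs offline; in a real deployment the certificate objects would be the ones the CA issued.

```ruby
require 'openssl'
require 'time'

# Recommended lead time from the thread: ask for a new certificate 30 days
# before the old one expires, so there is time to notice and fix failures.
RENEWAL_WINDOW_DAYS = 30

# Constructed self-signed certificate for demonstration only (assumption:
# the CA-issued certificate has a comparable notAfter). Never use this as a
# stand-in for a real certificate in production code.
def constructed_cert(common_name, not_before:, lifetime_days:)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = not_before
  cert.not_after  = not_before + lifetime_days * 86_400
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  cert
end

# Seconds until the certificate stops being valid; negative once it has expired.
def seconds_until_expiry(cert, now: Time.now)
  cert.not_after - now
end

# True when the certificate is inside the renewal window or already expired.
# The old certificate is left alone: it stays valid until notAfter and there
# is no need to revoke it just because a newer one exists.
def renewal_due?(cert, now: Time.now, window_days: RENEWAL_WINDOW_DAYS)
  seconds_until_expiry(cert, now: now) <= window_days * 86_400
end

# Multi-tenant helper: given a Hash of hostname => certificate, return the
# sorted list of hostnames that need a new order. Returning a list (rather
# than ordering immediately) lets the caller pace issuance instead of opening
# hundreds of authorizations at once.
def hostnames_due_for_renewal(certs_by_hostname, now: Time.now, window_days: RENEWAL_WINDOW_DAYS)
  certs_by_hostname
    .select { |_, cert| renewal_due?(cert, now: now, window_days: window_days) }
    .keys
    .sort
end

if __FILE__ == $PROGRAM_NAME
  now = Time.utc(2024, 3, 1)
  # Constructed fleet: 20 days left, 80 days left, and expired 10 days ago.
  fleet = {
    'a.example' => constructed_cert('a.example', not_before: now - 70 * 86_400,  lifetime_days: 90),
    'b.example' => constructed_cert('b.example', not_before: now - 10 * 86_400,  lifetime_days: 90),
    'c.example' => constructed_cert('c.example', not_before: now - 100 * 86_400, lifetime_days: 90),
  }
  puts hostnames_due_for_renewal(fleet, now: now).inspect
end
```

Run this on a schedule (daily is plenty for 90-day certificates) and only hand the returned hostnames to the acme-client order flow; the 30-day window means a failed run is a warning, not an outage.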

Ok last question. Is there a limit to the number of domains that I can verify with a single server private key registration? My app is multi-tenant and so I have no idea how many domains my customers will want to add. Should I be partitioning server keys for only N amounts of domains?

I wasn’t sure if you meant ACME account keys or the private keys for certificates, and also whether these are subdomains of your domains or not.

I mean acme account key. I registered one acme account key that I use when talking with the api. I assume I can use that key to validate domains that my customers say they want to use with my service (ie. myservice.customers-domain.com)

I just didn’t know if there was a limit to the number of domains/certificates that I can get per-acme-account-key.

The short answer is that there’s no limit. The longer answer is that there’s mostly no limit. :stuck_out_tongue_winking_eye:

https://letsencrypt.org/docs/rate-limits/

There’s no limit of “number of domains per account” or “number of certificates per account”.

You could run into the “overall requests per second” limit (regardless of how many accounts you have).

You could run into the “300 pending authorizations per account” limit. Normally, you have zero pending authorizations, and you only have one per hostname momentarily while issuing a certificate. But if you try to issue, say, 4 certificates, each for 100 hostnames, simultaneously, you could hit the limit. You could also hit it if you issue many certificates and the client occasionally crashes without cleaning up after itself, slowly piling up pending authorizations faster than they expire.

You may want to read the integration guide:

https://letsencrypt.org/docs/integration-guide/
