Experimenting with Lets Encrypt

My domain is: tener4assembly.com
The operating system my web server runs on is (include version): Linux in the past now am using OpenWRT and moving to pfSense
I can login to a root shell on my machine (yes or no, or I don't know): Yes

I am interested to understand a few things:

I began doing some testing with staging and thought I was ready to use production and ran my certificates. I now need to it over and am worried about rate limiting and how long I must wait to redo it?

I also am curious if there is a way for me to reset or empty my history for my domain at some point as I am ready to really do things for real at this point.

Thanks!

Stuart

2 Likes

Welcome to the Let's Encrypt Community, Stuart :slightly_smiling_face:

For production, you currently only have two certificates that cover tener4assembly.com and *.tener4assembly.com within the last week, so not much to worry about there. It might look like there were four certificates, but they're in pairs: leaf certificate then precertificate. For staging, I'm pretty sure you're fine.


There isn't a way to "reset your history", just as there is no way to "unuse" the resources you've used. If your certificates' private keys haven't been compromised, there's nothing you really need to do.

3 Likes

If you're using the production environment, you're using real resources from Let's Encrypt. The more certificates issued, the more resources are required, the more money is required. So no, for the production environment there is no way to "reset" or "empty" anything: once a certificate has been issued, its resources have been spend.

Please use the staging environment for all testing and if you're satisfied only then switch to production.

Please see the rate limit documentation for all the specifications for all the different forms of rate limits.

3 Likes

Indeed I would agree that one cannot unuse CPU processing time, memory accesses, or electricity, but if a database is using resources by containing (and ostensibly backing up) data I no longer need (old certificates), why would their erasure or deletion be anything other than "un-using" the space in the database or the resources to back them up?

If these are certificates I control and I am honestly stating some of this data I no longer use, why am I not the arbiter of my own data and able to authorize the destruction of data no longer needed?

Let me just say, I appreciate what Let's Encrypt is doing and am not trying to be argumentative, just curious why releasing resources I no longer need would be problematic?

Thanks!

2 Likes

This is because the CA/B Forum Baseline Requirements, which apply to all publicly trusted certificate authorities, require us to keep extensive audit records for all certificates we've issued.

If a certificate is revoked, we no longer have to sign new OCSP responses for it, but that's about the only resource savings available to us for certificates that we've already issued.

4 Likes

And those requirements impel a certificate authority to never delete them, after any period of time or even when they are no longer need as determined by the creator of the certificates?

Is an OCSP reply with status revoked allowed to be 90 days old then? I was under the impression that revoking only adds an extra OCSP response: the initial new OCSP response at revocation and also all the ones after that: same response lifetime but now with status revoked.

6 Likes

That's pretty much correct, I'm afraid. We are allowed to delete data seven years after the certificate's validity ends: https://github.com/cabforum/servercert/blob/main/docs/BR.md#552-retention-period-for-archive

This can be cheaper archive-only storage for the bulk of the 7 years. But since our certificates are valid for just 90 days, it saves us very little (and would add a whole new process to compose and maintain) to move a few certificates to archival just a little bit early.

4 Likes

Oops, you're right! So we're on the hook either way.

5 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.