I am trying to build an application for using Let's Encrypt. As per my understanding, there is no explicit renew-order API. I have to renew a certificate using the new-order API. My doubt is that, if I renew my certificate 30 days before the expiry as per the recommendation, then the renewed certificate will start from today to 90 days in the future. So, the validity period of my certificate would be: 90 - 30 + 90 = 150 days instead of 180 days (90 + 90).
Is there any way to solve this?
No.
Renewing is just the term coined for getting a brand new certificate for just the same hostnames. And the term is used in determining the duplicate certificates rate limit. But technically, "renewing" does not exist.
Why would 90-30+90 be an issue?
If I am offering it as a service, then it would be a problem right?
Depends what you offer/claim.
For example, I am trying to offer a platform as a website for the Let's Encrypt flow and work as a certificate manager to my customers. What would be your suggestion about how I should deal with renewing of certificate?
Just renew them in time (i.e., 30 days before expiry) for your customers? Your customers shouldn't have to deal with certificates, just that they're there and securing the platform.
I don't see how 150 or 180 days is important in this.
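To make the "renew in time" advice concrete, here is an added example (not code from the thread or from any Let's Encrypt client) that models renewal as what it actually is in ACME: a fresh new-order whose validity window starts at issuance time. It walks a constructed calendar, re-issues whenever the current certificate is within the 30-day lead window, and checks for coverage gaps. The `outage` parameter is an assumption introduced here to model a stretch of failed issuance attempts; the dates are constructed.

```python
from datetime import datetime, timedelta, timezone

# Values from the thread: 90-day certificates, renew 30 days before expiry.
LIFETIME = timedelta(days=90)
LEAD = timedelta(days=30)

# Constructed anchor date for the simulated calendar.
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)


def day(n):
    """Convenience helper: the n-th day after the constructed start date."""
    return T0 + timedelta(days=n)


def renewal_due(not_after, now, lead=LEAD):
    """True once the current certificate is within `lead` of its notAfter."""
    return now >= not_after - lead


def issue(now, lifetime=LIFETIME):
    """Model a new-order issuance: the new validity window starts at issuance
    time, not at the old certificate's expiry (ACME has no 'extend' operation)."""
    return (now, now + lifetime)


def plan_renewals(first_issued, horizon, lifetime=LIFETIME, lead=LEAD, outage=None):
    """Walk the calendar one day at a time, attempting a new order whenever
    renewal_due() fires. `outage` is an optional (start, end) window (an
    assumption of this example) during which every issuance attempt fails,
    standing in for CA, DNS or validation trouble.
    Returns the list of (not_before, not_after) windows actually issued."""
    certs = [issue(first_issued, lifetime)]
    now = first_issued
    while now < horizon:
        current_not_after = certs[-1][1]
        if renewal_due(current_not_after, now, lead):
            if outage is None or not (outage[0] <= now < outage[1]):
                certs.append(issue(now, lifetime))
        now += timedelta(days=1)
    return certs


def coverage_gaps(certs):
    """Intervals during which no certificate in `certs` was valid."""
    return [(prev[1], nxt[0])
            for prev, nxt in zip(certs, certs[1:])
            if nxt[0] > prev[1]]


def span_days(certs):
    """Days from the first notBefore to the last notAfter. For two certificates
    this is the 150 from the question: the 30-day overlap is counted once."""
    return (certs[-1][1] - certs[0][0]).days


if __name__ == "__main__":
    # Normal operation: second order goes out on day 60, no gap, 150-day span.
    certs = plan_renewals(day(0), day(61))
    print(len(certs), span_days(certs), coverage_gaps(certs))

    # The 30-day lead is retry headroom: an outage covering days 60-89 still
    # leaves issuance on day 90 with no gap; one that runs past day 90 does not.
    print(coverage_gaps(plan_renewals(day(0), day(100), outage=(day(60), day(90)))))
    print(coverage_gaps(plan_renewals(day(0), day(100), outage=(day(60), day(92)))))
```

The point the simulation makes is that the lead time is not lost validity but headroom: the new certificate overlaps the old one so that an issuance failure can be retried daily for up to 30 days before any customer sees an expired certificate. A service should therefore alert on a certificate that is still unrenewed well inside that window, not only at expiry.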
If you are handling their private keys (account or certificate), that would be a breach of the Let's Encrypt subscriber agreement. Please don't try to develop yet another website client that will result in many revoked certificates. This idea has been attempted and failed many times before.
Good to get clarification about this: I thought OP was developing some kind of website hosting service which includes a certificate.
But there are some websites like appviewx which provide Let's Encrypt certificates right? Is their implementation different from this? Do they function as a web hosting service also?
Load balancers, maybe?
We usually expect private keys not to be moved, touched, or even viewed once generated.
(there are use cases where that might be warranted, but they're not common and they require EXTREME CAUTION)
If you're operating as a true hosting provider where the certificates you acquire for your customers are only for domain names pointed at infrastructure you control that serves content and/or services for those domain names, you wouldn't be violating the subscriber agreement. If, on the other hand, you're acquiring certificates for domain names you're not hosting per the definition in the previous sentence, you would be violating the subscriber agreement since you would have no reason to have access to your customers' private keys.
Along with the above comments, when providing a service using Let's Encrypt certs please review at least this
And review the docs index for other useful info