Maximum (and minimum) certificate lifetimes?


#134

There are other free certificates for one year, and paid ones for $15; will someone really install a 90-day one to save $15?

It makes no sense at all. The only purpose of these certificates is for testing.


#135

Yes, Google is probably just using them for testing… They have been using 90 day certs for quite some time now, you can see it when looking at the certificate details for google.com or here: https://www.ssllabs.com/ssltest/analyze.html?d=www.google.com&s=74.125.239.137&hideResults=on


#136

This tutorial by @renchap solved all of my “renewal” problems. It doesn’t even need to stop the server to pass the challenge. Honestly, renewing certs every 60 days might be great; it forces us to automate everything and eliminate any human error that could screw everything.
(that, of course, only if the automation process is done correctly)


#137

Creating a certificate system requires a lot of responsibility. If certificates of more than 90 days are unsafe, they should not exist in any other case; if wildcard certificates are unsafe, they should not exist at all.

It is not a security problem, it is a problem of responsibility. They want to do something that requires a lot of responsibility without assuming it at all.

Security is not a reason, it’s an excuse.


#138

That’s really a good solution, a second root. I’m actually using that in my integration as well. :+1:


#139

yup, @renchap's guide at Howto: easy cert generation and renewal with nginx :slight_smile:


#140

I presume you in a way shared an opinion with this extremely vocal “90 days certs are bad” minority. And basically said that Google engineers are out of their minds… And if you (and by you I mean everyone in the aforementioned minority group) don’t like LE practices, you are very much welcome to use the services of any other CA in the field. Freedom of choice, right? I thought it’s very much clear at this point that longer certificates from LE are a no go, and these complaints are not helping anyone, they’re just adding to the universe’s entropy.


#141

This discussion is the most active thread in this forum and the “minority” (as some “fanboys” call those who are against this policy) is the one that has voiced the real-world concerns of the 90-day limit. I have yet to see a compelling argument on why the limit is in place, other than “Google does it, so we must as well” or “it’s good for you, trust us”. This is the most ridiculous argument, which demonstrates the lack of real-world applications this project will have. Unless of course Let’s encrypt is aimed at Google-sized businesses, which makes perfect sense. Anyway, as an IIS server admin, who is snubbed in the n-th degree by this whole project, I’m disappointed by the lack of understanding on why people need a choice on the certificate validity length. The single-minded “automation” only, no manual process is also both annoying and dangerous. I just wish Let’s encrypt had informed us fully on their schemes before getting our hopes up. Anyway, I wish all the best to any poor soul wishing to commit to this project…


#142

It’s probably worth noting that Google wrote a majority of their software - they’re doing it because they can ensure it works. That doesn’t apply to most of us.


#143

I, and most of the dissenters, do not think 90-day cert lifetimes are necessarily bad. But our issue is with only issuing 90-day lifetime certs when there are clearly issues that make them impractical for many environments and applications.

If there were some significant technical limitation that prevented or made issuing 1-year lifetime certificates impractical, that would be different. But the Let’s Encrypt policy is being based on a misguided control-freak and behavior-driving philosophy. Beginning to feel like a government program. Might fit in well, philosophically, in China and NK.


#145

Well, that’s a layer 8 problem.

Well, nobody banned or censored you… I suppose that’s not very North Korean.

I don’t see any point in discussing this more, there are clear reasons why the working group has decided to set the 90-day lifetime on the certificate, and I can see you disagree but I can only observe that nothing is new enough to

That’s a poor excuse for bad practice in my opinion. Components of a system can fail, and that’s just a fact of life, but human interventions are error prone and should be avoided whenever possible.

I don’t see the issue here, your grandmother’s server must have a cronjob… just as any other server must have?


#146

I find it more than a little interesting that nobody seems to have actually addressed the real-world concerns raised in this thread, and that people just continue to complain about a “vocal minority” and make ad hominems and the like, while completely ignoring the reasons that that “vocal minority” exists to begin with.

Can we keep this thread constructive and on-point, please?


#147

This does not actually really address any of the concerns in this thread…


#148

If we check the artikel from josh (https://letsencrypt.org/2015/11/09/why-90-days.html),
there is a claim that 29% of “TLS transactions use 90 day certificates”.

  1. There is no source linked for this number.
  2. There is no relation between relevance and count (one page with 10 banner js/css/pics will overrate the banner connections).
  3. Also, this number means we miss more than 50% of the transactions. So the question is not how many for lifetime X but how many % for less than X, to see how many transactions are covered.

Second assumption: "They limit damage from key compromise and mis-issuance."
a) Automation means that not only the cert is on the server but also the key material for cert request/generation.
b) As long as not every new certificate is notified via mail, you need to check the CT server to see if there is not always a second cert for your domain.
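As an added example (not from this thread, and not Let’s Encrypt’s own tooling), this Python script turns the automation argument in #136 and the lifetime and mis-issuance concerns in #148 into the check a renewal cronjob would run: the 90-day ceiling and the 30-days-left renewal threshold are assumptions for the example, and the certificate dates are constructed sample data in the string format `ssl.getpeercert()` uses.

```python
import ssl
from datetime import datetime, timezone

# Thresholds assumed for this example: LE issues 90-day certificates and the
# thread's rule of thumb is to renew at day 60, i.e. with 30 days left.
MAX_LIFETIME_DAYS = 90
RENEW_WHEN_DAYS_LEFT = 30
SECONDS_PER_DAY = 86400

def lifetime_days(cert):
    """Total validity, from notBefore/notAfter strings as ssl.getpeercert() formats them."""
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return (not_after - not_before) / SECONDS_PER_DAY

def days_remaining(cert, now_epoch):
    """Validity left at now_epoch, in days (negative once expired)."""
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now_epoch) / SECONDS_PER_DAY

def renewal_decision(cert, now_epoch):
    """Classify a cert for a renewal cronjob.
    'lifetime-exceeds-policy': longer than the 90-day ceiling, so not what the
    automation expects and worth investigating (cf. the CT check in #148).
    'expired': automation failed; 'renew': act now; 'ok': nothing to do."""
    if lifetime_days(cert) > MAX_LIFETIME_DAYS:
        return "lifetime-exceeds-policy"
    left = days_remaining(cert, now_epoch)
    if left <= 0:
        return "expired"
    if left < RENEW_WHEN_DAYS_LEFT:
        return "renew"
    return "ok"

def check_all(certs, now_epoch):
    """Run the decision over every cert and return {subject: decision}."""
    return {cert["subject"]: renewal_decision(cert, now_epoch) for cert in certs}

# Constructed sample data shaped like the dicts ssl.getpeercert() returns.
SAMPLE_CERTS = [
    {"subject": "www.example.com", "notBefore": "Nov 9 00:00:00 2015 GMT", "notAfter": "Feb 7 00:00:00 2016 GMT"},  # 90 days
    {"subject": "old.example.com", "notBefore": "Jan 1 00:00:00 2015 GMT", "notAfter": "Jan 1 00:00:00 2016 GMT"},  # 365 days
]

if __name__ == "__main__":
    now = datetime(2016, 1, 15, tzinfo=timezone.utc).timestamp()
    for subject, decision in check_all(SAMPLE_CERTS, now).items():
        print(subject, decision)
```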


#149

Even if they did, forum policy is NOT the subject. The subject here is certificate lifetime policy.


#150

interesting comments at https://twitter.com/letsencrypt/status/663766137709031424


#151

That was pretty clever and quite funny. Made me chuckle even. Have seen that with Amerika before but this is the first time I’ve seen it with artikle.


#152

Unfortunately, the blog post is predictably utterly dismissive. People in this thread have given plenty of reasons why 90 days is unacceptably short. I won’t be using Let’s Encrypt. Well done LE, you have made your primary goal less achievable by COMPLETELY IGNORING user feedback.


#153

So you’re saying it’s so easy that all I have to do is change my whole website over to be hosted on nginx or Apache?


#154

If you’re referring to the Twitter link, I am saying it’s interesting to see the for and against arguments for 90-day expiry there as well as on the forums.