- Many services that require SSL will not be webservers and almost all of these services require restarts to update their certificates. This is not acceptable. Frequent restarts of critical services will ruin those services.
- Smaller organisations running these services are particularly vulnerable as they tend to have smaller or non-existent technical staff that may not remember to update their certs and restart the services.
- The Let’s Encrypt team seems to be very about controlling the routines of their users/clients. There are established ways to do things - there are good reasons for certificates to be issued for periods of one year or longer, which is shown in the fact that everyone that currently issues certs does this.
That sounds like missing the point, to be honest. As @rakiru explained, your HTTPd is far from the only thing you’re going to be running that might require SSL. You might be running mail servers, an IRCd or IRC bouncer, any number of chat services, VPNs or other proxies, and so on - and practically none of these things can traditionally have their SSL certs updated without restarting the software and kicking all the clients, potentially missing critical mail or breaking the connection of people using your VPN.
It’s very easy to shove this problem off and ignore it, saying automate it as if that comes close to solving the issues caused by restarting critical services all the time, or by declaring it not our problem and stating that the software should adapt to the Let’s Encrypt model or certificate lifetimes, but realistically, neither of these things are going to help fix the problem and may, in fact, be a huge factor in people not using Let’s Encrypt entirely.
Let’s also not forget that many organisations that may end up using Let’s Encrypt will be small-to-medium-sized communities (like mine) with small technical staff - perhaps even totalling one person (again, like mine) - that simply stand zero chance of remembering to renew their certs. When you consider that you simply can’t feasibly automate everything, this can be a huge issue for those communities.
And really, if my Reddit session ID is important, my NickServ password is magnitudes more worthy of protection. You can’t just ignore other services because they aren’t HTTPds.
Additionally, and as other users above me have noted, the Let’s Encrypt team appears to be very into controlling the routine of its users. There are established ways of doing things that have been there for quite some time. I feel like we would have found better ways to do these things in the huge amount of time we’ve been doing them. CAs issue certificates for a year or more at a time, and while I’m not in a position to enumerate why they do this, I’m sure there are good reasons for doing so.
I remember reading at some point that people thought that the 90-day thing was a good idea because it will force people into a good routine but this sounds ludicrous to me. As a pretty forgetful person myself, it’s clear that you can’t learn to remember things better - If my certificate expires every 3 months instead of every 12 months, I’m just going to get annoyed and revert to semi-shady free cert sites because I don’t have to worry about it so much - the 90 day system wouldn’t make me remember to renew my certs more often, it would add stress as my certificates expire and all my services break down.
Apologies for the essay. I think I ended up rambling a bit too much but I hope I got my points across - I’ve been massively hyped about Let’s Encrypt since I heard about it a long time ago, but this 90-day thing makes it almost completely unusable for me, and I’m sure I’m not the only one.