Maximum (and minimum) certificate lifetimes?

I find it more than a little interesting that nobody seems to have actually addressed the real-world concerns raised in this thread, and that people just continue to complain about a “vocal minority” and make ad hominems and the like, while completely ignoring the reasons that that “vocal minority” exists to begin with.

Can we keep this thread constructive and on-point, please?

5 Likes

This does not actually really address any of the concerns in this thread...

5 Likes

If we check the artikel from josh (https://letsencrypt.org/2015/11/09/why-90-days.html), there is a claim that 29% of “TLS transactions use 90 day certificates”.

  1. There is no source linked for this number.
  2. There is no relation between relevance and count (one page with 10 banner js/css/pics will overrate the banner connection).
  3. Also, this number means we miss more than 50% of the transactions. So the question is not how many for lifetime X but how many % for less than X, to see how many transactions are covered.

Second assumption: "They limit damage from key compromise and mis-issuance."
a) Automation means that not only the cert is on the server but also the key material for cert request/generation.
b) As long as you are not notified of every new certificate via mail, you need to check a CT server to see whether there is a second cert for your domain.

4 Likes
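As an added example (not code from the original thread or from Let's Encrypt), a small Python check of the kind point b) above calls for: it walks constructed CT-monitor records for one domain, flags any certificate our own automation never requested, and flags a stalled renewal under the 90-day lifetime / 60-day renewal cadence. Record fields, fingerprints and dates are all constructed.

```python
from datetime import datetime, timedelta, timezone

def parse_ts(ts):
    """Parse an RFC 3339-style UTC timestamp ('2015-11-01T00:00:00Z')."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

# Constructed CT-monitor output for one domain (fingerprints and dates are
# made up; they are not real Let's Encrypt or CT-log data).
CT_RECORDS = [
    {"issuer": "Let's Encrypt Authority X1", "sha256": "fp-constructed-0001",
     "not_before": "2015-11-01T00:00:00Z", "not_after": "2016-01-30T00:00:00Z"},
    {"issuer": "Let's Encrypt Authority X1", "sha256": "fp-constructed-0002",
     "not_before": "2015-11-05T00:00:00Z", "not_after": "2016-02-03T00:00:00Z"},
    {"issuer": "Some Other CA", "sha256": "fp-constructed-0003",
     "not_before": "2015-11-08T00:00:00Z", "not_after": "2016-11-08T00:00:00Z"},
]

# Fingerprints of the leaf certificates our own ACME client actually obtained.
# Anything in the log that is not in this set was not requested by us.
KNOWN_FINGERPRINTS = {"fp-constructed-0001", "fp-constructed-0002"}

def audit_ct_records(records, known_fingerprints, now, renew_after_days=60):
    """Return (unexpected, overdue).

    unexpected: log entries whose fingerprint our automation never produced,
                i.e. a 'second cert' for the domain that needs investigation.
    overdue:    the newest cert we do know about, if it is older than
                renew_after_days and no newer known cert has appeared, which
                means the renewal automation has stalled.
    """
    unexpected = [r for r in records if r["sha256"] not in known_fingerprints]
    known = sorted((r for r in records if r["sha256"] in known_fingerprints),
                   key=lambda r: parse_ts(r["not_before"]))
    overdue = []
    if known:
        newest = known[-1]
        age = now - parse_ts(newest["not_before"])
        if age >= timedelta(days=renew_after_days):
            overdue.append(newest)
    return unexpected, overdue

if __name__ == "__main__":
    now = parse_ts("2016-01-10T00:00:00Z")
    unexpected, overdue = audit_ct_records(CT_RECORDS, KNOWN_FINGERPRINTS, now)
    for r in unexpected:
        print("UNEXPECTED cert from", r["issuer"], r["sha256"])
    for r in overdue:
        print("RENEWAL OVERDUE for", r["sha256"], "expires", r["not_after"])
```

A real monitor would feed this from a CT log or CT search service and compare against the fingerprints your ACME client records at issuance time.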

Even if they did, forum policy is NOT the subject. The subject here is certificate lifetime policy.

3 Likes

interesting comments at https://twitter.com/letsencrypt/status/663766137709031424

1 Like

That was pretty clever and quite funny. Made me chuckle even. Have seen that with Amerika before but this is the first time I've seen it with artikle.

2 Likes

Unfortunately, the blog post is predictably utterly dismissive. People in this thread have given plenty of reasons why 90 days is unacceptably short. I won’t be using Let’s Encrypt. Well done LE, you have made your primary goal less achievable by COMPLETELY IGNORING user feedback.

5 Likes

So you’re saying it’s so easy that all I have to do is change my whole website over to be hosted on nginx or Apache?

1 Like

If you’re referring to the twitter link, I am saying it’s interesting to see the for and against arguments for 90 day expiry there as well as on the forums.

1 Like

No, nginx or Apache are only samples. It is possible to run letsencrypt with any server that uses X.509 certificates for SSL.
Like sendmail/postfix for the SMTP protocol. With DVSNI you are not even limited to the HTTP protocol for authorization.

2 Likes

I think the phrase "It is possible to run letsencrypt with any server…" may be misleading. Though it is possible to use LE issued certificates on them, LE does not have a client that works to automate many/most of them. Therefore it is impractical to do ongoing 90 day renewal.

Just because the certs can be used does not mean there is a practical implementation for them.

4 Likes

It's not exactly hard, though - the certs all go to a specific place, especially if you're overwriting them, and I'd be surprised if an application doesn't allow you to specify the location of your certs. If not, you can symlink them, in most cases.

1 Like

Honestly, if your current application environment is working, why don't you stick with it?

This is a simple cost/benefit consideration. If your current environment is working, stick with it! If the benefit of using Let's Encrypt justifies your costs, then change.

Simple if you think about it!

2 Likes

That's rude.

Can you just ... go away? Or at least show some respect?

Some of us are trying to create useful things with Let's Encrypt, so we stay clued in on the topics to keep informed, but comments like yours are, frankly, a waste of my time and everyone else's who want to see only the parts that are constructive.

(Sorry to bring this up in the middle of an active thread, but I can't find a way to hide posts by selected users.)

4 Likes

That's the problem. It's not. But it could be if not for one single simple totally bogus policy. That's what dissenters in the community are trying to get across. But LE is completely dismissive and inflexible even though there is no hard requirement for this totally bogus policy.

3 Likes

Thanks for not resorting to a personal attack there dude instead of making a case on point. Not!

I'm trying to do useful things with LE too. Just because what I'm trying to do is not viewed as useful to/by you does not make it any less valid.

If you're going to preach, don't throw stones in your glass cathedral.

3 Likes

Your decision process should still be the same. If LE works better than your current solution then use it. If it is more pain than it's worth then don't.

One man's "bogus policy" is another man's "security feature/requirement"! Why do you think Google is using 90 day certificates?

Also: Did you read the LE mission statement? About Let's Encrypt - Let's Encrypt

The key principles behind Let’s Encrypt are:
Free: Anyone who owns a domain name can use Let’s Encrypt to obtain a trusted certificate at zero cost.
Automatic: Software running on a web server can interact with Let’s Encrypt to painlessly obtain a certificate, securely configure it for use, and automatically take care of renewal.
[...]

Who gave you the right to argue with their principles? Ask for change and make your point: sure thing! Everything more is in my humble opinion only showing disrespect to all people who put a lot of time and effort into this project.

In my case: LE fits for some of my use cases and not for others. I am grateful for what LE is providing and will keep thinking about simplifying my "other cases".

BTW: To all developers and supporters of Let's Encrypt: THANK YOU GUYS AND GALS!

3 Likes

Guys, let’s not turn this thread into a flamewar. We’re all interested in LE, after all, that’s why we’re here, right?

Symlinks are a great way to shoehorn the certs into most applications - and they’re supported on all platforms I can think of right now. It’s not about changing your application environment up, the point of symlinks is that you make your application environment work with the new tools. To make LE easier to use, I created a /etc/nginx/letsencrypt with symlinks to my certs and a renew.sh for cron, because I like to keep all web-related stuff with my webserver config. Seems logical to me, but as others have said, use what works for you.


Now that that’s out of the way, I believe that the 90-day certs and 60-day renewal will work for my purposes at the moment. That’s not to say there aren’t situations where it won’t be suitable - most people aren’t at liberty to write all their own software (like Google), and most developers can’t be expected to support certificate reloading in their applications - after all, their current system has worked fine for this long, it’d take a real push to convince most of them to change it, and they certainly won’t do it without a large portion of their userbase nagging them to, unless they’re already on the LE bandwagon.


I agree with the posts here saying that it seems like LE doesn’t care about this thread, though - they haven’t directly addressed any of the concerns, and the thread frankly seems to be snowballing right now. That said, there are a lot of concerns about this, and it’s going to take the LE team time to work up a response - not only from the PR perspective of defending their decisions, but also from the perspective of not wanting to disrespect the community by creating an uninformed or arrogant post.

3 Likes

And some of us don’t want to hear fanbois interjecting all the time about how we should shut up about our legitimate issues because they presumably never want anyone to say anything bad about LE.

2 Likes

Google is using 90 day certificates because they have the resources to get automated certificate renewal running and maintain it properly. Not everyone is Google.

What gives me the right to argue with their principles? A little thing called free speech. And I say that their principle of “Automatic” is downright stupid.

2 Likes