New lifespan is going to be 47 days instead of 90

Bad news: by 2029 the max certificate lifespan will be reduced to 47 days instead of 90. I kinda liked the 90-day certificates.

1 Like

Not sure why this would be bad news?

3 Likes

All 'renew 30 days before expiry' setups will now start to renew a 47-day cert every 17 days?

2 Likes

"30 days" is not the Let's Encrypt recommendation, it's at 2/3rds of the cert lifetime.

1 Like

I have no idea how many clients did that, but it looks like most clients used a fixed date for renewal and a numeric flag to change it:
certbot was doing that until about the last version, and we know how often we meet old versions on here. And lego still does 30 days before expiry (if not overridden by ARI); acme.sh renews after 60 days (so this will sleep for 13 days after expiry).

2 Likes

True. However, 2029 is a few years in the future, let's hope that by then people will have switched over to updated clients.

If not, we'll see the threads starting to open here with easy fixes :grin:

2 Likes

Renewing at 75% of elapsed lifetime is our current default in Certify The Web stuff, it's convenient because it works whether a cert lifetime is 90 days or 1 hour.

2 Likes

CertSage already flags to renew when:

time >= (validFrom + validTo * 2) / 3

Any ACME client implemented in such a way with adequately-frequent renewal checks should be prepared for almost any certificate length.

2 Likes
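As an added example (not CertSage's or Certify The Web's own code; the function names and the issuance date are this example's own), here is the 2/3 rule from the formula above next to the fixed "renew 30 days before expiry" policy from earlier in the thread, evaluated for 90-, 47- and 6-day lifetimes:

```python
from datetime import datetime, timedelta, timezone


def renew_after_elapsed(valid_from: datetime, valid_to: datetime, fraction: float = 2 / 3) -> datetime:
    """Renewal trigger for a proportional policy: the moment `fraction` of the
    lifetime has elapsed. With fraction=2/3 this is the thread's formula
    time >= (validFrom + validTo*2) / 3, evaluated on POSIX timestamps."""
    t0 = valid_from.timestamp()
    t1 = valid_to.timestamp()
    return datetime.fromtimestamp(t0 + (t1 - t0) * fraction, tz=timezone.utc)


def renew_before_expiry(valid_to: datetime, margin_days: int = 30) -> datetime:
    """Renewal trigger for a fixed-margin policy ('renew N days before expiry')."""
    return valid_to - timedelta(days=margin_days)


def should_renew(now: datetime, valid_from: datetime, valid_to: datetime, fraction: float = 2 / 3) -> bool:
    """True once the proportional policy says the certificate is due."""
    return now >= renew_after_elapsed(valid_from, valid_to, fraction)


def days_until_due(lifetime_days: float, margin_days: int = 30) -> dict:
    """Days after issuance at which each policy fires for a given lifetime.
    A fixed margin larger than the lifetime gives a negative value: that client
    treats the certificate as due from the moment it is issued."""
    issued = datetime(2025, 1, 1, tzinfo=timezone.utc)  # constructed issuance time
    expires = issued + timedelta(days=lifetime_days)
    proportional = (renew_after_elapsed(issued, expires) - issued).total_seconds() / 86400
    fixed = (renew_before_expiry(expires, margin_days) - issued).total_seconds() / 86400
    return {"proportional_2_3": round(proportional, 2), "fixed_30_days": round(fixed, 2)}


if __name__ == "__main__":
    # 90 -> 60.0 / 60.0, 47 -> 31.33 / 17.0, 6 -> 4.0 / -24.0
    for lifetime in (90, 47, 6):
        print(lifetime, "days:", days_until_due(lifetime))
```

Note that with a 47-day lifetime the 2/3 rule fires after about 31.3 days, which is the "covers the longest month" argument made later in the thread, while the fixed 30-day margin already drops to a 17-day cycle.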

I wonder why they chose 47 and not 45. I hope it's a nod to the Hollywood joke of sneaking 47 references into movies and TV. An alumnus from my college started doing that on Star Trek, and it spread like wildfire.

3 Likes

47 is a prime number.

1 Like

The longest month has 31 days.
In order to cover 31 days with 2/3 lifespan, we get [31*3/2=46.5 rounded up to] 47 days.
[so that you won't ever have to renew twice in one single month]

8 Likes

Makes much more sense than a Star Trek/Star Wars reference.

4 Likes

The math was actually 31 (longest month) + 15 (half month for renewal margin) + 1 (extra day for compliance margin). Basically the same, but the rounding was a bit earlier in the expression.

Let's Encrypt will likely offer 45- or 46-day certificates, I'd expect.

8 Likes

FWIW, here's an article about the Star Trek inside joke: Why Star Trek Is Obsessed With The Number 47

At some point, JJ Abrams learned about the inside joke and started using it in all his productions too as a nod to Star Trek. It eventually made its way into his Star Trek and then Star Wars movies, and then it started to become an in-joke with Star Wars writers too. A handful of other writers and directors are known to excessively use it as a tribute to the Star Trek joke.

4 Likes

I dunno, I'm more of a 3.14-day-certificate kinda guy.

3 Likes

This reminds me of the local authorities in the UK who keep reducing the road speed limits. It allows them to put up revenue-generating speed cameras, but when challenged they always say it is to improve road safety. But if you follow that to its logical conclusion, we will all be driving around in the safest cars the world has ever seen, often capable of speeds of 150mph or more, at 3mph with a man walking in front with a red flag!

Daily, no, hourly certificates are coming, I tell you... And will it actually prevent any breaches (has anyone ever known a 48-day-old certificate to be responsible for a breach)?

For WebPKI, hour-long certificates are a far stretch away, if ever, but 6-day certificates are already around the corner. (Not required, of course -- optional.)

Certificates aren't ever responsible for breaches. The point of short-lived certs is to lessen the reward of a successful breach, which, if the rest of the industry does their job right, should get more and more expensive. Thus inverting the cost-to-gain ratio, making attacks pointless. (Except perhaps for highly valuable targets from highly resourceful actors.)

4 Likes

The primary motivation for short certificate lifetimes is that Certificate Revocation is burdensome and inefficient. A revoked Certificate can appear to be valid for up to 10 days, depending on the browser and certificate details. Shortening the validity largely eliminates this issue.

2 Likes