[Poll] Do we need longer cert validity times?


Continuing the discussion from Pros and cons of 90-day certificate lifetimes:
Since, in my opinion, posting a poll somewhere in a 200+ post discussion is plain messy, I am starting this poll thread.

Before you wildly click, let's remember this:
Creating a way to get longer cert times is not against creating shorter lifetimes; in fact, I think that people should be able to request anything from a day to a year, depending on what they need.

So let's get to it:
Do we need longer cert validity times (as an option)?

  • Yes
  • I don’t care
  • No


It's a Landslide

let me also add the results of this external poll:


Why? That's a different question as far as I can see (or are you just worried that 65% of results so far disagree with your preference?).


While it is not the exact same question, it is related, and I just thought we should include it because I happened to find it while searching for my poll.

(Well, honestly, I am worried, but even then, if I had found the other poll and it had had "bad" results, I think I would still have included it.)


Considering that poll was posted in November, the difference could be interpreted as evidence that while people thought originally that longer certificate lifetimes would be necessary, experience has changed many of their minds.

Or alternatively, I suppose, that most of those wanting longer lifetimes have given up and left.


Seems legit. Personally, I think maybe some have given up because the way automation is done literally makes manual issuance way too difficult. If it were easier, it could be done every 90 days, but the way it is now is not very promising, and I read of people who said that they won't use LE because they don't want to have software that messes around with the certs on their server.


jmorahan, I agree. Late last year I originally thought the LE team’s push for automation was a bit over-zealous and that 90 days was way too short, but it’s become pretty obvious that for the vast majority of situations, 90 days is not a problem at all.

Almost every complaint about or restriction imposed by 90-day certs has either been resolved, or was a misunderstanding in the first place (e.g. "Pinning doesn't work with 90-day certs!").

And that’s ignoring the benefits to development and bug-fixing when the cert life cycle is shorter. I’m pleased to see the trend in this poll.



[quote]I read of people who said that they won't use LE because they don't want to have software that messes around with the certs on their server.[/quote]

I don't understand this at all, for multiple reasons. Having your software or conf files reference an unchanging link is incredibly practical; I'd hardly call that "messing around with certs". Secondly, no configurations are required to be changed: I had the client simply provide certs and then manually configured Apache and Postfix to use them.

Lastly, you’re not locked into a single client, there are multiple ones to choose from that do different things. You just need to choose the one that’s right for you. (That’s part of what I was talking about in my above post, when I said most complaints were based on misunderstandings.)

There are a small number of users that can't use Let's Encrypt, and StartSSL or other services may be better suited, but those cases have nothing to do with 90-day certs. You're effectively shifting goalposts now that you realise you're in the minority.


Let’s not make this thread a “war” of posts. I am also in this “minority”, but I don’t complain about it. @My1 Let’s see the results of the poll after 5 weeks or so, or at least when a good number of responses will be recorded.


Sorry, I’m not trying to make it a war of posts. I just find it frustrating when someone can’t accept their questions actually have answers, and their complaints are actually unfounded, and their goalposts are actually quite mobile. A bit like talking to a creationist :wink:

I'm sure there are legitimate points to be made about why 90 days is too short, I just haven't heard any of them. LE is still beta; it's still developing. I mean, the client is still version 0.4! Claims that it doesn't cure cancer are a bit premature.

I haven't even hit my first 90-day renewal time yet, so I'm finding it bizarre to be told the sky is falling because 90-day certs are "messing with my server".


Nah, but sometimes people want nothing on the server to change automatically except for the user-generated content on a page.
Some are worried about a script phoning home every 60 days just for a cert.


If that's the case, they should just use a different CA. Don't pretend LE is a good fit if it's not.

Frankly, given how confused and poor the support for certificate revocation is, I'd be more than happy if at some point (when the automation is fully operational) LE reduced the lifetime of a cert even further, to (e.g.) 15 days.


Well, I have nothing against offering short certs as an option, but in my opinion there should at least be an option for longer certs as well.

Also, when they started they pretty much seemed like heaven on earth, but what we got, well…


That helps only if you use a new key every time.


I feel like a poll (which is inherently based on popularity) is a poor metric for something that is likely to not cause problems for the majority of current Let’s Encrypt users. After all, if LE didn’t fit into their setup, they probably wouldn’t be here to begin with. Bit of an echo chamber effect.

Why not just focus on the technical arguments alone?


I think it's the other way round. If you're not a creationist, you must be ready to challenge your facts all the time instead of saying "the book already answered it, with a good reason given".

I don't care; 90 days and automation are okay.


I'll agree with this to the extent that the automatic webserver configuration doesn't appear to work as smoothly as expected (yet; remember the client is only at version 0.4, and the project as a whole is still in beta). That's not really a factor for me with the way my server operates. But the rest of what they promised (namely, free, trusted, automated certificate issuance and renewal) works near-flawlessly for an awful lot of people.

LE never promised, or even mentioned, an easy/simple/convenient way to manually issue a cert. It has always been about running a command (i.e., software) on the server to be secured, and that command/software handling the cert issuance. If you were expecting manual issuance (which you apparently were, since that’s what you complain about), your expectations were not grounded in anything the LE project said or demonstrated.


Well, they were maybe not grounded in what LE said, but rather in how any other CA would most probably do it.


All the information they published (and there was a lot: videos, conference presentations, news releases, etc.) made the point that they were trying to be different from any other CA. It's always been explicitly about automation. So why would you expect them to do things "how any other CA would most probably do it"?

You are apparently expecting LE to solve a problem that they don’t solve, aren’t trying to solve, and have never said they would solve. It seems unlikely you’ll be satisfied with the outcome of this situation.


Restoring the poll back to the top of the forum.