From a beginner with Let’s Encrypt:
I have been playing with computers since '72, and it’s still my main activity, and hobby.
I have only 2 domains and a mere 13 sub-domains, one at 4th level. (Nothing compared to a major business.)
I use one domain for small business eCommerce activities.
I use shared hosting on Linux/Apache server with cPanel access.
My host has not enabled LE functionality in cPanel, and likely never will. (It would cut into their own cert sales revenue.)
I also host the majority of the sub-domains on my home computer, also Linux/Apache.
I came into this knowing nothing about certs or openssl, etc.
I have 3 certs from LE covering about half the sub-domains, as well as both domains themselves.
I have not tried to use any clients to automate the cert process, and have not scripted any part of the process.
I used zerossl.com for the original certs, and for the renewal - with HTTP verification in all cases.
I have reorganized, renamed, and scrambled my local server’s config multiple times.
I have read this thread from top to bottom.
The time spent, so far, in getting and configuring my certs, plus what renewals and experiments will likely take for the next two years, is less than the time I spent reading this single thread.
I can boil down everything “important” said, on topic, in this thread to one phase: "I’m too lazy to read."
IMHO 90 days is plenty of time for a cert’s lifetime.
I’m sure there are plenty of “edge” cases that could be found - maybe even my own - where 5-6 manual renewals per year is a PITA, but “manual” isn’t what LE is about.
I will automate, if I ever figure out what I’m doing, but manual wasn’t a PITA for me, a rank tyro, so how could it be any harder for those who claim to know what they are doing?
As many “members” have said herein, I have read nothing to justify the need for a longer lifetime, optional or not, manual or not.
Final though: keep it at 90-day lifetime, for now, and possibly reduce to 30 if the automation and LE’s OCSP signing capacity permit it.
5 Likes