Pros and cons of 90-day certificate lifetimes


Then you’ve created a different problem. You’ve still avoided the problem @jakepogo mentions (which isn’t true anyway). But the points you raise really go to the question of whether HPKP is really a good idea, not to the relative pros/cons of 90-day certificate lifetimes.


Well, yeah, true, and I think HPKP is a bad idea because there’s no way back.


Ah yes, it seems I must have skipped over the --csr flag at renewal while I was looking at this. Thank you guys, you’re lifesavers!


I personally use EE TLSA, storing the SHA-512 of the cert in a TLSA record, and I have an auto-renewal script that:
1. renews the certificate
2. publishes it in the DNS zone and deletes the hashes of expired certificates
3. waits for a TTL of the DNS zone
4. makes the cert available to the software
5. restarts/reloads the software using the certificate

It has worked perfectly fine for more than a year now.

Automation is, as has been repeated over and over in this thread, the key.


Well, be careful which EE you use: PKIX-EE still requires CA test, and DANE-EE doesn’t.
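As an added example, not code from either of the two posts above, here is the TLSA side of that renew-then-publish procedure in Python 3 standard library: PEM to DER, the `3 0 2` RDATA with a SHA-512 over the full certificate as the poster does, the RFC 6698 usage values behind the PKIX-EE versus DANE-EE remark (usages 0 and 1 still require the chain to validate against the client's CA store, 2 and 3 do not), and the add/delete decision that keeps the old record published until clients' cached copies have aged out. The certificate bytes, the zone name and the helper names are constructed for the example; publishing to the zone is left to whatever DNS API the reader uses.

```python
"""TLSA helpers for a renew, publish, wait-a-TTL, deploy rollover.

Added example, not code from the forum thread. The sample "certificate"
below is a constructed placeholder, not a real certificate.
"""
import base64
import hashlib
import re
import textwrap

# RFC 6698 TLSA field values. Usages 0/1 (PKIX-TA, PKIX-EE) require the
# certificate chain to pass normal PKIX validation as well as matching the
# record; usages 2/3 (DANE-TA, DANE-EE) are satisfied by the record alone.
USAGE_PKIX_TA, USAGE_PKIX_EE, USAGE_DANE_TA, USAGE_DANE_EE = 0, 1, 2, 3
SELECTOR_FULL_CERT, SELECTOR_SPKI = 0, 1
MATCH_SHA256, MATCH_SHA512 = 1, 2

# Constructed placeholder wrapped in PEM armour so pem_to_der() has realistic
# input (64-column lines, header and footer). NOT a real certificate.
_PLACEHOLDER_DER = b"constructed placeholder, not a real certificate " * 3
_body = base64.b64encode(_PLACEHOLDER_DER).decode()
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + "\n".join(textwrap.wrap(_body, 64))
              + "\n-----END CERTIFICATE-----\n")


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM string."""
    match = re.search(
        r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not match:
        raise ValueError("no CERTIFICATE block found")
    # PEM bodies are line-wrapped base64; strip all whitespace before decoding.
    return base64.b64decode("".join(match.group(1).split()))


def tlsa_rdata(der: bytes, usage: int = USAGE_DANE_EE,
               selector: int = SELECTOR_FULL_CERT,
               matching: int = MATCH_SHA512) -> str:
    """Build the presentation-format RDATA, e.g. '3 0 2 <hex digest>'.

    Only the full-certificate selector is handled here; the SPKI selector
    would need an ASN.1 parser to extract SubjectPublicKeyInfo.
    """
    if selector != SELECTOR_FULL_CERT:
        raise NotImplementedError("SPKI selector (1) not supported in this example")
    if matching == MATCH_SHA512:
        digest = hashlib.sha512(der).hexdigest()
    elif matching == MATCH_SHA256:
        digest = hashlib.sha256(der).hexdigest()
    else:
        raise ValueError("matching type must be 1 (SHA-256) or 2 (SHA-512)")
    return f"{usage} {selector} {matching} {digest}"


def tlsa_owner(zone: str, port: int = 443, proto: str = "tcp") -> str:
    """Owner name for the TLSA record of a service, e.g. _443._tcp.example.com."""
    return f"_{port}._{proto}.{zone.rstrip('.')}."


def plan_rollover(published: set, new_rdata: str, expired: set) -> tuple:
    """Decide which TLSA RDATA to add and which to delete at renewal time.

    The new record is added BEFORE the renewed cert is installed, and only
    records belonging to expired certs are removed. The record of the cert
    still serving traffic is kept, so resolvers holding cached TLSA data
    continue to validate until the zone TTL has passed and the switch happens.
    """
    to_add = {new_rdata} - published
    to_remove = published & expired
    return to_add, to_remove


if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    print(tlsa_owner("example.com"), "IN TLSA", tlsa_rdata(der))
```

In the procedure from the post, the order matters: compute `tlsa_rdata()` for the renewed cert, apply `plan_rollover()` to the zone, sleep for the zone TTL, then install the cert and reload the services. Deleting the old record in the same step as adding the new one would break clients that cached the old record until their copy expires.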


3 posts were split to a new topic: Java keystore automated renewal challenges


Sorry about the lack of a response for so long. I stopped playing around with certbot and LE for a while because I had other priorities.

I misspoke, and misspoke badly. I have thought about it, and the problem I have is not necessarily the lack of support for automation, but rather, whether or not tools already exist to automate the process for a given server.

And I realized that I have a (possibly unique) situation, and I’m going to have to create my own tools to automate everything. I have a VPS dedicated to running certbot. I have several other VPSes running web servers. Mostly Apache on Ubuntu, but there is at least one running Jetty on Ubuntu – it’s a Java-powered servlet container, so one of the tasks I need to automate is importing the cert into a keystore that the server will read… and then, there’s the one Windows VPS I run, which runs IIS. I want to do all of the certificate management on the certbot VPS and have the web servers rsync the certs over SSH and install them, and restart the web server.

Also, I want to use DNS challenges to validate my certificates. That will require me to create a tool that is able to interface with the DNS Made Easy API, since there are (as far as I can tell) no such tools in existence yet. Most of my scripts will only be useful to me, but once I get the DNS Made Easy scripts written and tested, I plan to stick them on Github so other people can use them.


Also, I’m using certbot now, but I am not sure whether I’m going to continue using it.


@stevesobol I’m slightly biased (having written GetSSL), but it was designed to do virtually exactly what you want (run on one server, and copy the certs to other servers). Also have a look at some of the other alternative clients.


Will definitely check it out…


I was wondering just that - you might be better off with @Neilpang’s or @serverco’s GetSSL.

I’m using Certbot, but my setup is far simpler than yours. Also, Certbot is dependency-heavy, and prone to breakage when a dependency is either not upgraded enough, or upgraded too far. That’s broken my config a few times.

Also, Certbot requires root, whereas other clients can run as an unprivileged user without issues. You might find you don’t need to have the Let’s Encrypt client run in its own VPS in the first place.

Good luck! I’m really happy to hear your willingness to share any scripts you write 🙂


From the looks of it, DNS Made Easy is large enough that many people might benefit from your scripts. They might also interface well with GetSSL from @serverco, which has an in-built hook for external scripts to add/delete DNS records.


@gypsypriest DNS Made Easy is a pretty big enterprise-quality provider with a stable API, and yes… that’s EXACTLY why I’m planning on open-sourcing my work. I figure others can benefit from it.

@DarkSteve It’s a $5 DigitalOcean VPS, and I like being able to spin up inexpensive servers so I don’t have to have a small number of servers, each performing a whole bunch of different functions. 🙂

Everyone seems to be endorsing GetSSL. Seems to me that that’s the way to go, and it may already work with DNSME.


Kudos! That’s what makes open source so good, everyone helping everyone. That, and instead of reinventing the wheel we can make better gears to turn the common wheel, or better trails for the wheel to follow. 🙂


Been around about as long as you have, and if updates create disaster, what happens without updates? I’m very happy to use DVDs and SSDs instead of paper tape and Hollerith codes, though I was happy to see the cards I could mark rather than key punch. I’m going to guess that you are not still using a PDP-11, or some such, and that your system gets updates once in a while. How often do you run updates? Yearly? Quarterly? Daily? Does your system have an hourly cron that checks for updates? Would you argue that system updates should only be done every 12 months because something might break? 🙂 I’m for 90 days, and happy when, if, it goes less. Nothing is “set it and forget it,” but automation sure is nice as far as it goes.

A post was split to a new topic: Renewing with slow DNS

A post was merged into an existing topic: Domain services in addition to certificate services

A post was merged into an existing topic: Domain services in addition to certificate services

A post was split to a new topic: Shorter certificate lifetimes