Pros and cons of 90-day certificate lifetimes

Wrong tool for the job. Cert lifetime policy should not be influenced by trying to solve non-cert issues.

2 Likes

I don’t mean it should be intended as a tool, but it sure as hell isn’t an argument for longer lifetimes as far as I’m concerned. A clock with an offset of such dimensions is something you should not be having, period. Not something a CA should have to worry about IMHO. Give me one good argument why they should? They can’t account for every PEBKAC now can they?

1 Like

Idiots aren't the reason why the cert lifetimes are like a year.
The point is that you don't have to hope like 6 times a year that your automation successfully renews the cert.
I'd rather have it one or 2 times a year where I do it myself rather than automating it, which has a lot of issues. What happens if the CA server fails for whatever reason?
I would know it when I do stuff myself and can, for example, get a cert from another CA in the worst case or retry tomorrow in a better case.

1 Like

LE advises a 30-day "grace period", so a hiccup shouldn't be a problem.

A good automated implementation wouldn't have such a SPOF anyway. It should not fail on a simple single failure at one point in time, but queue the certificate for renewal at a later time, perhaps with increments, like with mail delivery with SMTP.
Of course, currently, the official Let's Encrypt client is beta and, as far as I'm concerned, isn't qualified for proper renewal yet. Better: you shouldn't rely upon one service/daemon/cronjob to do the trick, but have at least a second program automatically check the automated process of renewal (which should also check itself).

1 Like
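The renewal design sketched in the post above (retry inside the 30-day grace window with increasing delays, plus a second, independent check) as an added example that is not code from the thread or from any Let's Encrypt client. The `flaky_ca` stand-in, the 1h/24h backoff values and the 7-day watchdog threshold are assumptions for illustration.

```python
from datetime import datetime, timedelta, timezone

LIFETIME = timedelta(days=90)       # cert lifetime discussed in the thread
RENEW_BEFORE = timedelta(days=30)   # the 30-day "grace period" from the post
WATCHDOG_ALERT = timedelta(days=7)  # assumed threshold for the independent check


def renewal_due(not_after, now):
    """True once the cert is inside the renewal window."""
    return not_after - now <= RENEW_BEFORE


def retry_delay(attempt, base=timedelta(hours=1), cap=timedelta(hours=24)):
    """SMTP-queue style backoff: 1h, 2h, 4h, ... capped at 24h (assumed values)."""
    return min(base * (2 ** attempt), cap)


def run_renewal(not_after, now, renew):
    """Keep retrying inside the window; never give up while the cert is still valid.
    `renew(now)` is a hypothetical callable returning the new not_after, or None when
    the CA is unreachable. Returns (new_not_after or None, attempts, time of last try)."""
    attempt = 0
    while now < not_after:
        if not renewal_due(not_after, now):
            now = not_after - RENEW_BEFORE   # sleep until the window opens (clock jump)
        new_not_after = renew(now)
        attempt += 1
        if new_not_after is not None:
            return new_not_after, attempt, now
        now += retry_delay(attempt - 1)      # queue for later instead of failing hard
    return None, attempt, now


def watchdog(not_after, now):
    """Second, independent check: looks only at the cert, not at the renewer's logs."""
    remaining = not_after - now
    if remaining <= timedelta(0):
        return "expired"
    return "alert" if remaining <= WATCHDOG_ALERT else "ok"


def flaky_ca(failures):
    """Constructed stand-in for a CA that fails the first `failures` calls."""
    calls = {"n": 0}
    def renew(now):
        calls["n"] += 1
        return None if calls["n"] <= failures else now + LIFETIME
    return renew


def demo(failures):
    """Constructed scenario: cert issued 2024-01-01 UTC, CA fails `failures` times."""
    issued = datetime(2024, 1, 1, tzinfo=timezone.utc)
    not_after = issued + LIFETIME
    new, attempts, when = run_renewal(not_after, issued, flaky_ca(failures))
    return (new is not None, attempts, (when - issued).days, watchdog(not_after, when))
```

With three consecutive CA failures the cert is still renewed on day 60 after four attempts spread over 7 hours; only a CA that stays down for the whole 30-day window ends in `expired`, which is what the watchdog is there to catch.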

Why make it so complicated when you can just do it yourself?
When you have to reinstall the system for whatever reason, then you have to set up and configure all the daemons again. It's quicker to sit down once a year for 5 minutes and get the cert than to always have to bother about the automation.

2 Likes

As far as I know it's one of the goals of LE, not a means to another end.
And configs can be backed up, you know :stuck_out_tongue: No way I'm reinstalling servers from scratch… Then again, I'm not an IT professional :smile:

1 Like

Well, it's not just the config, but you also have to install all the software etc. And IMO the MAIN goal is spreading HTTPS, and even if the cert time is a year it doesn't hurt the automation, especially since automation is just secondary, and overly enforcing it, as some people already said, will get in the way of the main goal.

2 Likes

I don't think it's overstating things to say that if you don't want to use some sort of client-based automated solution to obtain and renew your certificates, Letsencrypt just isn't designed for you. After all, automation is their second "key principle" out of six listed on https://letsencrypt.org/about/:

If you prefer to manually obtain and install your certificates, nothing stops you from doing that, but your goals aren't really consistent with what Letsencrypt states as their goals, and thus you'll likely be happier with a different CA.

2 Likes

As I said, even 1-year certs don't stop automation.

I'd rather have the problem that there is no client yet for my config, and always using my raspi in manual mode and verification using those files is a major PITA. If the manual verification would have just the account key and not some random value, then I could use the same file for all my domains and subdomains and get it over with, but when the automation sucks (which is in fact yet a fact) then hell no.

Automation is nice, but get it working first.

Also, manually getting a cert is usually a bit easier, especially if you have a nice GUI client (like xca) which helps you with the CSR.

You then just log in, upload the CSR, verify your domain if you haven't done it before (subdomains don't need extra verifying) and finish.

3 Likes

Nothing stops you from adding some code to GitHub - certbot/certbot: Certbot is EFF's tool to obtain certs from Let's Encrypt and (optionally) auto-enable HTTPS on your server. It can also act as a client for any other CA that uses the ACME protocol. :wink: Then again, it's beta and all for now..

My god! You're actually proposing a GUI? And here I thought the ncurses UI from the official client was overkill :stuck_out_tongue: But I don't think the manual plugin is going to be a "goal" for the LE team..

1 Like

I am not saying a GUI for the client.

I just use a GUI to make CSRs, and xca is a complete cert/key management software, so not just a GUI.

Because making SAN CSRs is quite annoying in the CLI.

Yeah, manual might not be the goal, but with Windows + XAMPP I have no other choice. All Win clients are for ISS or whatever it was called.

1 Like

The SAN is easy… My difficulty always was getting the SANs from the CSR into the issued certificate if I tried to sign a certificate with a self-signed "root" certificate of my own… :slightly_smiling: But we're getting quite off-topic now :stuck_out_tongue:

I agree that automation isn't working with the official Let's Encrypt client at the moment without getting everything into a cronjob or something and building all kinds of scripts for checking on your own. So that's not working at all IMHO.

1 Like

Even if it's easy, it's annoying to type, and you can't really Ctrl+X/C/V in a CLI, which makes it even MORE annoying.

And that's the point when you try to enforce automation: make it work first.

I think it’s more important to make the whole internet encrypted than to automate it which should be treated aside from that.

And as I said more than often enough, an (optional, maybe even non-default) one-year cert doesn't stop you from automating it.

2 Likes

You're glossing over the details of the automation "key principle" though. "can interact with Let's Encrypt to painlessly obtain a certificate". Sure it can, in some limited cases. Furthermore, in the end, most automation turns out to be far from "painless". It breaks and has to be fixed, monitored, taken into account with upgrades, etc. The list is long.

2 Likes

Nonetheless, their goal is that issuance and renewal be automated. If that isn’t working properly, that’s a valid criticism of the client software (though there are lots of clients to choose from if the official one doesn’t suit you). But complaining that their issuance policy makes it harder to deal with manual issuance/installation just seems kind of pointless–they aren’t interested, as far as I can see, in dealing with a manual process. They won’t stop you (they do have a manual mode in the official client, after all), but they won’t go out of their way to make it easy for you either.

At least, that’s my observation/interpretation.

2 Likes

None of which is mutually exclusive of permitting longer cert lifetimes. The automation does not care about how long the cert lifetime is. It will work just as well/poorly with 90-day as 365-day and will aid some of their other goals like widespread HTTPS.

As for complaining, it is the appropriate thing to do when a vendor does not meet one's needs. The vendor will then either accommodate or not. But it is appropriate to complain, debate, discuss, etc. Many do not like the policy and want them to change it.

2 Likes

No, of course automation doesn’t prevent longer lifetimes–you could run automated renewal every year, or two years, just as well as every week. That isn’t the point. The point is that a complaint being raised is that the lifetime makes it inconvenient to get certs manually. The project seems to be saying, in effect, that they don’t care about any inconvenience in getting the certs manually, as that wasn’t their goal to begin with.

@My1 seems to believe the project should place more emphasis on supporting manual issuance. Well and good–there’s no doubt a reasonable argument to be made on that front, but it’s an orthogonal issue. And it seems it’s one which would need to be established before the project is going to pay much attention to concerns about difficulty with manual issuance.

1 Like

Well, if LE wouldn't make it actually HARDER to manually issue certs it would be nice. With StartSSL it is pretty easy, especially since you don't have to verify each and every subdomain.

1 Like

To me, the issue is more about this: if Let’s Encrypt’s ultimate audience is EVERYONE (since its stated goal is to encrypt the web) then the issue isn’t about the number of days to renew but rather about having such a dead stupid simple underlying system that anyone’s mom could easily encrypt their blog and never have to do anything or think about it again.

It’s unimaginable to me that the everyday person, who likely has at most a vague interest in computers and more likely has a “tech support” friend or family member doing tech stuff for them, will ever do more than run Let’s Encrypt’s setup once and expect it to work forever without ever knowing anything about how often it’s updating.

Move that up a level, to someone who's a bit more tech-minded and maybe set up a VPN on their router or runs ownCloud instead of Dropbox or has a media server (Plex, Emby, etc.); would this person run through the hassle of rebooting their router every 3 months (for the VPN certificate update) or be willing to risk running into server access problems when they just want to watch a TV show they recorded? I doubt it. Or, rather, the second they ran into a problem would be the second that Let's Encrypt was uninstalled and either a self-signed certificate was put up or no certificate at all.

So to me the question isn’t about 90 days or a year or a lifetime but rather about who Let’s Encrypt’s target audience is, what part of the web it wants to encrypt, and what sort of user it imagines doing that encryption, i.e. is it for mom? for casual hobbyist techie brother? Or only for people comfortably in the IT world?

I think the answer to that question will ultimately dictate the answer to the question of how often the certificates need to be updated and in what manner.

1 Like

Their target audience is “system administrators” not “EVERYONE”. Just because someone is writing a blog does not mean they are doing the system administration.

So no it does not need to be “such a dead stupid simple underlying system that anyone’s mom could easily encrypt their blog and never have to do anything or think about it again.”

2 Likes