RE: upcoming-changes-to-let-s-encrypt-certificates

Hi [mcpherrinm]

The email above mentions - "If you’re requesting certificates from our tlsserver or shortlived profiles, you’ll begin to see certificates which come from the Generation Y hierarchy this week. This switch will also mark the opt-in general availability of short-lived certificates from Let’s Encrypt, including support for IP Addresses on certificates."

We are planning to switch to "tlsserver" profile temporarily to evaluate if there is any impact with the new changes to end TLS client authentication.

Can you help confirm if we switch to "tlsserver" profile now, would that change the certificate lifetime to 45 days beginning this week?

In another blog post it looks like the certificate lifetime is planned to be updated in May 2026 for "tlsserver" profile? - "May 13, 2026: Let’s Encrypt will switch our tlsserver ACME profile to issue 45-day certificates. This profile is opt-in and can be used by early adopters and for testing."

Two changes are happening this week:

  1. Issuance is switching to Generation Y for both the tlsserver and shortlived profiles.
  2. The shortlived profile is becoming generally-available.

The timeline for shortening lifetimes is in the blog post, and are not happening this week.

5 Likes

@mcpherrinm When you say "this week" what date&time is planned for the changes exactly? (the business week is almost over…)

There is still wednesday, thursday and friday, 60% of usual business days per week.

If you had posted on thursday, i would agree

2 Likes

Let's Encrypt typically deploys to production on Thursdays, although other days aren't uncommon either. They generally do not publish exact times as that depends, but looking at historic data from my release monitor it's usually scattered around 1800Z. More invasive changes like this may be deployed outside the usual software upgrades, though, and could have a totally different timing.

5 Likes

In which dimension is that the case?

3 Likes

3 posts were split to a new topic: Traefik renewal for shortlived cert did not work

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.