Renewing with slow DNS

Just want to share my experience. Can't hold it in myself :slight_smile:
I'm very new to SSL, so I've started from sslforfree.com, which is based on letsencrypt.org.
I just wanted to set up https for my website.

So, after several clicks it turned out that my hosting provider does not support creating folders with dots via FTP.
For example: ".well-known" gets a write error, but "well-known" (without the first dot) is OK. No way.
So I can't pass either automatic or manual domain verification at sslforfree.com.

OK, let's try the last method - via DNS verification.
I've managed to set the required TXT fields. But the TTL is 4 hours by default and, surprisingly, cannot be changed.
O-O-OK... let's wait. After 4 hours of waiting (www = "wait, wait & wait"?..) I've got my SSL certificate finally!

But wait again… the last screen says: “SSL Certificates expire after 90 days”.
So, is there some way to not wait 4 hours again every 3 months?..

Please increase certificate lifetimes!
Security considerations are well known, as I see in this thread. SSL certificates for 1, 2, etc. years have been commonly used for ages (in the world) and are a must-have for letsencrypt.org, I hope :slight_smile:

Hi @fastboy! Thanks for sharing your story. That does indeed sound like a very frustrating experience.

> But the TTL is 4 hours by default and cannot be changed surprisingly.

If the TTL is 4 hours, that won't actually be a problem, because Let's Encrypt's DNS resolver sets a max TTL of 5 minutes. So it won't be using a cached version of the TXT record. But maybe your DNS provider only pushes out new records every 4 hours (which is a subtly different issue).

I have a couple of recommendations there: First, you can probably switch DNS providers independently of your web host, to one which pushes changes more rapidly. For instance, Amazon Route53 costs $6/year, and pushes updates within a minute or two. There's also a nice Certbot plugin that integrates with it: GitHub - lifeonmarspt/certbot-route53: Let's Encrypt authenticator for route53.

Second, you will probably find this easier if you automate it somewhat. Instead of using sslforfree.com, which is a very manual process, download Certbot and use it to issue a certificate with the DNS challenge. Then you can upload the resulting certificate to your hosting provider. You can even set up a cron job on your local machine to run Certbot every 60 days, so all you have to do is the upload.

Lastly, the very best experience will result from your hosting provider implementing built-in ACME support. Have you asked them about that?

Thanks,
Jacob
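As an added example (not part of either post, and not Let's Encrypt or Certbot code): a POSIX shell script that checks the point made above about provider push delay. It asks each authoritative nameserver of the zone directly, bypassing any caching resolver, whether the `_acme-challenge` TXT record already carries the validation token, so you only ask the CA to validate once every server actually serves it. The zone, record name and token are placeholders you supply on the command line.

```shell
#!/bin/sh
# Added example: confirm a DNS-01 validation TXT record is visible at every
# authoritative nameserver before triggering validation. Requires `dig`.

# txt_present TOKEN: read `dig +short TXT` output on stdin and succeed if one
# of the returned strings equals TOKEN exactly (dig prints each string quoted).
txt_present() {
    expected="$1"
    sed 's/^"//; s/"$//' | grep -qxF -- "$expected"
}

# authoritative_ns ZONE: print the zone's NS names (trailing dots are fine for dig).
authoritative_ns() {
    dig +short NS "$1"
}

# wait_for_txt ZONE NAME TOKEN [MAX_TRIES]: poll every authoritative server,
# sleeping 5 minutes between rounds, until all of them return TOKEN.
# Default of 48 tries covers the 4-hour push window described in the thread.
wait_for_txt() {
    zone="$1"; name="$2"; token="$3"; max_tries="${4:-48}"
    try=0
    while [ "$try" -lt "$max_tries" ]; do
        all_ok=1
        for ns in $(authoritative_ns "$zone"); do
            if dig +short @"$ns" TXT "$name" | txt_present "$token"; then
                echo "ok    $ns serves $name"
            else
                echo "wait  $ns does not yet serve $name with the expected token"
                all_ok=0
            fi
        done
        [ "$all_ok" -eq 1 ] && return 0
        try=$((try + 1))
        sleep 300
    done
    echo "gave up after $max_tries rounds" >&2
    return 1
}

# Usage: ./check-acme-txt.sh example.com _acme-challenge.example.com TOKEN
if [ "$#" -eq 3 ]; then
    wait_for_txt "$1" "$2" "$3"
fi
```

Once it returns success, click "verify" on sslforfree.com (or let Certbot proceed); the 5-minute resolver cap mentioned above means the CA will then see the fresh record.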

