[Suggestion] 93-day certificate lifetime


#1

Well, 90-day certificate lifetime is actually good. But what would be the difference between 90-day and 93-day?

With 93 days, a certificate issued on the 1st of month M would be guaranteed not to expire before the 1st of month M+3. Renewal automation could be simplified to a bash script that runs on the 1st of months M, M+3, M+6 and M+9.

Monitoring of certificate expiration would be dead simple.


#2

Personally I wouldn’t want to leave it until only a couple of days before expiry before renewing. My renewal script runs every day (as you can with “certbot renew” or most other clients). By default they will try to renew when there are less than 30 days left on any certificate. I haven’t actually had a renewal fail yet (in over 10 months), but I’d like it to warn me and keep trying for the next 30 days rather than just try once, fail, and leave me with a problem.


#3

This is generally something you want to avoid. If everyone were to renew on the first of each month, Let’s Encrypt would need to handle the majority of their monthly load on a single day (and get effectively DDoS’d at midnight) rather than spreading it throughout the month. Renewing 60 days after the last issuance (as done by certbot) avoids those peaks. Bonus points for adding a random delay to the cronjob so that not everyone attempts to renew at midnight UTC. :smile:
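An added example (not from any poster in this thread) that puts the two policies discussed above side by side: the expiry check behind a daily "renew when fewer than 30 days remain" run, parsing the `notAfter=` line that `openssl x509 -noout -enddate` prints, and a small load simulation contrasting "everyone renews on the 1st" with "renew 60 days after issuance". The sample date, the one-cert-per-hour issuance stream and the 30-day month are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: what `openssl x509 -noout -enddate -in cert.pem` prints.
SAMPLE_ENDDATE = "notAfter=Sep 18 10:22:31 2016 GMT"


def parse_not_after(line):
    """Parse an openssl '-enddate' line into an aware UTC datetime."""
    value = line.split("=", 1)[1].strip()
    # %d also accepts openssl's space-padded day ("Sep  8").
    return datetime.strptime(value, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


def days_remaining(not_after, now):
    """Fractional days until not_after; negative once the cert has expired."""
    return (not_after - now) / timedelta(days=1)


def renewal_due(not_after, now, threshold_days=30):
    """Daily-cron policy from post #2: renew once fewer than 30 days remain,
    which keeps retrying every day until the renewal finally succeeds."""
    return days_remaining(not_after, now) < threshold_days


# Load simulation for post #3: one constructed cert issued every hour for 90 days.
ISSUE_DAYS = [hour / 24 for hour in range(90 * 24)]
MONTH = 30  # simplification: every month is 30 days long


def first_of_quarter_policy(issue_day):
    """Post #1: every cert issued in month M renews on the 1st of month M+3."""
    return (int(issue_day) // MONTH + 3) * MONTH


def sixty_days_policy(issue_day):
    """Post #3 / certbot default: renew 60 days after issuance (30 days left)."""
    return int(issue_day + 60)


def peak_daily_load(issue_days, policy):
    """Largest number of renewals that any single day receives under a policy."""
    counts = {}
    for day in issue_days:
        renew_day = policy(day)
        counts[renew_day] = counts.get(renew_day, 0) + 1
    return max(counts.values())
```

With the constructed stream, the first-of-month policy piles a whole month of issuance (720 certs) onto one day, while renewing 60 days after issuance keeps the CA's load at the 24 per day it was issued at.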


#4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.