by mysterydip 1928 days ago
"no one is buying our expensive SSL certs. If we show businesses how unreliable a free service is, CTOs will make their admins buy from us."

or

"domain xyz's certificate is expiring. If we pay for a DDoS, their site won't be able to renew and (customers won't go to the site due to the expired cert / APIs people use won't work / we can take advantage of a compromised cert longer)"

Just some possible but implausible scenarios.

3 comments

> domain xyz's certificate is expiring

That's why it's so important not to wait until the end of the 90 day expiration period but to renew it every other week or so.

is that Let's Encrypt's default behavior?

The default is to renew when less than 30 days remain, and to check that every day or every week.
And you get the extra benefit of being emailed[0] a few times beforehand if the certificate fails to renew, as long as you register your account with an email address.

[0]: https://letsencrypt.org/docs/expiration-emails/

Seems like a sane default to me.

Very much so. In my experience with nightly jobs in a corporate setting, the more often something happens, the more likely you are to catch an upstream dependency that breaks it.

The sooner you catch that breakage, the easier it is to get the resources (either from that team, or from your own team) to fix it. It’s a matter of “Oh we changed that API 2 months ago, everything is fine for us, all of our people have moved on to other tasks” versus “Oh our change broke you? We can revert it until we have a workaround”.

2 months, in most orgs, is enough time to figure something out before your entire business goes offline.

It seems unworkable for the majority of smaller sites who are increasingly forced to use letsencrypt.

Unless you want that automatic update tool on your server, which I find a bit sketchy.

If by "automatic update tool" you're referring to Certbot (the EFF's reference ACME client implementation), you don't have to use it. There are several dozen ACME clients, including some that are entirely shell scripts (such as Dehydrated).

> Unless you want that automatic update tool on your server, which I find a bit sketchy.

Where else would you put it? You could put an ACME client somewhere else but it still needs to connect to place the updated certs.

Why are they forced to use letsencrypt? Cloudflare gives me free SSL and I imagine AWS or GCE would also.

> It seems unworkable for the majority of smaller sites who are increasingly forced to use letsencrypt.

It's one line in a crontab, hardly an enterprise-level endeavour involving IBM consultants and a triple-redundant K8S cluster.

> Unless you want that automatic update tool on your server, which I find a bit sketchy.

It's no sketchier than using binaries from your distro's repo, or even the Linux kernel. I doubt you'd read either line by line to check for nefarious wrongdoing.

Let's Encrypt is a Certificate Authority, so it doesn't have any "default behaviour" in respect of renewals; from the CA's point of view, "renewing" is just a new issuance that happens to be for an identical subject. Let's Encrypt's rate limiting policies do actually care about that ("Duplicate Certificate Limit": five per week for each subject), but it can't put in place any particular policy about when you must or will renew.

CAs which charge for issuance often have a policy which implies an earliest sensible renewal date, because they will "carry over" remaining time on the previous certificate. There is a practical limit to that (for example, today your "one year" certificate from such a CA can only have up to 398 days until it expires, so renewing two months early won't make sense) because of the Baseline Requirements and/or trust store policies.

But if you're doing client development for ACME, the protocol Let's Encrypt implements for issuance, then yes, they'd tell you that they advise you to begin trying to renew with 30 days left. The EFF's Certbot tool, which a long time ago was just named "letsencrypt", implements this policy, as do many other stand-alone ACME clients.
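As an added illustration (not part of the thread, and not Certbot's or Let's Encrypt's code), here is the renewal decision an ACME client makes on each cron run, using the two numbers that come up in the comments above: start renewing when fewer than 30 days remain, and stay under the Duplicate Certificate Limit of five per week for the same subject. The `plan_renewal`, `simulate_daily_cron` and related names are invented for this example, and treating the limit as a seven-day sliding window is an assumption of the example rather than something the thread states. The simulation also shows why a daily check is harmless: a 90-day certificate renewed at the 30-day mark is reissued only every 61 days, while a misconfigured job that reissues every hour exhausts the limit within a day.

```python
"""Renewal-decision helper in the style of an ACME client's cron job.

Constructed example; not code from the thread, Certbot or Let's Encrypt.
"""
from datetime import datetime, timedelta, timezone

RENEW_WHEN_DAYS_LEFT = 30              # threshold named in the thread
DUPLICATE_LIMIT = 5                    # duplicate certs per week (from the thread)
DUPLICATE_WINDOW = timedelta(days=7)   # ASSUMED sliding window for this example


def parse_openssl_enddate(line):
    """Parse the 'notAfter=Jun  5 12:00:00 2025 GMT' line that
    `openssl x509 -noout -enddate` prints; returns an aware UTC datetime."""
    _, _, value = line.strip().partition("=")
    # strptime treats runs of whitespace in the format as \s+, so the
    # double space openssl emits before single-digit days is fine.
    parsed = datetime.strptime(value, "%b %d %H:%M:%S %Y %Z")
    return parsed.replace(tzinfo=timezone.utc)


def days_remaining(not_after, now):
    """Fractional days until expiry (negative once expired)."""
    return (not_after - now) / timedelta(days=1)


def should_renew(not_after, now, threshold_days=RENEW_WHEN_DAYS_LEFT):
    """Renew once fewer than `threshold_days` remain."""
    return days_remaining(not_after, now) < threshold_days


def issuances_in_window(issued_at, now):
    """Count prior issuances for this subject inside the sliding window."""
    return sum(1 for t in issued_at if now - DUPLICATE_WINDOW < t <= now)


def within_duplicate_limit(issued_at, now):
    """True while another issuance would still be under the limit."""
    return issuances_in_window(issued_at, now) < DUPLICATE_LIMIT


def plan_renewal(enddate_line, issued_at, now):
    """Decide what this cron run should do: 'skip', 'renew' or 'rate-limited'.

    `issued_at` is the client's own log of when it obtained certificates
    for this subject; an ACME client should keep one so it never blindly
    retries into the rate limit.
    """
    not_after = parse_openssl_enddate(enddate_line)
    if not should_renew(not_after, now):
        return "skip"
    if not within_duplicate_limit(issued_at, now):
        return "rate-limited"
    return "renew"


def simulate_daily_cron(days, lifetime_days=90, threshold_days=RENEW_WHEN_DAYS_LEFT):
    """Days (1-based) on which a once-a-day job renews, starting from a
    fresh `lifetime_days` certificate obtained on day 0."""
    renewals = []
    not_after = lifetime_days
    for day in range(1, days + 1):
        if not_after - day < threshold_days:
            renewals.append(day)
            not_after = day + lifetime_days
    return renewals


def simulate_hourly_retry(hours):
    """Hours (1-based) at which a broken job that reissues every hour gets a
    certificate before the duplicate limit closes the window on it."""
    start = datetime(2025, 6, 1, tzinfo=timezone.utc)   # constructed clock
    issued = []
    succeeded = []
    for hour in range(1, hours + 1):
        now = start + timedelta(hours=hour)
        if within_duplicate_limit(issued, now):
            issued.append(now)
            succeeded.append(hour)
    return succeeded


if __name__ == "__main__":
    now = datetime(2025, 6, 1, 12, 0, tzinfo=timezone.utc)            # constructed clock
    print(plan_renewal("notAfter=Jun 20 12:00:00 2025 GMT", [], now))  # renew
    print(plan_renewal("notAfter=Sep  1 12:00:00 2025 GMT", [], now))  # skip
    print("daily job renews on days:", simulate_daily_cron(365))
    print("hourly retry loop succeeds only at hours:", simulate_hourly_retry(48))
```

Run it as-is to see the three decisions; in a real deployment the `notAfter` line would come from the installed certificate and `issued_at` from the client's own issuance log, and the "rate-limited" branch is the one to alert on, since it usually means the new certificate is being obtained but never installed.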

> CTOs will make their admins buy from us

Or, those admins can switch to zerossl.com until the DDoS ends (you basically just need to change the domain in certbot).

Yielding the DDoS... wasted money.

Aren't OCSP servers affected too? That would cause issues for page visitors too.