| If it is very cumbersome to renew all certs every 90 days, it can't be a breeze to do it every 365 days either. It's a PITA, but at least it is spread out over 365 days. I am all for automation and have tried over multiple decades to get old / large companies to automate all the things. The devil is in the implementation details, however, and this may be a cart-before-the-horse situation. Missing foundational requirements are: - ACME endpoints at all or most of the cert providers - ACME test endpoints at all or most of the cert providers so people can test their shiny new automation ahead of time - Ability to register wildcards using those endpoints vs. DNS as is required today by the free cert providers Maybe the plus side is that this pushes all those companies onto the free providers, but then there is the issue of rate limits. Most of these companies will show up to LE as 1-10 IP addresses via outbound SNATs. LE will see this as a highly abusive user. The current API rate limits will need to be adjusted and the providers will need to ramp up their cert signing infrastructure. Has this been done? Without a clear path and the above issues addressed, I suspect what is actually going to happen is that big companies will keep using their existing certs and will just update their process around the certs that live on the internet-facing load balancers so that the browser is happy, meaning that perhaps 3% of their certs now follow a new process. |