[ray_v]

This feels like a disaster waiting to happen -- like what happens if (when?) Let's Encrypt suffers a significant outage and sites can't refresh certificates? Do we just tolerate a significant portion of the Internet being down or broken due to expired certificates? And for what tradeoff? A very small amount of extra security? Is this because certificate revocation is a harder problem to solve / implement at Internet scale?

[Arnavion]

I agree. Anecdotally, the last time LE had an outage that prevented my cert from renewing, it took about ~4.5 days from when I reported the issue to them to when they started looking and provided a workaround. Since this was a 90-day cert it still had 30 days left on it, so I wasn't worried. If it had been a 6-day cert and only had 2 days left on it, I would've had to go to red alert and switch to another CA ASAP.

https://community.letsencrypt.org/t/post-to-new-order-url-fa...

If they do start providing 6-day certs I hope their turnaround on issue reports is faster than that (and ideally have something better for reporting issues than a community forum where you have to suffer clueless morons spamming your thread).

[mholt]

Fortunately, most ACME clients, including my own, support other CAs as fallbacks. (Caddy's ACME stack falls back to ZeroSSL by default, automatically.)

That, and extended week-long outages are extremely unlikely.

[deathanatos]

> That, and extended week-long outages are extremely unlikely.

You only need the outage to last for the window of [begin renewal attempts, expiration], not the entire 6d lifetime.

For example, with the 90d certs, I think cert-manager defaults to renewal at 30d out. Let's assume the same grace, of ~33% of the total life, for the 6d certs: that means renew at 2d out. So if an outage persisted for 2d, those certs would be at risk of expiring.

[mholt]

True, but it doesn't matter since competent clients should be falling back to other CAs anyway.

[bmicraft]

Sounds likes a surefire way to DDOS the next CA in line (and then all the others), since supposedly they wouldn't be prepared for that kind of traffic since LetsEncrypt is currently the default choice almost everywhere.

[mkj]

I suspect ZeroSSL might have capacity problems if the entire userbase of letencrypt moved to them in a few days. Letsencrypt are talking about 100 million certs/day in future?

[cyberax]

Plenty of clients don't have that option. E.g.: Synology NAS, Mikrotik routers.

[arianvanp]

A 7 day outage seems rather unlikely no?

[pilif]

In average half of the certs would expire in half of the time. A 3.5 days sustained DDoS attack would cause half of the sites using a 6 day certificate to be offline.

[zzyzxd]

I am not saying 6 days is long enough, but if your automation always wait until the last minute to renew certs, you may have more issues to worry about than the CA's availability. If I am going to use a cert with 6 days lifetime I will be renewing it at least once a day.

[ncruces]

Yeah, that conflicts with their rate limits, which I hope they'll revise under this scheme.

https://letsencrypt.org/docs/rate-limits/

For the “exact same set of hostnames” (aka. renewals) the rate limit is 5 certificates every 7 days.

So you could do it every other day, if you can make sure there's only one client doing it.

And they're very clear this is a global limit: creating multiple accounts doesn't subvert it.

So you'll need to manage this centrally, if you have multiple hosts sharing a hostname.

[Cerium]

If you have multiple hosts the set should not be the same, no? From the linked page the comparison is a set comparison: one host at hosta.example.com and one host at hostb.example.com each with their own cert bot won't conflict.

[ncruces]

You never host the same website on two servers?