by meltyness 382 days ago
My server got renewal halted. I rolled my own wrapper for certbot. Idk it's just a blog, I'm not that attached. It hit some rock a few months ago, I just retried and manually installed it, and it seems to have perked back up and continued receiving certs. Probably would have been more frustrating if it were a huge fleet but, it wasn't even worth my time to check logs and figure out what precisely happened (cert distributed with a modified that didn't match the ASN.1 expiry? transient issuance failure? issues the same cert? ...who knows.)

Were you running certbot multiple times per day?

Looking at the relevant limit, "Consecutive Authorization Failures per Hostname per Account"[0], it looks like there's no way to hit that specific limit if you only run once per day.

Ah, to think how many cronjobs are out there running certbot on * * * * *!

[0]: https://letsencrypt.org/docs/rate-limits/#consecutive-author...

Isn't that where we are going eventually? Certs only lasting a day?

That's a good point. I suspect as the renewal period is shortened, scripts will attempt renewal faster and faster.

I hope they don't go any shorter than a month. Let the user pick; any value up to a year should do.

Browsers are eventually going to deny any certificate after 47 days iirc.

They simultaneously want shorter certs but can't cope with the current load.

Nowhere in the blog post does it say they can't cope with the load, which is why the rate limits are so high. This is only about reducing wasted resources by blocking requests which are never going to succeed.

They definitely can't cope with the load at midnight, or at least couldn't back in 2022, and the fact that they mention midnight specifically in this post makes me assume they still can't. I say this because I had cert issuance fail for multiple days because of DB timeouts on their end from that: https://community.letsencrypt.org/t/post-to-new-order-url-fa...

Incidentally the fact that it took them 4 days to respond to that issue is why I'll be wary of getting 6-day certs for them. The only reason it wasn't a problem there was that it was a 30d cert and had plenty of time remaining, so I was in no rush. (Also ideally they'd have a better support channel than an open forum where an idiot "Community Leader" who doesn't know what he's talking about wastes your time, as happened in that thread.)

Why not just run your update outside rush hour though?

No, they will never get that short due to reliability issues. I could see getting down to maybe two weeks.

To make 24 hour valid certs practical you would need to generate them ahead of time and locally switch them out. This would be a lot more reliable if systems supported two certs with 50% overlapping validity periods at the same time.

Let’s Encrypt has already started issuing a limited number of 6-day certs and they will be generally available later this year.

(90 days will remain the default though)

Timezones are going to make that hilarious, probably go back to much longer certs. I like free so I put up with LE. The automated stuff only works on half my servers, the other half I either run without https or I manually install it. Except now I wait until the service stops working, spend 15 minutes debugging why, go to the domain in a browser and see the warning, and then go fix it. Why? LE decided sending 4 emails a year is too many. And let's be real, sending automated emails is expensive. I think AWS charges like $0.50 per email when you use their hosted email sender.

> I think AWS charges like $0.50 per email when you use their hosted email sender.

SES? Around $0.0001 per e-mail

Yes, it was facetious, I am jabbing at Let's Encrypt for ceasing email operations.
Assuming 47 day certs they would be saving 500k USD/year just from SES fees with that change.

For a free service, that's a whole lot of money.

By my memory, a cron runs a script that checks my cert file's last modified daily. When it is a certain number of days since (flavored Bash statements) the file last modified I'll certbot and install whatever comes back.

It's very under-engineered, maybe a trifold pamphlet on light A11 printed with a laser jet running out of ink.

I've probably spent more time talking about how much it sucks than I have bothered considering a proper solution, at this point.
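An added wrapper sketch (not meltyness's script and not certbot's own code) showing the two checks this thread circles around: reading the certificate's ASN.1 notAfter instead of the file's mtime, and backing off after a failed attempt so that a frequent cron job cannot keep retrying into the consecutive-failure limit. The certbot invocation, the state-file path and the thresholds are assumptions.

```python
"""Renewal wrapper sketch: renew only when the cert is close to expiry and
back off after a failure. Constructed example, not any project's real code."""
import subprocess
import sys
from datetime import datetime, timedelta, timezone
from pathlib import Path

RENEW_WITHIN_DAYS = 30          # matches certbot's default renewal window
MIN_RETRY_HOURS = 24            # never retry a failed run more often than daily
STATE_FILE = Path("/var/lib/renew-wrapper/last-failure")   # assumed path


def parse_not_after(line: str) -> datetime:
    """Parse 'notAfter=Jun 12 10:00:00 2025 GMT' as printed by
    `openssl x509 -noout -enddate`; this is the ASN.1 validity, not mtime."""
    value = line.strip().split("=", 1)[1]
    parsed = datetime.strptime(value, "%b %d %H:%M:%S %Y %Z")
    return parsed.replace(tzinfo=timezone.utc)


def days_until_expiry(not_after: datetime, now: datetime) -> float:
    return (not_after - now) / timedelta(days=1)


def should_attempt(days_left: float, last_failure, now: datetime) -> bool:
    """True only when renewal is due AND we are outside the back-off window.
    Repeated failed authorizations for the same hostname are what the
    'consecutive authorization failures' limit counts, so do not hammer."""
    if days_left > RENEW_WITHIN_DAYS:
        return False
    if last_failure is not None and now - last_failure < timedelta(hours=MIN_RETRY_HOURS):
        return False
    return True


def cert_not_after(cert_path: str) -> datetime:
    out = subprocess.run(["openssl", "x509", "-noout", "-enddate", "-in", cert_path],
                         check=True, capture_output=True, text=True).stdout
    return parse_not_after(out)


def main(cert_path: str, cert_name: str) -> int:
    now = datetime.now(timezone.utc)
    last_failure = (datetime.fromisoformat(STATE_FILE.read_text().strip())
                    if STATE_FILE.exists() else None)
    if not should_attempt(days_until_expiry(cert_not_after(cert_path), now), last_failure, now):
        return 0                                   # nothing to do on this run
    # Assumed invocation; installing the returned cert is left to the caller.
    rc = subprocess.run(["certbot", "renew", "--non-interactive", "--cert-name", cert_name]).returncode
    STATE_FILE.parent.mkdir(parents=True, exist_ok=True)
    if rc != 0:
        STATE_FILE.write_text(now.isoformat())     # record the failure for back-off
    else:
        STATE_FILE.unlink(missing_ok=True)
    return rc


if __name__ == "__main__":
    sys.exit(main(sys.argv[1], sys.argv[2]))
```

Run it from a daily cron entry; running it every minute is harmless because the expiry and back-off checks return before anything touches the CA.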

> I've probably spent more time talking about how much it sucks than I have bothered considering a proper solution, at this point.

I respect this. Reading someone else write this makes me feel more comfortable thinking about the things in my life I could be doing more to improve, which makes me respect this even more.