by Analemma_ 37 days ago
Only if you’re reissuing right before expiration, which is a stupid thing to do. If you have a 47-day cert, best practice is to reissue on day 30, meaning LE would need to be down for more than two weeks before anything went wrong.

If this outage breaks your system, that’s entirely on you, not Let’s Encrypt.


Short-lived = 6 days. Even if you reissue after 2 or 3 days, that's… not a lot of breathing room.
You have to opt in, and they are honest about the tradeoffs when discussing them:

> Short-lived certificates are opt-in and we have no plan to make them the default at this time. Subscribers that have fully automated their renewal process should be able to switch to short-lived certificates easily if they wish, but we understand that not everyone is in that position and generally comfortable with this significantly shorter lifetime. We hope that over time everyone moves to automated solutions and we can demonstrate that short-lived certificates work well.

https://letsencrypt.org/2026/01/15/6day-and-ip-general-avail...

That's not really an answer, especially with:

> We hope that over time everyone moves to automated solutions and we can demonstrate that short-lived certificates work well.

They're expressly trying to show that this is a viable approach. It's actually kinda good that this outage, whatever it is, is happening now, as it's giving them a chance to demonstrate (or not) that they can deliver.

> no plan to make them the default at this time

At this time! Boil the frog slowly...

Is the frog the guy that still won't automate their certificates?
Mine are automated. Somehow it reminds me of prayer wheels though...
Forcing certificates to expire in less than a year means people don't forget how to update them, which is a big benefit.

And once people automate, short-lived certificates are a workable plan B for how to revoke certificates and have the revocation actually work.

These are both reasonable goals.

3-4 days is a ton of breathing room
You're holding your 6-day cert wrong
Chill, it's 2 hours. They recommend renewing at the first third of the 160 hrs.
Thought that was the iPhone 6
Only as long as LE isn’t down for 17 days, then we’re in big trouble.