Hacker News new | ask | show | jobs
by jaas 3 days ago
> That explains why one of my IoT vendors is using an expired certificate.

I don't think so. There was a dip in success rates for 90 minutes today, but nobody should be renewing their certificate within 90 minutes of expiration. If you're at that point, something went wrong weeks ago.
2 comments
mannyv 3 days ago
"nobody should be renewing their certificate within 90 minutes of expiration"

You obviously haven't worked with hardware guys.

"I mean, what's the point of those last 30 days if you need to renew it 30 days before expiration? Why not just renew it before it expires? If I'm required to renew it 30 days before the expiration date then the expiration date is a lie, isn't it?"

link
ozim 3 days ago
If they make 7 days grace period then expiration date will be a lie and of course every one will use grace period like it would be normal thing ;)
link
NewJazz 3 days ago
Roulette grace period, keep them on their toes.
link
selcuka 3 days ago
> If I'm required to renew it 30 days before the expiration date then the expiration date is a lie, isn't it?

Many countries won't let you enter if your passport expires less than 6 months after your planned departure date. Basically the effective validity of a passport is 0.5 years less than the period you pay for.

link
LtWorf 3 days ago
> weeks ago

How long do you think a certificate lives?

link
jaas 3 days ago
Mostly 90 days, and we recommend renewing at 60 days for 90 day certs. That gives more than four weeks of leeway.

If you're one of the few early adopters of short-lived (6-day) certs you should renew at 3 days, giving you 3 days for a successful renewal. A 90 minute outage, even if it was a full outage, would not interfere with a successful renewal.

link
selcuka 3 days ago
> If you're one of the few early adopters of short-lived (6-day) certs you should renew at 3 days

Apparently certificates are becoming OCSP-only with a TTL.

link
nottorp 3 days ago
How's the push for 48 hour certificates going?
link
bebop 3 days ago
90 days moving to 45 but you can and should renew earlier than that. Automating this process means that you should be request a new certificates roughly 60 days (or 30 soon) after the issuance of the previous certificate. That way you would have plenty of time to deal with renewal issues. The process for renewal should have back off and retries built in. This prevents a situation where a down time for the issuer means that your production environments are non-functional.
link
Biganon 3 days ago
They work at letsencrypt, I'm pretty sure they know.
link