"This change is being made along with the rest of the industry, as required by the CA/Brow...

jakeogh • today at 6:30 AM • 3 replies • view on HN

"This change is being made along with the rest of the industry, as required by the CA/Browser Forum Baseline Requirements, which set the technical requirements that we must follow."

I dont follow. Why? Why not an hour? A ssl failure is a very effective way to shut down a site.

"you should verify that your automation is compatible with certificates that have shorter validity periods.

To ensure your ACME client renews on time, we recommend using ACME Renewal Information (ARI). ARI is a feature we’ve introduced to help clients know when they need to renew their certificates. Consult your ACME client’s documentation on how to enable ARI, as it differs from client to client. If you are a client developer, check out this integration guide."

Oh that sounds wonderful. So every small site that took the LE bait needs expensive help to stay online.

Do they track and publish the sites they take down?

Replies

Semaphor • today at 7:00 AM

LE bait. Wow.

To your actual content, unless you did something weird and special snowflake like, everything will just keep working with this.

charcircuit • today at 7:00 AM

They've been slowly moving the time lower and lower. It will go lower than 45 days in the future, but the reason why we don't go immediately to 1 hour is that it would be too much of a shock.

>So every small site that took the LE bait needs expensive help to stay online.

It's all automated. They don't need help to stay online.

➕ show 2 replies

imtringued • today at 9:40 AM

>Oh that sounds wonderful. So every small site that took the LE bait needs expensive help to stay online.

I agree with the terminology "bait", because the defaults advocated by letsencrypt are horrible. Look at this guide [0].

They strongly push you towards the HTTP-01 challenge which is the one that requires the most amount of infrastructure (http webserver + certbot) and is the hardest to setup. The best challenge type in that list is TLS-ALPN-01 which they dissuade you from! "This challenge is not suitable for most people."

And yet when you look at the ACME Client for JVM frameworks like Micronaut [1], the default is TLS and its the simplest to set up (no DNS access or external webserver). Crazy.

[0] https://letsencrypt.org/docs/challenge-types/

[1] https://micronaut-projects.github.io/micronaut-acme/5.5.0/gu...

➕ show 1 reply

alt Hacker News

Replies