Six day and IP address certificate options in 2025

188 points by SGran 2 days ago | 147 comments

rickette 2 days ago

Kinda funny to call the current 90 day certs "long lived". When Let's Encrypt started out more than 10 years ago most certs from major vendors had a 1 year life span. Let's Encrypt was (one of) the first to use drastically shorter life spans, hence all the ACME automation effort.

ryandrake 2 days ago

To someone like me with hobby-level serving needs, the 90 day certificate life is pretty inconvenient, despite having automation set up. I run a tiny VPS that hosts basic household stuff like e-mail and a few tiny web sites for people, and letsencrypt/certbot automation around certificate renewal is the only thing that I seem to need to regularly babysit and log in to manually run/fix. Everything else just hums along, but I know it's been 90 days because I suddenly can't connect to my E-mail or one of the web virtual hosts went down again. And sure enough, I just need to run certbot renew manually or restart lighttpd or whatever.

outworlder 2 days ago

> To someone like me with hobby-level serving needs, the 90 day certificate life is pretty inconvenient

It's only inconvenient because it isn't properly automated. That's by design.

When this can be an acme.sh script cron job, there isn't much of an excuse. Even my Raspberry Pi dedicated to my 3D printer is happily renewing certificates.

At least with this thing breaking every 90 days you have it fresh on your mind. One year away you may not even remember what you have to do.

Needless to say, you have a bug to fix.

theoreticalmal 1 day ago

What does your 3D printer Pi serve such that it needs a cert? Do you have ports 80 and 443 open and forwarded to it?

sanswork 16 hours ago

I run certs on all my internal services so I don't have to deal with "this isn't secure" errors in the browser when working on things.

jeroenhd 2 days ago

Let's Encrypt doesn't work great when the Let's Encrypt client software has a bug or is misconfigured (one of those is true for your situation).

I think keeping the validity long just removes incentives for people to bother fixing their setups. We've seen the shift from "Craig needs to spend a few days on certificate renewal every year" to full automation in most environments when the 90 day validity period was introduced, and shortening it to a week will only help further automation.

You'll always have the option to skip the hassle (for a small fee, unless a Let's Encrypt competitor joins the market), but I feel the benefits outweigh the downsides.

I personally would've preferred something like DANE working, but because the best we've got is DNSSEC and most of the internet doesn't even bother implementing that, I doubt we'll ever see that replace the current CA system.

raxxor 23 hours ago

I cannot say that this works as flawlessly as some would advertise, with just a script running every 90 days. Some services do not load certificates while running and must be restarted. That alone can be a hassle.

Some software now uses short lived certificates and even with decent configurations, there is an elevated level of problems specifically because of certificates. Especially in networks that use a lot of segmentation with very restricted network traffic.

I think a short lifetime can be a security benefit, but it should not become a dogma. It should be employed where it really makes sense but as a general rule inconvenient describes it quite well.

patrakov 19 hours ago

It is not just a script running every 90 days. It's also monitoring that the script didn't break, cron didn't break (you know, cron sometimes breaks after the PAM package update), your account didn't get banned, and that your domain name is not affected by a mass revocation.

atomicnumber3 15 hours ago

Are you... not monitoring those things otherwise?

jeroenhd 20 hours ago

> with just a script running every 90 days

FWIW you should run most ACME clients more often than that, just in case there's a performance issue or bug at Let's Encrypt's side. The tooling won't replace your certificates unless they're almost expiring anyway. Certbot's instructions will have you set up a cron job that runs twice a day.

> Some services do not load certificates while running and must be restarted

This is exactly the kind of software that needs fixing. Luckily for the critical, nine nines uptime cases where 5 seconds of downtime for the web server restarting is unacceptable, there are services that will sell you certificates valid for a full year or even longer.

I doubt year long certificates are going away soon. We're already years off Let's Encrypt ending their 90 days offering, for sure. The convenience factor isn't going away, at some point it'll just cost a bit more.

arielcostas 1 day ago

There are other "open" CAs that can be used for free. For example, Google Public CA, Buypass and ZeroSSL, which all support the ACME protocol though you need an account there to get EAB credentials, that then are configured in Certbot or whatever you use.

hulitu 17 hours ago

> I think keeping the validity long just removes incentives for people to bother fixing their setups.

The best certificates should expire after 20ms. /s

tasuki 2 days ago

> To someone like me with hobby-level serving needs, the 90 day certificate life is pretty inconvenient, despite having automation set up.

I also have hobby-level serving needs. I've been using LetsEncrypt since whenever it was they started. I have two top level domains and a whole lot of subdomains.

I've never had to babysit certificate renewal, nor had to log in manually to fix anything. Not once. How come?

5d41402abc4b 1 day ago

If your server is not accessible from the internet you need to use DNS-based authentication, for which you need to have a DNS API key lying around on your server, which is a significant risk.

erincandescent 21 hours ago

Put the ACME challenges in their own DNS zones. Grant the key permission to only that zone. Risk mitigated.
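One way to set up that delegation, as an added example rather than anything from the thread: the production zone carries a static CNAME pointing each _acme-challenge name into a separate zone that holds nothing but challenge records, and the DNS API token on the renewal host is scoped to that zone only. The names (example.com, acme-challenges.example.net) are constructed; Let's Encrypt follows the CNAME when validating dns-01.

```zone
; Added example with constructed names. Production zone: example.com
; One static CNAME per hostname that needs a certificate. It is set once and
; never rewritten by the renewal host, so that host needs no access here.
_acme-challenge.www.example.com.   IN  CNAME  www.example.com.acme-challenges.example.net.
_acme-challenge.mail.example.com.  IN  CNAME  mail.example.com.acme-challenges.example.net.

; Delegated zone: acme-challenges.example.net
; The only zone the renewal host's DNS API token may write. During dns-01 the
; client publishes the challenge value here; the CA resolves
; _acme-challenge.www.example.com, follows the CNAME and reads this TXT record.
www.example.com.acme-challenges.example.net.   IN  TXT  "<challenge-value-placeholder>"
mail.example.com.acme-challenges.example.net.  IN  TXT  "<challenge-value-placeholder>"
```

A leaked token scoped this way cannot touch the A, MX or other records in example.com; what it can still do is complete dns-01 challenges for the delegated names, so the token still deserves the same monitoring as any other credential that can obtain certificates.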

crtasm 20 hours ago

Is this possible on Porkbun?

ryandrake 21 hours ago

Weird. It's always been flaky for me, so I thought it was just the usual run-of-the-mill crappy software and that everyone just deals with it. I can't imagine what the bug might be in a 6 line shell script that just runs certbot and then restarts a bunch of services.

MaKey 2 days ago

> [...] despite having automation set up.

Clearly it's not working correctly, so a longer certificate lifetime wouldn't address the root cause - you would just have to fix your setup less often.

duskwuff 2 days ago

When Let's Encrypt got started in 2014, CAs could issue certificates valid for up to five years - and many did. The CA/Browser Forum has slowly been ratcheting that down.

tialaramex 2 days ago

That (five year certs) was technically true, but the CA/B BRs already told you that was going away in 2015 when Let's Encrypt was started. I don't know how many were still actually selling such a product by the point Let's Encrypt is on the scene.

I think the drop-dead date for this product was like April 2015 or so. The ideal customer for a product like this (lazy and also incompetent but with plenty of money) is also likely to leave it too late. I won't guarantee we'd have caught that, but unlike forbidden steps taken to avert a bigger mess of one's own making (as happened for SHA-1 deprecation, some notable financial outfits secured certs which should not have existed, to cover for the fact they hadn't properly managed their own technical risks) this seems like a product category thing, nobody was openly selling certs that would just break in Chrome, that's a bad product.

[Why would such certificates break in Chrome? Google hate these long lived certs so Chrome treats certificates which have validity exceeding what the BRs authorise as immediately invalid, if you want to moan to Google about why your prohibited certs don't work you're basically admitting you violated your agreement with them so it's like showing up to claim your stolen rucksack full of cocaine from the cops...]

KronisLV 1 day ago

> Let's Encrypt was (one of) the first to use drastically shorter life spans, hence all the ACME automation effort.

Surely there are tradeoffs in having to rotate the certs that often, right? Notably, considerable load on their infrastructure. I get that urging people to automate their renewals makes sense (though I've also heard people unironically saying: "I want it to be a manual process, so I know how it works instead of relying on some black box"), but it seems that shorter and shorter cert lifetimes might put more strain on a service that nigh everyone seems to just be using for free.

Edit: at least there are a lot of prominent companies here https://letsencrypt.org/sponsors/

raihansaputra 1 day ago

I just looked into OCSP and their planned sunsetting of their OCSP server, and it seems like they'd much rather scale this as their core activity than provide/maintain/scale other stuff like the OCSP service.

apitman 2 days ago

IP certs improve a niche but interesting use case for me. I run a domain registrar that implements a simple OAuth2 protocol[0] for delegating domains/subdomains. I also have an open source tunneling tool called boringproxy that implements the client side of this protocol[1].

boringproxy needs to provide a callback redirect_uri to the oauth server in order to retrieve its token, which it can then use for setting DNS records. However, it can't provide an HTTPS endpoint until it can set up those DNS records and get a cert. Chicken/egg. Currently the spec requires the server to implement a `GET /temp-domain` endpoint which creates a DNS record like 157-245-231-242.example.com which points at the client's IP. This lets boringproxy bootstrap a secure OAuth2 callback endpoint.

IP certs would remove an entire step from this process.

[0]: https://github.com/takingnames/namedrop-protocol-spec

[1]: This is actually broken in boringproxy at the moment, but there's a demo video here: https://www.youtube.com/watch?v=9hf72-fYTts

captn3m0 2 days ago

I remember being surprised when Cloudflare launched https://1.1.1.1 with a valid cert and I immediately wanted one, but couldn’t find an easy way to get one.

I am gonna try to run a DoH resolver on this and see how it goes.

prdonahue 2 days ago

This was a fun conversation.

I remember calling Clint and Jeremy at DigiCert and asking: "hey we have this cool IP address—what are the odds you guys can issue a certificate for it?"

I'm not sure if they had to dust off some code or process to do it, but they got it done really quickly once the demonstration of control was handled.

DonHopkins 2 days ago

The coolest, easiest to remember IP address I ever used was mimsy.cs.umd.edu: 128.8.128.8

yegle 2 days ago

For others who don't know how certificate for IP addresses relates to a DNS-over-HTTPS server: https://blog.cloudflare.com/announcing-ddr-support/

snailmailman 1 day ago

I’m really glad they have a page on that IP. I use it decently often for “is the problem DNS?” troubleshooting.

Because if zero pages load, but that one does, the issue is DNS.

Ping is easy too of course, but I can ask people to type four ones with periods between into their search bar over the phone. No command line required.

ray_v 2 days ago

This feels like a disaster waiting to happen -- like what happens if (when?) Let's Encrypt suffers a significant outage and sites can't refresh certificates? Do we just tolerate a significant portion of the Internet being down or broken due to expired certificates? And for what tradeoff? A very small amount of extra security? Is this because certificate revocation is a harder problem to solve / implement at Internet scale?

Arnavion 1 day ago

I agree. Anecdotally, the last time LE had an outage that prevented my cert from renewing, it took about 4.5 days from when I reported the issue to them to when they started looking and provided a workaround. Since this was a 90-day cert it still had 30 days left on it, so I wasn't worried. If it had been a 6-day cert and only had 2 days left on it, I would've had to go to red alert and switch to another CA ASAP.

https://community.letsencrypt.org/t/post-to-new-order-url-fa...

If they do start providing 6-day certs I hope their turnaround on issue reports is faster than that (and ideally have something better for reporting issues than a community forum where you have to suffer clueless morons spamming your thread).

mholt 2 days ago

Fortunately, most ACME clients, including my own, support other CAs as fallbacks. (Caddy's ACME stack falls back to ZeroSSL by default, automatically.)

That, and extended week-long outages are extremely unlikely.

deathanatos 2 days ago

> That, and extended week-long outages are extremely unlikely.

You only need the outage to last for the window of [begin renewal attempts, expiration], not the entire 6d lifetime.

For example, with the 90d certs, I think cert-manager defaults to renewal at 30d out. Let's assume the same grace, of ~33% of the total life, for the 6d certs: that means renew at 2d out. So if an outage persisted for 2d, those certs would be at risk of expiring.
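The renewal-window arithmetic above, carried through as an added example (not code from the thread, cert-manager or any ACME client): a small model of what share of a fleet expires during a CA outage, under the stated assumption that every client starts renewing a fixed number of days before expiry and retries until the CA answers. Function names and the "phases spread evenly across the fleet" assumption are my own.

```python
"""Constructed model (added example): share of a fleet's certificates that
expire during a CA outage, given the lifetime and how early clients renew.

Assumptions: each client starts renewing once `renew_before` days of validity
remain and retries until it succeeds; renewal phases are spread evenly across
the fleet. Then, at any instant, a random cert's remaining validity is uniform
over (renew_before, lifetime]. All values are in days.
"""


def _check_window(lifetime: float, renew_before: float) -> None:
    if not 0 <= renew_before < lifetime:
        raise ValueError("renew window must be non-negative and shorter than the lifetime")


def at_risk_fraction(lifetime: float, renew_before: float, outage: float) -> float:
    """Fraction of certificates whose validity runs out before the CA is back."""
    _check_window(lifetime, renew_before)
    if outage < 0:
        raise ValueError("outage length must be non-negative")
    # Time between two successful renewals; remaining validity cycles over this span.
    cycle = lifetime - renew_before
    # Certs with remaining validity in (renew_before, outage] expire during the outage.
    expired_span = min(outage, lifetime) - renew_before
    return max(0.0, expired_span) / cycle


def longest_survivable_outage(lifetime: float, renew_before: float) -> float:
    """Longest outage during which no correctly configured client expires:
    exactly the renewal headroom, regardless of the lifetime itself."""
    _check_window(lifetime, renew_before)
    return renew_before


def scaled_renew_before(lifetime: float, fraction: float = 1 / 3) -> float:
    """Headroom when the same share of the lifetime is reserved for renewal
    (the thread's ~33% rule: 30 of 90 days becomes 2 of 6 days)."""
    return lifetime * fraction


if __name__ == "__main__":
    for lifetime in (90, 6):
        headroom = scaled_renew_before(lifetime)
        for outage in (2, 3, 4.5):
            share = at_risk_fraction(lifetime, headroom, outage)
            print(f"{lifetime:>2}d cert, renew {headroom:g}d out, "
                  f"{outage}d outage: {share:.0%} of certs expire")
```

With the same 33% headroom, a 2 day outage costs nothing at either lifetime, but a 3 day outage already expires a quarter of the 6 day fleet while the 90 day fleet is untouched, which is why the headroom in days, not the lifetime ratio, is what an outage budget should be set against.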

mholt 2 days ago

True, but it doesn't matter since competent clients should be falling back to other CAs anyway.

bmicraft 2 days ago

Sounds like a surefire way to DDoS the next CA in line (and then all the others), since supposedly they wouldn't be prepared for that kind of traffic since Let's Encrypt is currently the default choice almost everywhere.

mkj 1 day ago

I suspect ZeroSSL might have capacity problems if the entire userbase of Let's Encrypt moved to them in a few days. Let's Encrypt are talking about 100 million certs/day in future?

cyberax 2 days ago

Plenty of clients don't have that option. E.g.: Synology NAS, Mikrotik routers.

arianvanp 2 days ago

A 7 day outage seems rather unlikely no?

pilif 2 days ago

On average, half of the certs would expire in half the time. A 3.5 day sustained DDoS attack would cause half of the sites using a 6 day certificate to be offline.

zzyzxd 2 days ago

I am not saying 6 days is long enough, but if your automation always waits until the last minute to renew certs, you may have more issues to worry about than the CA's availability. If I am going to use a cert with a 6 day lifetime I will be renewing it at least once a day.

ncruces 2 days ago

Yeah, that conflicts with their rate limits, which I hope they'll revise under this scheme.

https://letsencrypt.org/docs/rate-limits/

For the "exact same set of hostnames" (a.k.a. renewals) the rate limit is 5 certificates every 7 days.

So you could do it every other day, if you can make sure there's only one client doing it.

And they're very clear this is a global limit: creating multiple accounts doesn't subvert it.

So you'll need to manage this centrally, if you have multiple hosts sharing a hostname.

Cerium 1 day ago

If you have multiple hosts the set should not be the same, no? From the linked page the comparison is a set comparison: one host at hosta.example.com and one host at hostb.example.com each with their own cert bot won't conflict.

ncruces 17 hours ago

You never host the same website on two servers?

pilif 2 hours ago

The servers could share the private key and certificate though