undefined | Better HN

0 pointsfoepys5y ago0 comments

> domain xyz's certificate is expiring

That's why it's so important not to wait until the end of the 90 day expiration period but to renew it every other week or so.

0 comments

hmaxwell5y ago

is that Let's Encrypt's default behavior?

Symbiote5y ago

The default is to renew when less than 30 days remain, and to check that every day or every week.

nickjj5y ago

And you get the extra benefit of being emailed[0] a few times beforehand if the certificate fails to renew as long you register your account with an email address.

[0]: https://letsencrypt.org/docs/expiration-emails/

tutfbhuf5y ago

Seems like a sane default to me.

2 more replies

tialaramex5y ago

Let's Encrypt is a Certificate Authority, so, it doesn't have any "default behaviour" in respect of renewals, from the CA's point of view "renewing" is just a new issuance that happens to be for an identical subject. Let's Encrypt's rate limiting policies do actually care about that ("Duplicate Certificate Limit" five per week for each subject) but it can't put in place any particular policy about when you must or will renew.

CAs which charge for issuance often have a policy which implies an earliest sensible renewal date, because they will "carry over" remaining time on the previous certificate. There is a practical limit to that, (for example today your "one year" certificate from such a CA can only have up to 398 days until it expires, so renewing two months early won't make sense) because of the Baseline Requirements and/or trust store policies.

But if you're doing client development for ACME, the protocol Let's Encrypt implements for issuance, then yes, they'd tell you that they advise you to begin trying to renew with 30 days left. The EFF's Certbot tool, which a long time ago was just named "letsencrypt" implements this policy as do many other stand alone ACME clients.

j / k navigate · click thread line to collapse