LetsEncrypt Certificate Issuance Halted (opens in new tab)

(letsencrypt.status.io)

151 pointsPhreaker004y ago56 comments

56 comments

37 comments · 14 top-level

pulse74y ago· 13 in thread

I like Let's Encrypt's free certificates! But I don't like centralization where failure in a centralized service may render millions of websites inaccessible... It is somehow against the spirit of the "inter-net" where many independent networks and computers are connected and work even if some fail...

tlamponi4y ago

ACME is a standardized protocol (RFC8555) and there are more providers than Let's Encrypt, and you can switch transparently. That combined with the standard procedure of renewing a few weeks before the expiration date lets one handle even a total failure rather nicely.

Some other ACME providers I know of:

- ZeroSSL.com

- BuyPass.com

- SSL.com

(most of those provide free certs in some form, but some with limitations and may then ask for money if you want more features).

https://datatracker.ietf.org/doc/html/rfc8555

kouteiheika4y ago

> and you can switch transparently

> ZeroSSL.com

I kinda wish people would stop recommending them. This might have changed, but last time I tried ZeroSSL (~a year ago) it was not RFC 8555 compliant (specifically section 7.3.1), and you were basically supposed to use their own proprietary API to deal with the issue. So you can't always switch transparently.

If you need an alternative use Buypass. Also free, and they're actually RFC 8555 compliant.

3 more replies

pronoiac4y ago

Switching to ZeroSSL helped me when some clients failed to handle the root cert switchover did Let's Encrypt at, what, the end of September? The ZeroSSL root goes waaay back: https://help.zerossl.com/hc/en-us/articles/360058294074-Zero...

jraph4y ago

> you can switch transparently

Unless you use some sort of certificate (authority) pinning.

1 more reply

jayflux4y ago

Certs renew like a month before expiry if using the bot, so it would need to be down a long time before sites became inaccessible. (It was down for 20 mins)

There are also other services that offer this sort of thing, they’re just lesser known.

kenniskrag4y ago

That's why we renew our certs more than one day in advance.

ajsnigrutin4y ago

Some people renew them after someone calls them that the page is inaccessible...

...not naming names, but I can see one above the bathroom sink.

(yes yes, I know, I know...)

cblconfederate4y ago

I assume most people have a cron job to do that. The thing is, if it fails for a number of consecutive times then you won't be able to renew it for a period of time IIRC.

2 more replies

zinekeller4y ago

I mean it still doesn't fully solve the problem, but I've set-up mine so that it connects to both Let's Encrypt and ZeroSSL's certificate chain (with LE getting priority), and considering adding BuyPass into the mix. I know that this isn't the true solution (some proposed a DNS-based system of sending public certificates, which unfortunately can be intercepted if your zone cannot use DNSSEC because your TLD manager didn't bother them).

mschuster914y ago

> But I don't like centralization where failure in a centralized service may render millions of websites inaccessible

Clients are encouraged to renew their certificates a couple of days prior to expiration, precisely to make sure that in the case of a disruption there is still some buffer in time to prevent expired certs being served.

marcan_424y ago

Standard practice is to renew 30 days before expiry. This gives you plenty of time to deal with issues.

foepys4y ago

No problem, since ACME is an open protocol, you can use multiple providers at the same time.

I didn't use them but apparently ZeroSSL and SSL.com issue free certs as well.

the_mitsuhiko4y ago

If only there was a way to use a different CA on renewal!

sebiw4y ago· 3 in thread

This is why most Let's Encrypt clients start renewal some x days before certificate expiration. 'Sall good. ;-)

SahAssar4y ago

I think by default it is 30 days (at least for acme.sh), so you have renewal every two months and a month to fix any issues.

PikachuEXE4y ago

And I generally do it every month in case there are some unexpected issue.

1 more month for me to fix stuff (or wait for fix).

melgafin4y ago

acmed uses 3 weeks (28 days), seems reasonable as well.

2 more replies

geocrasher4y ago· 3 in thread

Lest anyone think that such issues only happen to free providers, check out Sectigo's status page:

https://sectigo.status.io/pages/history/5938a0dbef3e6af26b00...

For context, Sectigo also provides freebies for cPanel customers.

9dev4y ago

They have, like, an incidence every two days? That's utterly disturbing, does anyone actually pay them?

technion4y ago

For political reasons we buy a tonne of their certificates. It's not uncommon that I'll paste a CSR into the interface and just get a quality error like "Unhandled Exception", which basically tells me that they fixed it. Because back when it was Comodo I used to see full page stack traces.

Xylakant4y ago

The blue ones are planned maintenance and reading the contents indicates that it's mostly changes and fixes for the customer-facing UI. It may be a bit excessive to post all of these, but they certainly don't indicate any sort of problematic issue with their software.

wyrm4y ago· 2 in thread

... for less than half an hour.

cheeze4y ago

Spoke too soon? Looks like they halted again.

eloeffler4y ago

Looks like they continued again

1 more reply

ddtaylor4y ago· 1 in thread

I'm fine with the outage LetsEncrypt overall has been great and they should take their time fixing whatever is wrong.

can16358p4y ago

Yup. Great free service. Also this practically would only disrupt new registrations as there is more than enough time window for renewals anyway.

sam0x174y ago· 1 in thread

Things are under a lot of strain today. I noticed AWS lambda went down earlier today for 4 of my clients using completely unrelated stacks in different regions, but AWS status page was all green.

b0afc375b54y ago

Here's a series of comments discussing why status pages are unreliable:

https://news.ycombinator.com/item?id=25213817

Edit:

My main takeaway is that it goes against the human instinct of self preservation (losing one's job, opening the company to lawsuits, status pages being used against you by competitor, etc.)

zinekeller4y ago

I'll be honest, this is still better than some more 'professional' CA issuers which sometimes just stops for a whole day. I hope that day is spent on audits and not like because their update regime doesn't support on-the-fly (or virtually on-the-fly by having two or more signing machines) updates.

LeoPanthera4y ago

Already restarted, was unavailable for 29 minutes. At the time of writing, performance is degraded.

cpach4y ago

AFAICT users of Caddy would not have been affected since Caddy can fallback from one CA to another. Pretty clever!

https://caddyserver.com/docs/automatic-https#overview

ipiz06184y ago

Wow the title got me worried. Luckily it's an outage not a shutdown.

bennyp1014y ago

I guess this really only affects those wanting to get new certificates for new (sub)domains.

For renewals, this is not a problem unless it's down for an extended period of time - and even then there would be time to switch providers. Should be using scheduled updates, and even if not, the email notifications come in on 20 and 10 days, so plenty of time to go and get it renewed.

daniel-s4y ago

The halt happened twice, but only lasted ~25 mins each time. It was back running before the arrival of most of the people that will end up getting to this post.

ThalesX4y ago

I'll be honest, this title worried me a lot more than the Facebook is down one.

chrisMyzel4y ago

Anybody who's affected by this clearly is too late in renewing =)

j / k navigate · click thread line to collapse

56 comments

37 comments · 14 top-level

pulse74y ago· 13 in thread

tlamponi4y ago

Some other ACME providers I know of:

- ZeroSSL.com

- BuyPass.com

- SSL.com

(most of those provide free certs in some form, but some with limitations and may then ask for money if you want more features).

https://datatracker.ietf.org/doc/html/rfc8555

kouteiheika4y ago

> and you can switch transparently

> ZeroSSL.com

If you need an alternative use Buypass. Also free, and they're actually RFC 8555 compliant.

3 more replies

pronoiac4y ago

jraph4y ago

> you can switch transparently

Unless you use some sort of certificate (authority) pinning.

1 more reply

jayflux4y ago

Certs renew like a month before expiry if using the bot, so it would need to be down a long time before sites became inaccessible. (It was down for 20 mins)

There are also other services that offer this sort of thing, they’re just lesser known.

kenniskrag4y ago

That's why we renew our certs more than one day in advance.

ajsnigrutin4y ago

Some people renew them after someone calls them that the page is inaccessible...

...not naming names, but I can see one above the bathroom sink.

(yes yes, I know, I know...)

cblconfederate4y ago

I assume most people have a cron job to do that. The thing is, if it fails for a number of consecutive times then you won't be able to renew it for a period of time IIRC.

2 more replies

zinekeller4y ago

mschuster914y ago

> But I don't like centralization where failure in a centralized service may render millions of websites inaccessible

marcan_424y ago

Standard practice is to renew 30 days before expiry. This gives you plenty of time to deal with issues.

foepys4y ago

No problem, since ACME is an open protocol, you can use multiple providers at the same time.

I didn't use them but apparently ZeroSSL and SSL.com issue free certs as well.

the_mitsuhiko4y ago

If only there was a way to use a different CA on renewal!

sebiw4y ago· 3 in thread

This is why most Let's Encrypt clients start renewal some x days before certificate expiration. 'Sall good. ;-)

SahAssar4y ago

I think by default it is 30 days (at least for acme.sh), so you have renewal every two months and a month to fix any issues.

PikachuEXE4y ago

And I generally do it every month in case there are some unexpected issue.

1 more month for me to fix stuff (or wait for fix).

melgafin4y ago

acmed uses 3 weeks (28 days), seems reasonable as well.

2 more replies

geocrasher4y ago· 3 in thread

Lest anyone think that such issues only happen to free providers, check out Sectigo's status page:

https://sectigo.status.io/pages/history/5938a0dbef3e6af26b00...

For context, Sectigo also provides freebies for cPanel customers.

9dev4y ago

They have, like, an incidence every two days? That's utterly disturbing, does anyone actually pay them?

technion4y ago

Xylakant4y ago

wyrm4y ago· 2 in thread

... for less than half an hour.

cheeze4y ago

Spoke too soon? Looks like they halted again.

eloeffler4y ago

Looks like they continued again

1 more reply

ddtaylor4y ago· 1 in thread

I'm fine with the outage LetsEncrypt overall has been great and they should take their time fixing whatever is wrong.

can16358p4y ago

Yup. Great free service. Also this practically would only disrupt new registrations as there is more than enough time window for renewals anyway.

sam0x174y ago· 1 in thread

Things are under a lot of strain today. I noticed AWS lambda went down earlier today for 4 of my clients using completely unrelated stacks in different regions, but AWS status page was all green.

b0afc375b54y ago

Here's a series of comments discussing why status pages are unreliable:

https://news.ycombinator.com/item?id=25213817

Edit:

My main takeaway is that it goes against the human instinct of self preservation (losing one's job, opening the company to lawsuits, status pages being used against you by competitor, etc.)

zinekeller4y ago

LeoPanthera4y ago

Already restarted, was unavailable for 29 minutes. At the time of writing, performance is degraded.

cpach4y ago

AFAICT users of Caddy would not have been affected since Caddy can fallback from one CA to another. Pretty clever!

https://caddyserver.com/docs/automatic-https#overview

ipiz06184y ago

Wow the title got me worried. Luckily it's an outage not a shutdown.

bennyp1014y ago

I guess this really only affects those wanting to get new certificates for new (sub)domains.

daniel-s4y ago

The halt happened twice, but only lasted ~25 mins each time. It was back running before the arrival of most of the people that will end up getting to this post.

ThalesX4y ago

I'll be honest, this title worried me a lot more than the Facebook is down one.

chrisMyzel4y ago

Anybody who's affected by this clearly is too late in renewing =)

j / k navigate · click thread line to collapse