undefined | Better HN

0 pointsmcherm1d ago0 comments

There is one little-discussed down side to ever shorter-lived certificates...

0 comments

Letsencrypt is not the only acme authority. ZeroSSL is the other popular one. There are others.

ZeroSSL offered for free 3 single name certificates. The next plan was $180 yearly.

Actalis offered unlimited single name certificates. Why are ZeroSSL more popular?

Google offered unlimited certificates with multiple names and wild cards. But they required a GCP account seemingly. It would require to give Google personal information, a phone number, and automatic payment permission. And Google not disable your account because your spouse uploaded images for your child's doctor.

All others I saw charged for each certificate.

dizhn15h ago

It's popular because Caddy uses it. I am not sure if it's default or just an option though.

devrand1d ago

If you're using ACME to handle certificate rotation, can't you just configure multiple providers?

pseudalopex1d ago

https://news.ycombinator.com/item?id=48071607

Analemma_1d ago

Only if you’re reissuing right before expiration, which is a stupid thing to do. If you have a 47-day cert, best practice is to reissue on day 30, meaning LE would need to be down for more than two weeks before anything went wrong.

If this outage breaks your system, that’s entirely on you, not Let’s Encrypt.

eqvinox1d ago

Short-lived = 6 days. Even if you reissue after 2 or 3 days, that's… not a lot of breathing room.

striking1d ago

You have to opt in, and they are honest about the tradeoffs when discussing them:

> Short-lived certificates are opt-in and we have no plan to make them the default at this time. Subscribers that have fully automated their renewal process should be able to switch to short-lived certificates easily if they wish, but we understand that not everyone is in that position and generally comfortable with this significantly shorter lifetime. We hope that over time everyone moves to automated solutions and we can demonstrate that short-lived certificates work well.

https://letsencrypt.org/2026/01/15/6day-and-ip-general-avail...

2 more replies

bakies1d ago

3-4 days is a ton of breathing room

rconti1d ago

You're holding your 6-day cert wrong

bakies1d ago

Chill, it's 2 hours. They recommend renewing at the first third of the 160 hrs.

cachius1d ago

Thought that was the iPhone 6

jameshart1d ago

Useful context: https://letsencrypt.org/2026/01/15/6day-and-ip-general-avail...