
Comment by pilif

2 days ago

On average, half of the certs would expire in half of the time. A 3.5-day sustained DDoS attack would cause half of the sites using a 6-day certificate to be offline.

I am not saying 6 days is long enough, but if your automation always waits until the last minute to renew certs, you may have more issues to worry about than the CA's availability. If I am going to use a cert with a 6-day lifetime I will be renewing it at least once a day.

  • Yeah, that conflicts with their rate limits, which I hope they'll revise under this scheme.

    https://letsencrypt.org/docs/rate-limits/

    For the “exact same set of hostnames” (a.k.a. renewals) the rate limit is 5 certificates every 7 days.

    So you could do it every other day, if you can make sure there's only one client doing it.

    And they're very clear this is a global limit: creating multiple accounts doesn't subvert it.

    So you'll need to manage this centrally, if you have multiple hosts sharing a hostname.

    • If you have multiple hosts the set should not be the same, no? From the linked page the comparison is a set comparison: one host at hosta.example.com and one host at hostb.example.com each with their own cert bot won't conflict.

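As an added illustration, not code from this thread or from Let's Encrypt: a small hour-by-hour model of the trade-off the comments above discuss, between renewal cadence, the quoted limit of 5 certificates per 7 days for an identical hostname set (shared across all hosts requesting that set), and how long a CA outage a site survives. The 6-day lifetime, the cadences, the two-host scenario and the outage window are constructed inputs, and a failed attempt is simply retried at the next scheduled cycle, which simplifies real client retry behaviour.

```python
from collections import deque

def simulate_renewals(lifetime_h, renew_every_h, clients=1, limit_count=5,
                      limit_window_h=7 * 24, outage=None, horizon_h=30 * 24):
    """Hour-by-hour model of short-lived certificate renewal under a CA rate limit.

    Every client requests the exact same hostname set, so all issuances share one
    sliding-window counter (limit_count per limit_window_h), as the thread notes.
    `outage` is an optional (start, end) window, in hours, during which the CA
    cannot issue. A failed attempt is retried at the next scheduled cycle only
    (a simplification of real client retry behaviour). Returns a summary dict.
    """
    issued = deque([0])        # issuance timestamps shared by every client
    cert_expiry = lifetime_h   # constructed assumption: a fresh cert at t=0
    renewals = rejected = 0
    first_down_h = None
    for t in range(1, horizon_h + 1):
        if t % renew_every_h == 0:
            ca_up = outage is None or not (outage[0] <= t < outage[1])
            # forget issuances that have aged out of the sliding window
            while issued and t - issued[0] >= limit_window_h:
                issued.popleft()
            for _ in range(clients):
                if not ca_up:
                    break                # CA unreachable: this cycle's attempts fail
                if len(issued) >= limit_count:
                    rejected += 1        # rate-limited: no certificate issued
                    continue
                issued.append(t)
                renewals += 1
                cert_expiry = t + lifetime_h
        if first_down_h is None and t >= cert_expiry:
            first_down_h = t             # no valid certificate from this hour on
    return {"renewals": renewals, "rejected": rejected, "first_down_h": first_down_h}

if __name__ == "__main__":
    DAY = 24
    scenarios = {
        "6-day cert, renew every other day, one client":
            dict(lifetime_h=6 * DAY, renew_every_h=2 * DAY),
        "6-day cert, renew daily, one client":
            dict(lifetime_h=6 * DAY, renew_every_h=DAY),
        "6-day cert, renew daily, two uncoordinated hosts, same hostname set":
            dict(lifetime_h=6 * DAY, renew_every_h=DAY, clients=2),
        "6-day cert, renew every other day, 6-day CA outage starting at hour 49":
            dict(lifetime_h=6 * DAY, renew_every_h=2 * DAY, outage=(49, 49 + 6 * DAY)),
    }
    for name, kwargs in scenarios.items():
        print(f"{name}: {simulate_renewals(**kwargs)}")
```

Renewing every other day never hits the limit and still tolerates an outage of almost a full lifetime, while daily renewal (and especially two hosts doing it independently) is repeatedly rate-limited, which is the coordination point made above.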