← Back to context

Comment by iso1631

2 months ago

If LE goes down for a week you can't deploy new certs, but your existing ones will work, as you renew them a few weeks before expiry anyway

That also gives you enough time to change to get your certs from elsewhere

As you mention zerossl exista, and I think google GCM will give you free certs too.

Globalsign has an ACME interface for paying customers, although I'm told it has issues (you have to rotate keys manually every X days / N certificates)

2 comments

iso1631

Reply
DaSHacka  2 months ago

> If LE goes down for a week you can't deploy new certs, but your existing ones will work, as you renew them a few weeks before expiry anyway

Assuming certificate expiration times remain over 7 days per certificate.

  • iso1631  2 months ago

    There's no (current) plans to drop below 45 day certificates with an expected renewal with 2 weeks to go.

    I agree if cert lifetimes drop towards week long then it becomes problematic. A sensible thing at that point is to ensure you can issue certificates from different CAs on different underlying stacks, in the same way you use multiple DNS servers