← Back to context

Comment by bflesch

1 day ago

This sounds like a very good thing, like a lot of stuff coming from letsencrypt.

But what risks are attached with such a short refresh?

Is there someone at the top of the certificate chain who can refuse to give out further certificates within the blink of an eye?

If yes, would this mean that within 6 days all affected certificates would expire, like a very big Denial of Service attack?

And after 6 days everybody goes back to using HTTP?

Maybe someone with more knowledge about certificate chains can explain it to me.

22 comments

bflesch

Reply
iso1631  1 day ago

With a 6 day lifetime you'd typically renew after 3 days. If Lets Encrypt is down or refuses to issue then you'd have to choose a different provider. Your browser trusts many different "top of the chain" providers.

With a 30 day cert with renewal 10-15 days in advance that gives you breathing room

Personally I think 3 days is far too short unless you have your automation pulling from two different suppliers.

  • bflesch  1 day ago

    Thank you, I missed the part with several "top of the chain" providers. So all of them would need to go down at the same time for things to really stop working.

    How many "top of chain" providers is letsencrypt using? Are they a single point of failure in that regard?

    I'd imagine that other "top of chain" providers want money for their certificates and that they might have a manual process which is slower than letsencrypt?

    • mholt  1 day ago

      LE has 2 primary production data centers: https://letsencrypt.status.io/

      But in general, one of the points of ACME is to eliminate dependence on a single provider, and prevent vendor lock-in. ACME clients should ideally support multiple ACME CAs.

      For example, Caddy defaults to both LE and ZeroSSL. Users can additionally configure other CAs like Google Trust Services.

      This document discusses several failure modes to consider: https://github.com/https-dev/docs/blob/master/acme-ops.md#if...

    • cpach  1 day ago

      “Are they a single point of failure in that regard?”

      It depends. If the ACME client is configured to only use Let’s Encrypt, then the answer is yes. But the client could fall-back to Google’s CA, ZeroSSL, etc. And then there is no single point of failure.

      18 replies →