jart 16 hours ago

Let me guess, next year they become mandatory.

Next thing you know, they'll find a way to require that your web server link their dynamic shared object.

Then another year later you'll need a Let's Encrypt kernel module too.

  • nadermx 14 hours ago

    If you're so against free SSLs with an option for shorter half life you could use a paid alternative? Not sure I understand your gripe with a free service.

    • dambi0 7 hours ago

      By half-life do you mean the point at which you decide to renew the certificate prior to its actual expiry? Couldn’t you as a matter of policy decide to do this at, say, 45 days, even with a cert that lasts for a year? If so, then the change to 99 day expiry isn’t giving you any more options or flexibility, it’s actually removing it.

    • sentientslug 14 hours ago

      Free services are not immune to valid criticism, although I do think they are going a bit too far.

      • bravetraveler 13 hours ago

        +1

        "We really want to make sure you have automation, so certificate lifetimes have been reduced to 36 seconds; accounting for RTT and, in our generosity, time for a single timeout/retry" /s

        Let it be my problem, please. I'll even use certbot or whatever is in fashion, just find another knob to turn [or don't].

  • nickf 7 hours ago

    Probably 47 days mandatory maximum, hopefully by 2029.

snailmailman 14 hours ago

90 days has always seemed unnecessarily long to me. I have definitely spun up short-lived pages on subdomains that end up getting a cert that outlives the site itself.

I am concerned at how the cert transparency logs will handle this. That’s going to be a lot of certs getting logged globally if everyone switches to shorter lifetimes.