Let’s Encrypt will be reducing the validity period of the certificates we issue. We currently issue certificates valid for 90 days, which will be cut in half to 45 days by 2028. This change is being made along with the rest of the industry, as required by the CA/Browser Forum Baseline Requirements, which set the technical requirements that we must follow. All publicly-trusted Certificate Authorities like Let’s Encrypt will be making similar changes. Reducing how long certificates are valid for helps improve the security of the internet, by limiting the scope of compromise, and making certificate revocation technologies more efficient.

cross-posted from: https://piefed.social/c/selfhosted/p/1529215/decreasing-certificate-lifetimes-to-45-days

Let’s Encrypt will be reducing the validity period of the certificates we issue. We currently issue certificates valid for 90 days, which will be cut in half to 45 days by 2028.

This change is being made along with the rest of the industry, as required by the CA/Browser Forum Baseline Requirements, which set the technical requirements that we must follow. All publicly-trusted Certificate Authorities like Let’s Encrypt will be making similar changes. Reducing how long certificates are valid for helps improve the security of the internet, by limiting the scope of compromise, and making certificate revocation technologies more efficient.

  • El Weoñ Isekai
    1·
    1 day ago

    No me manejo mucho con estos temas pero en Chile venden algún certificado similar que sea permanente o dure mas tiempo? Por que el .pem que me entrega Certbot tengo que convertirlo a .jks para un sistema que lo necesita :S

    • veniasilenteEnglish
      2·
      12 hours ago

      Si generas tu propio certificado puedes ponerle que dure 99999 días. Pero en estos días renovar un certificado en LE es completamente autónomo (siempre que tu reserva de dominio y tu correo estén funcionando bien), así que no tiene sentido ya trabajar con certificados autofirmados a menos que necesites generar certificados en un sistema completamente aislado de internet.

    • Fean DoeA
      2·
      12 hours ago

      En el caso del https, puedes renovarlo automáticamente con nginx o con certbot y nunca tendrás que preocuparte o feddit se caería a cada rato

      No sé si habrán lugares que te den por más días, pero antiguamente los certificados eran caros y con let’s encrypt ya son gratis. Ya veo que en un futuro hacen que las renovaciones automáticas sean con alguna suscripción 😭

    • vsisOP
      1·
      12 hours ago

      Ningún certificado TLS es permanente, pero algunos duran años. Depende del proveedor.

      Certbot tiene post-hooks donde puedes correr scripts arbitrarios. Ahí puedes hacer cosas como convertir el certificado nuevo automágicamente

        --post-hook POST_HOOK
                        Command to be run in a shell after attempting to
                        obtain/renew certificates. Unless --disable-hook-
                        validation is used, the command’s first word must be
                        the absolute pathname of an executable or one found
                        via the PATH environment variable. Can be used to
                        deploy renewed certificates, or to restart any servers
                        that were stopped by --pre-hook. This is only run if
                        an attempt was made to obtain/renew a certificate. If
                        multiple renewed certificates have identical post-
                        hooks, only one will be run. (default: None)