Subject : Re: 6-day TLS certificates from Let's Encrypt
From : ldo (at) *nospam* nz.invalid (Lawrence D'Oliveiro)
Newsgroups : comp.misc
Date : 13. Dec 2024, 04:02:31
Organization : A noiseless patient Spider
Message-ID : <vjg846$36h24$4@dont-email.me>
References : 1 2 3 4 5 6
User-Agent : Pan/0.161 (Chasiv Yar; )

On Thu, 12 Dec 2024 22:28:30 +0000, Broseki wrote:

> On Dec 12, 2024 at 1:07:53 AM EST, "Lawrence D'Oliveiro"
> <ldo@nz.invalid> wrote:
>
>> When I started using Let’s Encrypt, I found the default setting for
>> Debian was to check for renewals twice a day. That shocked me a bit,
>> but I assume they knew what they were doing.
>
> That is an interesting point; I wonder how much load they are really
> seeing; the certs I have set to 2 days are all for corporate internal
> CAs using ACME not Let's Encrypt, my LE certs are still the default (30
> days now?).

All the certs I have any responsibility for are valid for 90 days.

> I also wonder if they have any sort of crypto acceleration
> going on in the backend to make what I assume to be massive amounts of
> requests flow smoothly.

I imagine that checking for the validity of a cert itself can be done
using some less-security-sensitive database without resort to the HSM, so
having to do it 180 times before a renewal is probably not considered
excessive.