
These short certificate lifetimes make Let's Encrypt a central point of failure for much of the Internet. That's a concern. Failure may be technical or political, too.




There are other free ACME-based providers, so switching should be fairly painless if needed. (I guess if you've issued CAA records or similar, you may need some manual intervention.)

You can have more than one CAA record, so it should be possible to configure backup certificate authorities. It's probably a good idea to do that for important sites.
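As an added illustration of the point about multiple CAA records (this is example code, not something any commenter posted), the following Python evaluates a constructed CAA record set the way an issuing CA would under RFC 8659: walk up the name tree to the closest name that has CAA records, apply `issuewild` instead of `issue` for wildcard names, refuse on an unknown property marked critical, and otherwise allow issuance only to a listed issuer domain. The zone data, the `odd.example.com.` name and its `futuretag` property are constructed for the example; `letsencrypt.org` and `pki.goog` are the real CAA issuer domains of the two CAs named in the thread.

```python
from typing import Dict, List, NamedTuple, Optional, Set, Tuple


class CAA(NamedTuple):
    flags: int  # bit 7 (value 128) marks the property "issuer critical"
    tag: str    # issue, issuewild, iodef, ...
    value: str  # issuer domain name, optionally followed by ";param=value"


# Constructed zone data, not a real domain's records: two issuing CAs listed so a
# renewal can fail over from one to the other, wildcards disabled, one subdomain
# locked against all issuance, and one carrying an unknown critical property.
ZONE: Dict[str, List[CAA]] = {
    "example.com.": [
        CAA(0, "issue", "letsencrypt.org"),
        CAA(0, "issue", "pki.goog"),
        CAA(0, "issuewild", ";"),
        CAA(0, "iodef", "mailto:security@example.com"),
    ],
    "locked.example.com.": [CAA(0, "issue", ";")],
    "odd.example.com.": [CAA(128, "futuretag", "whatever")],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_rrset(fqdn: str, zone: Dict[str, List[CAA]]) -> Tuple[Optional[str], List[CAA]]:
    """RFC 8659 section 3: the relevant records are those of the closest
    enclosing name (the FQDN itself or an ancestor) that has any CAA records."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:]) + "."
        if zone.get(name):
            return name, zone[name]
    return None, []


def issuer_domain(value: str) -> str:
    """Strip any ';param=value' suffix; an empty result (';') means 'nobody'."""
    return value.split(";", 1)[0].strip().lower()


def _restrictions(fqdn: str, zone: Dict[str, List[CAA]]) -> Tuple[List[CAA], List[CAA]]:
    """Return (all relevant records, the issue/issuewild records that apply)."""
    wildcard = fqdn.startswith("*.")
    name = fqdn[2:] if wildcard else fqdn
    _, rrs = relevant_rrset(name, zone)
    tag = "issue"
    # issuewild only matters for wildcard names, and only if present at all;
    # otherwise wildcard requests fall back to the issue records.
    if wildcard and any(rr.tag.lower() == "issuewild" for rr in rrs):
        tag = "issuewild"
    return rrs, [rr for rr in rrs if rr.tag.lower() == tag]


def may_issue(fqdn: str, ca_domain: str, zone: Dict[str, List[CAA]]) -> bool:
    """Would a CA identified by ca_domain be permitted to issue for fqdn?"""
    rrs, restrictions = _restrictions(fqdn, zone)
    if not rrs:
        return True  # no CAA anywhere up the tree: unrestricted
    if any(rr.flags & 128 and rr.tag.lower() not in KNOWN_TAGS for rr in rrs):
        return False  # critical property we do not understand: must not issue
    if not restrictions:
        return True  # only non-restricting properties (e.g. iodef) present
    return any(issuer_domain(rr.value) == ca_domain.lower() for rr in restrictions)


def authorized_issuers(fqdn: str, zone: Dict[str, List[CAA]]) -> Optional[Set[str]]:
    """Issuer domains allowed for fqdn; None means unrestricted, empty set means none."""
    _, restrictions = _restrictions(fqdn, zone)
    if not restrictions:
        return None
    return {issuer_domain(rr.value) for rr in restrictions} - {""}


if __name__ == "__main__":
    for name in ("www.example.com.", "*.example.com.", "locked.example.com.", "other.org."):
        print(name, authorized_issuers(name, ZONE))
```

Listing a second issuer domain is the DNS side of keeping a backup CA; the ACME client still has to be pointed at the other CA's directory URL when switching, which is the manual step mentioned above.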

Name one, besides the NSA-run Cloudflare.

ACME https://guide.actalis.com/ssl/activation/acme

Google https://pki.goog/

SSL.com https://www.ssl.com/blogs/sslcom-supports-acme-protocol-ssl-...

ZeroSSL https://zerossl.com/documentation/acme/

I don't actually think Cloudflare runs an ACME Certificate Authority. They just partner with Let's Encrypt? Edit: Looks like they don't run any CA, they just delegate out to a bunch of others https://developers.cloudflare.com/ssl/reference/certificate-...


Those are just providers that support the ACME protocol, not free certificate providers.

Google and ZeroSSL both provide free certificates via ACME. The links posted above have more details.

Doesn't matter. This is a push by the CA/Browser Forum. Google, Mozilla, and all the CAs got together and said, "hey, what if we just made certificates shorter because we're too stupid to figure out a revocation mechanism that actually works other than expiration." They've tried this shit before, but saner heads prevailed. This time they did not.

Shorter lifetimes strongly push customers towards ACME and thus away from commercial CAs, so it's odd to suggest that CAs subverted this process.

Mozilla does have a revocation mechanism that actually works.

https://hacks.mozilla.org/2025/08/crlite-fast-private-and-co...


>Let's Encrypt a central point of failure

That's been true for a while, regardless of cert length.

Everyone leans on them, and unlike CF and other choke points of the internet... Let's Encrypt is a non-profit.


You say it like it's a bad thing. Do you donate to them? I do!

>Do you donate to them?

yes


This is not a Let's Encrypt policy. This is a global policy: https://www.digicert.com/blog/tls-certificate-lifetimes-will...

Can you explain how shorter certificate lifetimes make LE more of a single point of failure? I can squint and see an argument for CA diversity; I struggle to see how reducing certificate lifetimes increases CA centralization.

Shorter lifetimes mean more renewal events, which means more individual occasions on which LE (or whatever other cert authority) simply must be available before sites start falling off the internet for lack of the ability to renew in time.

We're not quite there yet, but the logical progression of shorter and shorter certificate lifetimes to obviate the problems related to revocation lists would suggest that we eventually end up in a place where the major ACME CAs join the list of heavily-centralized companies which are dependencies of "the internet", alongside AWS, Cloudflare, and friends. With cert lifetimes measured in years or months, the CA can have a bad day and as long as you didn't wait until the last possible minute to renew, you're unimpacted. With cert lifetimes trending towards days or less, now your CA really does need institutionally important levels of high availability.

It's less that LE becomes more of a single point of failure than that the concept of ACME CAs in general joins the list of critically available things required to keep a site online.


> would suggest that we eventually end up in a place where the major ACME CAs join the list of heavily-centralized companies which are dependencies of "the internet"

I think that particular ship sailed a decade ago!

> It's less that LE becomes more of a single point of failure than that the concept of ACME CAs in general joins the list of critically available things required to keep a site online.

Okay, this is what I wanted clarified. I don't disagree that CAs are critical infrastructure, and that there's latent risk whenever infrastructure becomes critical. I just think that risk is justified, and that LE in particular is no more or less of a SPOF with these policy changes.


If you renew 7 days before the cert ends, it would need to be down for an entire week in the worst case, so it's far less bad in general.

Hell, you can still set it to renew when the cert still has a month left.

I'm more worried that the clowns at the helm will push for something stupid like a week or 3 days, "coz it improves security in some theoretical case".


Because when they eventually get their wet dream of 7-day renewals, everyone relies upon them once a week. LE being down for 48 hours could take out a big chunk of the Internet.

Certificates have historically been "fire and forget", but constant re-issuance will make LE as important as DNS and web hosting.


FWIW, we're acutely aware of the operational risks of super short lifetimes and frequent renewals. That's why our `shortlived` profile is clearly documented as only being appropriate for orgs that have high operational maturity and an oncall rotation. We carry pagers too, and if LE goes down for 48 hours, we'll be desperately trying not to take out a huge chunk of the Internet.

The solution is to get rid of CAs entirely.

Yeah, I completely agree. I'm not sure what the solution is, but this ain't it.

More forget than fire.

The longer certificates were valid, the more often we'd have breakage due to admins forgetting renewal, or how to install the new certificates. It was a daily occurrence, often with hours or days of downtime.

Today, it's so rare I don't even remember when I last encountered an expired certificate. And I'm pretty sure it's not because of better observability...


Increasing the number of touchpoints dramatically increases the probability that the service will be unavailable and have a service impact.

Okay, but that isn't about being a single point of failure. That happens with this policy regardless of whether HTTPS is centralized around LE or not.

Oh for sure. This is stupid policy by an organization with no accountability to anyone, that represents the interests of parties with their own agendas.

I don't think it's that venal: the CABF holds CAs accountable, largely through the incentives of browsers (which in turn are the incentives of users, mediated by what Google, Microsoft, Apple, and Mozilla think is worth their time). That last mediation is perhaps not ideal, but it's also not a black hole of accountability.

I don’t think it’s venal, but the browser makers don’t represent the different constituencies that operate servers or end users in many capacities.

Agreed. We need a second source, preferably located in the EU. They could share operational code/protocols/etc., i.e. during peacetime they could collaborate.

The EU started building the Galileo GNSS ("GPS") in 2008 as a backup in case the US turned hostile. And now look where we are in 2025 with the US president openly talking about taking Greenland. Wise move. It seemed like a gigantic waste back then. It was really, really expensive.

Then lots of European countries ordered F35s from Lockheed Martin. What an own goal. This includes Denmark/Greenland.

But I digress...


Actalis is European, Italian to be more precise, owned by Aruba (whether that last thing is good or not can probably be discussed, though).

ZeroSSL is Austrian, however since I last looked at them it appears they were acquired by a US corporation.

> We need a second source, preferably located in the EU.

Absolutely. It feels like a matter of time before the current US administration will attempt to implement some authoritarian policy regarding certificates.


I'm seeing this hot take a lot but it doesn't make sense. Are people worried that LE is going to have a 45 day outage or something? ACME is an open standard with other implementations so I'm having trouble seeing the political central point of failure too.

It's okay for something to be a good thing and to celebrate it. We don't have to frown about everything.


Yeah, don't the ACME bot defaults have it trying to renew the cert when it has like 30% of its lifetime left? Which means the CA would have to be down for days/weeks for it to impact production.

Oh and you would definitely know about this outage because you would hear about it in your news, and the monitoring you already have set up to yell at you when your cert is about to retire (you already have that right? Right?). And you can STILL trivially switch to another CA that supports ACME.
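To put numbers on the renewal-lead-time argument running through this thread (renew with a month left versus 7-day certificates, and how long a CA outage a site can ride out), here is an added example in Python; it is not from any commenter or from Let's Encrypt. It assumes an ACME client run from a periodic job that renews whenever less than a configured amount of validity remains (certbot's defaults are to attempt twice a day and renew once fewer than 30 days remain), and models a CA outage as an interval during which every attempt fails. The 47-day lifetime is the one from the CA/Browser Forum schedule mentioned in the thread; the 7-day case is the hypothetical several commenters worry about.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class RenewalPolicy:
    lifetime_h: int         # validity of each issued certificate, in hours
    renew_when_left_h: int  # client starts renewing once this much validity remains
    cron_interval_h: int    # how often the renewal job runs (hours)


def renewal_attempts(p: RenewalPolicy) -> List[int]:
    """Hours after issuance (t=0) at which the client will try to renew,
    i.e. job runs that fall inside the renewal window before expiry."""
    return [t for t in range(0, p.lifetime_h, p.cron_interval_h)
            if p.lifetime_h - t <= p.renew_when_left_h]


def expires(p: RenewalPolicy, outage_start_h: int, outage_len_h: int) -> bool:
    """True if a CA outage over [start, start+len) swallows every renewal
    attempt, so the certificate issued at t=0 reaches expiry unrenewed."""
    end = outage_start_h + outage_len_h
    return all(outage_start_h <= t < end for t in renewal_attempts(p))


def max_tolerated_outage_h(p: RenewalPolicy) -> int:
    """Longest outage, starting at the worst moment (the first attempt in the
    window), that still leaves at least one attempt reachable: the span from
    the first to the last attempt in the renewal window."""
    attempts = renewal_attempts(p)
    if not attempts:
        return 0  # the policy never renews before expiry; any outage is fatal
    return attempts[-1] - attempts[0]


def describe(p: RenewalPolicy) -> str:
    """One-line summary in days for a table of policies."""
    return (f"{p.lifetime_h / 24:5.1f}-day cert, renew at {p.renew_when_left_h / 24:4.1f} days left, "
            f"job every {p.cron_interval_h:2d}h -> survives a CA outage of "
            f"{max_tolerated_outage_h(p) / 24:4.1f} days")


# certbot-style defaults for 90-day certs, then the same 1/3-of-lifetime rule
# applied to 47-day and 7-day certs, then a 7-day cert with an hourly job.
POLICIES = [
    RenewalPolicy(90 * 24, 30 * 24, 12),
    RenewalPolicy(47 * 24, 47 * 24 // 3, 12),
    RenewalPolicy(7 * 24, 7 * 24 // 3, 12),
    RenewalPolicy(7 * 24, 7 * 24 // 3, 1),
]

if __name__ == "__main__":
    for policy in POLICIES:
        print(describe(policy))
    p90 = POLICIES[0]
    print("90-day cert, 29.5-day outage at the worst moment expires it:", expires(p90, 1440, 708))
    print("90-day cert, 29.6-day outage at the worst moment expires it:", expires(p90, 1440, 709))
```

The outage a site can absorb is essentially the renewal lead time, not the certificate lifetime: a 90-day certificate renewed with 30 days left tolerates almost a month, a 47-day certificate on the same one-third rule about 15 days, and a 7-day certificate only a day and a half, with the job frequency shaving a little off each. Running the job more often recovers some of that margin for very short certificates, and the client should also be told about a second CA so that a long outage at one issuer is not fatal.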


No

There are other CAs with ACME support

Including paying CAs, if you really want to pay: Sectigo


Sectigo is also going to be forced into issuing short-lived certificates. This is a CA/Browser Forum decision that is binding on all member CAs.

They will, but Sectigo forcing faster renewal doesn't make Let's Encrypt into a central failure point. The central failure point was the worry above.

AWS still generates yearly certs.

In April 2026, they will generate certificates with a 200-day validity period.

But Sectigo does not care; they are just like Let's Encrypt (except you pay).

You can renew your Sectigo certificates with ACME, so from a technical point of view, just trigger your cron more often.


I am at the point of looking forward to it. The CA/B is so unhinged and so unaccountable and the appetite to fix it is so small, a broad scale collapse of the Internet caused by the CA/B's incompetence is looking like the only way to finally end their regime.

For this to be a problem LE would have to be broken for an entire month. And even then you'd have ample time to move to something else.

Here are the key takeaways as to why that's an issue


