Re: Question about letsencrypt certs
On Wed, Jun 11, 2025 at 5:08 AM Y Peng <hi@ypeng.info> wrote:
>
> We have a Debian server that can connect to the internet in the test
> environment. We installed a free Let's Encrypt SSL certificate while
> connected to the internet. However, after deploying this server to the
> production environment, it is subject to strict network isolation and
> cannot access the internet. Will the Let's Encrypt certificate remain
> valid for a long time if it cannot access the internet?
The "valid for a long time" part is a sharp edge. It is expected to
change from 2 years to 6 days. The 6-day certificates are called
"short-lived", and are intended to help with revocation, keep CRLs
small and make it easier to recover from a compromise. See
<https://letsencrypt.org/2025/01/16/6-day-and-ip-certs/> and
<https://letsencrypt.org/2025/02/20/first-short-lived-cert-issued/>.
There are related problems with short-lived certificates. Mainly, the
current implementation of the ACME protocol on all the major distros
breaks key continuity schemes. Key Continuity turned out to be a
better security property than gratuitous Key Rotation, but the lessons
got lost on the web folks.
Jeff
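Added illustration (not part of the thread above, and not Let's Encrypt or
certbot code): the two things the reply turns on are that a certificate's
remaining life is fixed by its NotAfter at issuance, independent of whether
the server can reach the internet later, and that a renewal which generates a
fresh key changes the SubjectPublicKeyInfo fingerprint that key-continuity
schemes compare. The Go program below uses only the standard library; it
issues a constructed self-signed certificate standing in for an ACME one
(hostname example.test and the 2025-06-11 issue date are assumed), compares a
6-day and a 90-day lifetime over time, and checks whether a renewal kept the
key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// IssueCert builds a self-signed certificate with the given key and lifetime.
// It is a constructed stand-in for an ACME-issued certificate: the fields a
// client checks (NotBefore, NotAfter, the public key) behave the same way.
func IssueCert(key *ecdsa.PrivateKey, notBefore time.Time, lifetime time.Duration) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.test"}, // assumed hostname
		DNSNames:     []string{"example.test"},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// DaysRemaining returns how many days of the validity window are left at now.
// Negative means expired. Nothing here depends on network access: a TLS
// client only compares its own clock with NotAfter.
func DaysRemaining(cert *x509.Certificate, now time.Time) float64 {
	return cert.NotAfter.Sub(now).Hours() / 24
}

// SPKIFingerprint is SHA-256 over the DER SubjectPublicKeyInfo, the value that
// key pinning and other key-continuity schemes compare across renewals.
func SPKIFingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// KeyContinuityKept reports whether a renewal reused the previous public key.
func KeyContinuityKept(old, renewed *x509.Certificate) bool {
	return SPKIFingerprint(old) == SPKIFingerprint(renewed)
}

func main() {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	issued := time.Date(2025, 6, 11, 0, 0, 0, 0, time.UTC) // constructed issue date
	short, _ := IssueCert(key, issued, 6*24*time.Hour)
	classic, _ := IssueCert(key, issued, 90*24*time.Hour)

	// An isolated server keeps serving the certificate it was deployed with;
	// how long that remains valid was decided at issuance.
	for _, day := range []int{1, 5, 7, 60, 91} {
		now := issued.AddDate(0, 0, day)
		fmt.Printf("day %3d: 6-day cert %+6.1f days left, 90-day cert %+6.1f days left\n",
			day, DaysRemaining(short, now), DaysRemaining(classic, now))
	}

	// Renewal with the same key keeps the pin; a freshly generated key breaks it.
	sameKey, _ := IssueCert(key, issued.AddDate(0, 0, 4), 6*24*time.Hour)
	newKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rotated, _ := IssueCert(newKey, issued.AddDate(0, 0, 4), 6*24*time.Hour)
	fmt.Println("renewed with reused key, continuity kept:", KeyContinuityKept(short, sameKey))
	fmt.Println("renewed with new key, continuity kept:   ", KeyContinuityKept(short, rotated))
}
```

Run it with `go run main.go`. The same SPKI comparison works on real
certificates loaded with x509.ParseCertificate from the PEM on disk, which is
how to verify whether a renewal on a given host rotated the key; certbot, for
one, only keeps the key across renewals when invoked with --reuse-key.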