From: Lawrence D'Oliveiro <ldo@nz.invalid>
Newsgroups: comp.misc
Subject: Re: 6-day TLS certificates from Let's Encrypt
Date: Fri, 13 Dec 2024 03:02:31 -0000 (UTC)
Organization: A noiseless patient Spider
Message-ID: <vjg846$36h24$4@dont-email.me>
References: <877c85reae.fsf@example.com> <20241212.001223.a7feaecb@mixmin.net>
 <vjdanm$1potb$1@dont-email.me>
 <1810487515d7ada1$4727$2365644$4296dcc3@news.newsgroupdirect.com>
 <vjdujp$20g9u$2@dont-email.me>
 <18108e79d782ae50$8633$1734$4286dcd3@news.newsgroupdirect.com>
User-Agent: Pan/0.161 (Chasiv Yar; )

On Thu, 12 Dec 2024 22:28:30 +0000, Broseki wrote:

> On Dec 12, 2024 at 1:07:53 AM EST, "Lawrence D'Oliveiro"
> <ldo@nz.invalid> wrote:
>
>> When I started using Let’s Encrypt, I found the default setting for
>> Debian was to check for renewals twice a day. That shocked me a bit,
>> but I assume they knew what they were doing.
>
> That is an interesting point; I wonder how much load they are really
> seeing; the certs I have set to 2 days are all for corporate internal
> CAs using ACME not Let's Encrypt, my LE certs are still the default (30
> days now?).

All the certs I have any responsibility for are valid for 90 days.

> I also wonder if they have any sort of crypto acceleration
> going on in the backend to make what I assume to be massive amounts of
> requests flow smoothly.

I imagine that checking for the validity of a cert itself can be done using some less-security-sensitive database without resort to the HSM, so having to do it 180 times before a renewal is probably not considered excessive.