Just curious... has anyone so far decided to extend the 3-month certificate expiration deadline? I understand that for the intended use case it makes sense, but in some cases it's overkill, and having a CA support such a use case could be useful. There's nothing in the technology itself that prevents us from having certs that expire in, say, a year, right?

Let's Encrypt decided on 3 months to force users to automate and avoid the burden of too much user support. They are a non-profit after all.

I believe commercial CAs are offering free certificates limited to 3 months for the same reasons, and for the upselling opportunities.

I think cloud providers also offer free 1-year TLS certificates, but of course you are also using their other services.

If they insist on keeping the three-month limit, I wish they'd come up with some better ways to allow you to secure your server.

If you want to use the www auth, you need to allow outbound connections to any IP (they specifically won't release the range they use); otherwise you have the DNS option, which means giving the server access to modify the DNS records, which is also unsafe should the box get compromised.

With the DNS option the machine doing the request doesn't have to be the machine using the certificate though.

I have a separate machine doing the DNS challenge and the cert is then distributed to the machine needing it.

Technically true for the regular web challenge, but easier with DNS I think.

I'm doing the same for my personal/home lab stuff. I've been using https://github.com/joohoi/acme-dns for the DNS server running on a small VPS for all my internal certificates, and I haven't had any issues with it.
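To make concrete what the DNS-01 option in the replies above actually checks, and why a delegated name (the approach acme-dns takes) limits what the challenge-solving machine can touch, here is an added example that is not code from this thread or from the acme-dns project. It follows RFC 8555 section 8.4 (key authorization = token "." account-key thumbprint, SHA-256, base64url into the `_acme-challenge` TXT record) and RFC 7638 for the thumbprint. The account key, the token, the domain names and the in-memory "zone" are all constructed placeholders; the validator is a simulation of the CA side, not a real resolver.

```python
"""DNS-01 challenge mechanics with a delegated _acme-challenge name (illustrative)."""
import base64
import hashlib
import json

# Constructed ACME account key: placeholder values of the right shape, not a real key.
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "placeholder-modulus-not-a-real-key", "kid": "acct-1"}
# Constructed challenge token, standing in for the one the CA returns in the authorization.
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def account_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: required members only, sorted, no whitespace, SHA-256."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """Value the CA expects in the TXT record: base64url(SHA-256(token "." thumbprint))."""
    key_authorization = f"{token}.{thumbprint}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def build_delegated_zone(domain: str, delegate_name: str, txt_value: str) -> dict:
    """Simulated DNS data. The main zone holds only a static CNAME for _acme-challenge;
    the machine solving challenges writes TXT records under delegate_name alone."""
    return {
        f"_acme-challenge.{domain}.": ("CNAME", delegate_name),
        delegate_name: ("TXT", {txt_value}),
    }


def validate_dns01(zone: dict, domain: str, token: str, thumbprint: str) -> bool:
    """Simulated CA-side check: follow a bounded CNAME chain, then compare the TXT value."""
    name = f"_acme-challenge.{domain}."
    expected = dns01_txt_value(token, thumbprint)
    for _ in range(5):  # real resolvers also cap CNAME chasing
        rr = zone.get(name)
        if rr is None:
            return False
        rtype, rdata = rr
        if rtype == "CNAME":
            name = rdata
            continue
        return rtype == "TXT" and expected in rdata
    return False


def demo() -> bool:
    """Solve the constructed challenge via a delegated name and validate it."""
    thumb = account_thumbprint(ACCOUNT_JWK)
    delegate = "a1b2c3d4.acme-dns.example.net."  # constructed delegated name
    zone = build_delegated_zone("example.com", delegate, dns01_txt_value(TOKEN, thumb))
    return validate_dns01(zone, "example.com", TOKEN, thumb)


if __name__ == "__main__":
    print("challenge validates:", demo())
```

The point to take from it: the only secrets involved in solving the challenge are the ACME account key (for the thumbprint) and whatever credential writes the TXT record. With the CNAME in place, that credential needs to reach just the delegated name, so a compromised challenge box cannot rewrite the rest of the zone, which is the concern raised earlier in the thread about handing a server DNS-modification rights.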