this post was submitted on 02 Dec 2025
446 points (98.9% liked)

Selfhosted

53294 readers
1051 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

  7. No low-effort posts. This is subjective and will largely be determined by the community member reports.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
HybridSarcasm@lemmy.world
HybridSarcasm@lemmy.hybridsarcasm.xyz
446
Decreasing Certificate Lifetimes to 45 Days (letsencrypt.org)
submitted 2 days ago by artiman@piefed.social to c/selfhosted@lemmy.world
188 comments fedilink hide all child comments
 

Let’s Encrypt will be reducing the validity period of the certificates we issue. We currently issue certificates valid for 90 days, which will be cut in half to 45 days by 2028.
This change is being made along with the rest of the industry, as required by the CA/Browser Forum Baseline Requirements, which set the technical requirements that we must follow. All publicly-trusted Certificate Authorities like Let’s Encrypt will be making similar changes. Reducing how long certificates are valid for helps improve the security of the internet, by limiting the scope of compromise, and making certificate revocation technologies more efficient.

(page 3) 50 comments
sorted by: hot top controversial new old
[–] Prove_your_argument@piefed.social 17 points 2 days ago (1 children)

Reducing the valid time will not solve the underlying problems they are trying to fix.

We're just gonna see more and more mass outages over time especially if this reduces to an uncomfortably short duration. Imagine what might happen if a mass crowdflare/microsoft/amazon/google outage that goes on perhaps a week or two? what if the CAs we use go down longer than the expiration period?

Sure, the current goal is to move everybody over to ACME but now that's yet another piece of software that has to be monitored, may have flaws or exploits, may not always run as expected... and has dozens of variations with dependencies and libraries that will have various levels of security of their own and potentially more vulnerabilities.

I don't have the solution, I just don't see this as fixing anything. What's the replacement?

[–] fistac0rpse@fedia.io 14 points 2 days ago (2 children)

clearly the most secure option is to have certificates that are only valid for 30 seconds at a time

[–] fxdave@lemmy.ml 7 points 2 days ago (1 children)

Let's be extra safe. New cert per every request

[–] RheumatoidArthritis@mander.xyz 4 points 1 day ago

Ephemeral diffie-hellman is exactly that, it's part of TLS since I think 1.2

load more comments (1 replies)
[–] Valmond@lemmy.world 12 points 2 days ago* (last edited 1 day ago) (18 children)

And you still can't self certify.

It's cute the big players are so concerned with my little security of my little home server.

Or is there a bigger plan behind all this? Like pay more often, lock in to government controlled certs (already done I guess because they control DNS and you must have a "real" website name to get a free cert)?

I feel it's 50% security 50% bullshit.

Edit: thank you all I will dive down the CA certification rabbit hole now! Have worked in C++ & X509 on the client side so maybe I'll be able to figure it out.

[–] stratself 6 points 2 days ago (1 children)

Technically something like DANE can allow you to present DNSSEC-backed self-signed certs and even allow multi-domain matching that removes the need for SNI and Encrypted Client Hello... but until the browsers say it is supported, it's not

load more comments (1 replies)
load more comments (17 replies)
[–] IronKrill@lemmy.ca 2 points 1 day ago* (last edited 1 day ago) (1 children)

Just skip to the point and make it 1 day

load more comments (1 replies)
[–] MehBlah@lemmy.world 4 points 1 day ago

Just let me know so I can change my crontabs.

[–] cupcakezealot@piefed.blahaj.zone 8 points 2 days ago (2 children)

assuming "rest of the industry" in this context refers to ssl seller lobby.

[–] dan@upvote.au 15 points 2 days ago* (last edited 2 days ago) (6 children)

Yes, this requirement comes from the CA/Browser Forum, which is a group consisting of all the major certificate authorities (like DigiCert, Comodo/Sectigo, Let's Encrypt, GlobalSign, etc) plus all the major browser vendors (Mozilla, Google, and Apple). Changes go through a voting process.

Google originally proposed 90 day validity, but Apple later proposed 47 days and they agreed to move forward with that proposal.

load more comments (6 replies)
[–] atzanteol@sh.itjust.works 9 points 2 days ago (7 children)

It's being deiven by the browsers. Shorter certs mean less time for a compromised certificate to be causing trouble.

https://cabforum.org/working-groups/server/baseline-requirements/requirements/

load more comments (7 replies)
load more comments
view more: ‹ prev next ›