Let’s Encrypt will be reducing the validity period of the certificates we issue. We currently issue certificates valid for 90 days, which will be cut in half to 45 days by 2028.
This change is being made along with the rest of the industry, as required by the CA/Browser Forum Baseline Requirements, which set the technical requirements that we must follow. All publicly-trusted Certificate Authorities like Let’s Encrypt will be making similar changes. Reducing how long certificates are valid for helps improve the security of the internet, by limiting the scope of compromise, and making certificate revocation technologies more efficient.
YES! Keep cutting it down!
Revocation is a lost cause and if you don’t automate you deserve what you get.
I have multiple self hosted services at home which are impossible to automate because they are not accessible from the internet without VPN. And some even don’t have internet access. Still me and my roommates are using them through a valid domain that points to the local address enabling https. Some services require https to function at all. After log4j i’ll never again open a “normal” port 80 or 443 to my local net. So thanks i guess. 90 days was annoying already. Great it works out for you
Dude, you need to figure out a way to automate that. It’s no way to live.
I agree, but it’s impossible to convince my less tech savy roommates and friends to let me install a root certificate. “That sounds like i could read all their private messages”, lol. Just let me have my certificate for https in my local net. I don’t need to be “even more” secure. I get that that’s necessary for public services, but surely not for local selfhosting. I don’t even have a port open other than wireguard. And i would not even care “if a roommate hacks/gets access to a guests voice commands for home assistant.” (Not complaining at you but at this trend. I do think my use case is valid)
You are gonna laugh if i tell you how i partly automated this workaround. A script changes the (dyn) dns entries of all subdomains to point to my public server in a datacenter. There, it ssh’s in and requests the certificates with certbot. Then, it restores the dns entries and downloads and installs the certificates in the local net. Still requires manual supervision and sometimes intervention. My domains do not support automated dnssec. I don’t have time to secure my local net enough to feel good about opening ports. If all certificate lifetimes get shorter, i’ll either have to switch my domain provider or give up selfhosting for other people.
Can you not issue your own certificate? I guess it depends on how many devices and what types of devices need to connect. It’s be a one time effort per device (importing your own self signed cert) versus one time effort per service per X days.
I did that for myself a few years back. But i can’t convince my roommates, let’s not even speak of guests, to install a (my) root certificate. My android phone still complains about “possibly supervised network traffic” since back when i installed my root ca. Maybe there is another solution im not aware of, but i can’t think of any