On Wed, 8 Mar 2017 14:00:11 +0100 Jeroen Massar <[email protected]> wrote:
> Indeed, the moving parts of Let's Encrypt are not so much fun. What if
> LE goes down for a few days because somebody DDoSses them to
> nowhere... lots of unhappy websites there will be.

If your ACME implementation is somewhat smart, a few days shouldn't be an
issue. You certainly shouldn't request a new cert just before the old one
expires. What you should do is request a new cert a reasonable timeframe
before your old one expires (one could probably argue forever about what a
reasonable timeframe is, but I'd say something between 10 and 30 days). If
it doesn't work because LE is down, retry a bit later.

There's however a related issue with OCSP and OCSP stapling, which is more
critical and generally a big mess, because the OCSP stapling
implementation in Apache and nginx is horrible and they show no interest
in fixing it.

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: [email protected]
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
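The renewal policy Hanno describes, as an added example that is not part of the original thread: a constructed simulation of an ACME client that starts renewing a fixed window before notAfter and retries on failure, run against an assumed five-day CA outage (the dates, the 30-day and 1-day windows and the 12-hour retry interval are assumed values chosen to show the contrast).

```python
from datetime import datetime, timedelta

# Constructed simulation, not code from the thread. The CA outage is assumed
# to be the only reason a renewal attempt can fail.


def should_renew(not_after: datetime, now: datetime, window_days: int) -> bool:
    """True once `now` lies inside the renewal window before expiry."""
    return now >= not_after - timedelta(days=window_days)


def simulate_renewal(not_after, start, window_days, outage_start, outage_days,
                     attempt_interval_hours=12):
    """Step time forward until a renewal attempt succeeds or the cert expires.

    Returns (renewed_at, attempts); renewed_at is None if the cert expired
    before the CA came back.
    """
    now = start
    attempts = 0
    outage_end = outage_start + timedelta(days=outage_days)
    step = timedelta(hours=attempt_interval_hours)
    while now < not_after:
        if should_renew(not_after, now, window_days):
            attempts += 1
            ca_down = outage_start <= now < outage_end
            if not ca_down:
                return now, attempts  # renewed with time to spare
        now += step  # CA down or not yet in window: try again later
    return None, attempts  # expired while the CA was unreachable


def demo():
    """Same cert, same 5-day outage: a 30-day window survives, a 1-day one does not."""
    not_after = datetime(2017, 4, 30)
    start = datetime(2017, 3, 1)
    # Outage begins exactly when each client first tries to renew (worst case).
    good = simulate_renewal(not_after, start, 30, datetime(2017, 3, 31), 5)
    bad = simulate_renewal(not_after, start, 1, datetime(2017, 4, 29), 5)
    fmt = lambda r: (r[0].isoformat() if r[0] else None, r[1])
    return {"window_30d": fmt(good), "window_1d": fmt(bad)}


if __name__ == "__main__":
    for name, (renewed_at, attempts) in demo().items():
        print(f"{name}: renewed_at={renewed_at} after {attempts} attempts")
```

With the 30-day window the client simply keeps retrying twice a day and succeeds on the 11th attempt, still 25 days before expiry; with the 1-day window it gets two attempts before the cert lapses.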
