On 2017-03-08 14:19, Hanno Böck wrote:
> On Wed, 8 Mar 2017 14:00:11 +0100
> Jeroen Massar <[email protected]> wrote:
>
>> Indeed, the moving parts of Let's Encrypt are not so much fun. What if
>> LE goes down for a few days because somebody DDoSes them to
>> nowhere... lots of unhappy websites there will be.
>
> If your ACME implementation is somewhat smart a few days shouldn't be an
> issue.
> You certainly shouldn't request a new cert just before the old one
> expires. What you should do is to request a new cert with a reasonable
> timeframe before your old one expires (one could probably argue forever
> what a reasonable timeframe is, but I'd say something between 10 and 30
> days). If it doesn't work because LE is down, retry a bit later.

10-30 days functions now, but they want to reduce it to a lot less (10
days is one version)... lots of fun one day ;)

> There's however a related issue with OCSP and OCSP stapling, which is
> more critical and generally a big mess, because the OCSP stapling
> implementation in apache and nginx is horrible and they show no
> interest in fixing it.

And then add the headers to DNS for TLSA, and wait for TTLs to expire
etc. Anything crypto is horrible ;)

Greets,
 Jeroen

_______________________________________________
Ach mailing list
[email protected]
http://lists.cert.at/cgi-bin/mailman/listinfo/ach
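The renewal policy Hanno describes above (open the renewal window well before expiry, retry later if the CA is down) is easy to get wrong in a cron job that just fires on the last day. The following is an added example written for this page; it is not code from either participant nor from any ACME client. It assumes a 30 day window, an hourly timer, a 1 h to 12 h jittered backoff and a stub CA that is simply unreachable until a chosen instant (all constructed for the demo, as are the dates); a real client would place an ACME order where the stub sits. It runs the same five-day outage twice, once against a 30 day window and once against a client that waits for the last day, so the failure mode Hanno warns about is visible.

```python
"""Renewal policy sketch: open the renewal window early and keep retrying
through a CA outage.  Added example, not code from the thread or from any
ACME client; the CA is a stub that is 'down' until a given instant."""
from datetime import datetime, timedelta, timezone
import random

# Policy knobs.  Assumed values: the message only gives the 10-30 day range.
RENEW_WINDOW = timedelta(days=30)    # start renewing this far before notAfter
CHECK_INTERVAL = timedelta(hours=1)  # how often the timer job wakes up
RETRY_BASE = timedelta(hours=1)      # first pause after a failed order
RETRY_CAP = timedelta(hours=12)      # longest pause between orders


def should_renew(not_after, now, window=RENEW_WINDOW):
    """True once the remaining validity is inside the renewal window.
    This single comparison is what makes a multi-day outage survivable: with a
    30 day window you can fail for weeks; with a 1 day window a 2 day outage
    takes the site down."""
    return not_after - now <= window


def backoff(attempt, rng, base=RETRY_BASE, cap=RETRY_CAP):
    """Capped exponential backoff with jitter.
    Exponential so a struggling CA is not hammered, capped so a few retries
    cannot eat the whole window, jittered so a fleet that failed in the same
    hour does not all come back in the same second."""
    ceiling = min(base.total_seconds() * 2 ** attempt, cap.total_seconds())
    return timedelta(seconds=rng.uniform(base.total_seconds(), ceiling))


def renewal_loop(not_after, start, ca_down_until, window=RENEW_WINDOW, seed=0):
    """Drive the hourly job against a stub CA that rejects every order placed
    before `ca_down_until`.  Returns (renewed_at, attempts); renewed_at is None
    when the old certificate expires before any order succeeds."""
    rng = random.Random(seed)
    now, attempts, next_attempt = start, 0, start
    while now < not_after:
        if should_renew(not_after, now, window) and now >= next_attempt:
            attempts += 1
            if now >= ca_down_until:       # stand-in for a successful ACME order
                return now, attempts
            next_attempt = now + backoff(attempts - 1, rng)
        now += CHECK_INTERVAL
    return None, attempts


def demo():
    """Same five-day outage twice: once against a 30 day window, once against a
    client that waits for the last day.  Dates are constructed for the demo."""
    expiry = datetime(2017, 4, 15, tzinfo=timezone.utc)
    start = datetime(2017, 3, 8, tzinfo=timezone.utc)
    # Outage begins exactly when the 30 day window opens (2017-03-16) and
    # lasts five days; the early client rides it out with weeks to spare.
    early, n_early = renewal_loop(
        expiry, start, datetime(2017, 3, 21, tzinfo=timezone.utc))
    # Outage covers the whole last day before expiry; a client that only
    # starts on that day never gets a certificate.
    late, n_late = renewal_loop(expiry, start, expiry + timedelta(days=1),
                                window=timedelta(days=1))
    return {
        "early_renewed": early is not None,
        "early_days_spare": (expiry - early).days if early else 0,
        "early_attempts": n_early,
        "late_renewed": late is not None,
        "late_attempts": n_late,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In a deployment, `not_after` comes from the certificate on disk (for example the output of `openssl x509 -enddate -noout -in cert.pem`) and the `now >= ca_down_until` stub is replaced by the actual ACME order; the scheduling and backoff logic stays the same. The important property is that the window, not the retry schedule, decides whether an outage is survivable.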
