On Wed, Jun 11, 2025 at 5:08 AM Y Peng <[email protected]> wrote:
>
> We have a Debian server that can connect to the internet in the test
> environment. We installed a free Let's Encrypt SSL certificate while
> connected to the internet. However, after deploying this server to the
> production environment, it is subject to strict network isolation and
> cannot access the internet. Will the Let's Encrypt certificate remain
> valid for a long time if it cannot access the internet?

The "valid for a long time" part is a sharp edge. It is expected to change from 2 years to 6 days. The 6-day certificates are called "short-lived", and are intended to help with revocation, keep CRLs small and make it easier to recover from a compromise. See <https://letsencrypt.org/2025/01/16/6-day-and-ip-certs/> and <https://letsencrypt.org/2025/02/20/first-short-lived-cert-issued/>.

There are related problems with short-lived certificates. Mainly, the current implementation of the ACME protocol on all the major distros breaks key continuity schemes. Key Continuity turned out to be a better security property than gratuitous Key Rotation, but the lessons got lost on the web folks.

Jeff
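An added example, not part of the thread: a certificate's validity window is fixed inside the file and is judged against the local clock, so an isolated host can check both the remaining lifetime and whether a renewal kept the same key without any network access. The file names, the CN `internal.example` and the self-signed certificates standing in for CA-issued ones are constructed for the demo.

```shell
#!/bin/sh
# Added example; file names and the CN are constructed for the demo.

# Print the base64 SHA-256 of a certificate's SubjectPublicKeyInfo (its "pin").
spki_pin() {
    pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    printf '%s\n' "$pub" | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -binary | openssl base64
}

# Succeed if the certificate's notAfter falls within the next $2 seconds.
# Reads only the local file and the system clock; no network access.
expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Succeed if both certificates carry the same public key (key continuity).
same_key() {
    a=$(spki_pin "$1") && b=$(spki_pin "$2") && [ "$a" = "$b" ]
}

# Build constructed test data: a 6-day certificate, a renewal that reuses
# its key, and a renewal with a fresh key. Prints the directory used.
make_demo_certs() {
    d=$(mktemp -d) || return 1
    for k in a b; do
        openssl ecparam -name prime256v1 -genkey -noout -out "$d/$k.key" || return 1
    done
    for c in first:a renew_samekey:a renew_newkey:b; do
        openssl req -new -x509 -key "$d/${c#*:}.key" -subj "/CN=internal.example" \
            -days 6 -out "$d/${c%%:*}.pem" 2>/dev/null || return 1
    done
    echo "$d"
}

dir=$(make_demo_certs) || exit 1
if expires_within "$dir/first.pem" 604800; then
    echo "first.pem expires within 7 days"
fi
for r in renew_samekey renew_newkey; do
    if same_key "$dir/first.pem" "$dir/$r.pem"; then
        echo "$r: same key, existing pins still match"
    else
        echo "$r: key rotated, pin is now $(spki_pin "$dir/$r.pem")"
    fi
done
```

Pointing `expires_within` at the deployed certificate from a cron job gives the isolated server an expiry alarm that does not depend on reaching the CA.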

