Hacker News

Is there a detour here or is using letsencrypt reliant on these apis?

https://medium.com/enigma-shards/lets-encrypt-uptime-and-ope...




You need the API up; that's how it works.

However, should you fail to renew a cert, your script should just keep retrying until the API is back and you should allow enough time for it to fail. I believe most clients renew certs ~10 days in advance.

Obviously if you're relying on getting a new cert to bring up something like a preview environment or to hand out your own subdomains, this will result in a downtime/delay in provisioning, but most people would be fine with a single wildcard and never really experience a problem, as long as their script runs and they keep it reasonably up-to-date.


> I believe most clients renew certs ~10 days in advance.

The recommendation and the time certbot uses is 30 days.


I've heard 10 days before, possibly older documentation?


Based on the reminder emails they've sent me, they recommend renewing when one-third of the current cert's validity is remaining. That is, 1 month for their 3-month certs.


What is the problem with attempting the renewal every day?

It will predictably fail until D-30, and then there will be 30 attempts to renew (in case something went wrong with the 1st, 2nd, etc. attempt).
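The timing discussed in this thread, as an added example that is not part of any comment: a simulation of a daily renewal job that starts attempting once one-third of a certificate's validity remains, showing how much validity is left after an API outage. The dates, the 7-day outage and the function names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

def renewal_due(not_before, not_after, now, divisor=3):
    """True once no more than 1/divisor of the cert's lifetime remains."""
    window = (not_after - not_before) / divisor
    return not_after - now <= window

def simulate_daily_renewal(not_before, not_after, outage, divisor=3):
    """Run one attempt per day, as a daily scheduled job would.

    `outage` is a (start, end) pair during which the CA API is unreachable
    (end exclusive). Returns (renewed_at, attempts, margin), or
    (None, attempts, timedelta(0)) if the certificate expired first.
    """
    attempts = 0
    now = not_before
    while now < not_after:
        if renewal_due(not_before, not_after, now, divisor):
            attempts += 1
            api_up = not (outage[0] <= now < outage[1])
            if api_up:
                return now, attempts, not_after - now
        now += timedelta(days=1)
    return None, attempts, timedelta(0)

# Constructed sample: a 90-day certificate and a 7-day API outage that
# begins exactly when the 30-day renewal window opens.
ISSUED = datetime(2024, 1, 1, tzinfo=timezone.utc)
EXPIRES = ISSUED + timedelta(days=90)
WINDOW_OPENS = EXPIRES - timedelta(days=30)
OUTAGE = (WINDOW_OPENS, WINDOW_OPENS + timedelta(days=7))

if __name__ == "__main__":
    renewed_at, attempts, margin = simulate_daily_renewal(ISSUED, EXPIRES, OUTAGE)
    print(f"renewed {renewed_at:%Y-%m-%d} after {attempts} attempts, "
          f"{margin.days} days of validity left")
```

An outage that outlasts the whole window returns `None` after 30 failed attempts, which is the case worth alerting on well before expiry.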



