
Posted by schmuckonwheels 12/15/2025

Upcoming Changes to Let's Encrypt Certificates (community.letsencrypt.org)
321 points | 322 comments, page 3
jcims 12/15/2025|
I used to be knee deep in PKI stuff, now I hardly pay attention.

Two quick questions:

1 - Are there any TLS libraries that enable warnings when certs are nearing expiration?

2 - Are there any extensions in the works (or previous failed attempts) for TLS to have the client validate the next planned certificate and signal both ends when that fails?

ekr____ 12/15/2025|
To the best of my knowledge the answer to "2" is no.
jcims 12/16/2025||
I did a bunch of work with Verisign as a contractor back in the early 2000s and got to see some of the systems and infrastructure issuing a good portion of the world's certificates at that time. 15 years later I was at Google when they let an intermediate certificate in their SMTP certs expire and had a major Gmail outage. At work last week we had a major outage related to certificate issues. Of course there are thousands upon thousands of stories like that in between.

The chains of trust you can build with PKI have been incredibly useful and instrumental to securing code, data and traffic, but the fact that it's still subject to such brittle failure modes is bemusing.
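
An added example, not code from the thread or from Let's Encrypt, covering the first question above (a library-level check that warns when a cert is nearing expiry) and the intermediate-expiry outage described in the reply. It constructs its own root, intermediate and leaf (the names "Demo Root", "Demo Intermediate", "www.example.test", the dates and the 30-day warning threshold are all assumptions made for the example) and then checks the chain with Go's standard crypto/x509 verifier, reporting the earliest-expiring certificate the server would present rather than only the leaf:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a certificate for cn: self-signed when parent is nil, otherwise signed by parent.
func issue(cn string, notBefore, notAfter time.Time, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // fine for a constructed chain; real CAs use random serials
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{cn}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

func date(y int, m time.Month, d int) time.Time { return time.Date(y, m, d, 0, 0, 0, 0, time.UTC) }

// ChainStatus is the result of checking a presented chain at a point in time.
type ChainStatus struct {
	ValidNow  bool          // chain verifies to a trusted root at that time
	Err       error         // verification error, if any
	Weakest   string        // CommonName of the earliest-expiring cert the server presents
	Remaining time.Duration // time until Weakest expires (negative once expired)
	Warn      bool          // Remaining is below the caller's threshold
}

// CheckChain verifies leaf via intermediates to roots at now and reports the earliest expiry among what
// the server presents (leaf plus intermediates); roots live in the client's trust store and are not counted.
func CheckChain(leaf *x509.Certificate, intermediates, roots []*x509.Certificate, now time.Time, warnWithin time.Duration) ChainStatus {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range roots {
		rootPool.AddCert(c)
	}
	for _, c := range intermediates {
		interPool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: rootPool, Intermediates: interPool, CurrentTime: now})
	weakest := leaf
	for _, c := range intermediates {
		if c.NotAfter.Before(weakest.NotAfter) {
			weakest = c
		}
	}
	remaining := weakest.NotAfter.Sub(now)
	return ChainStatus{ValidNow: err == nil, Err: err, Weakest: weakest.Subject.CommonName, Remaining: remaining, Warn: remaining < warnWithin}
}

// DemoStatusAt builds the constructed root -> intermediate -> leaf chain (assumed names and dates; the intermediate
// expires 50 days before the 90-day leaf), checks it on the given day with a 30-day threshold, and also returns what a leaf-only check would report, in days.
func DemoStatusAt(year, month, day int) (ChainStatus, float64) {
	root, rootKey := issue("Demo Root", date(2025, 1, 1), date(2035, 1, 1), true, nil, nil)
	inter, interKey := issue("Demo Intermediate", date(2025, 1, 1), date(2026, 1, 10), true, root, rootKey)
	leaf, _ := issue("www.example.test", date(2025, 12, 1), date(2026, 3, 1), false, inter, interKey)
	now := date(year, time.Month(month), day)
	st := CheckChain(leaf, []*x509.Certificate{inter}, []*x509.Certificate{root}, now, 30*24*time.Hour)
	return st, leaf.NotAfter.Sub(now).Hours() / 24
}

func main() {
	for _, d := range [][3]int{{2025, 12, 15}, {2026, 1, 15}} {
		st, leafDays := DemoStatusAt(d[0], d[1], d[2])
		fmt.Printf("%d-%02d-%02d leaf-only=%.0fd chain: valid=%v weakest=%q left=%.0fd warn=%v err=%v\n",
			d[0], d[1], d[2], leafDays, st.ValidNow, st.Weakest, st.Remaining.Hours()/24, st.Warn, st.Err)
	}
}
```

On 2025-12-15 a leaf-only check reports 76 days and stays quiet, while the chain check flags the intermediate at 26 days; a month later the leaf alone still shows 45 days but the chain no longer verifies, which is the failure mode in the outage story above. Against a live server the same `CheckChain` can be fed the certificates a `tls.Conn` exposes through `ConnectionState().PeerCertificates` (leaf first, then the intermediates as sent) instead of the constructed ones.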

lousken 12/15/2025||
I am not sure how I feel about this solution. It is already painful to deal with certs on every single piece of IT equipment. Unless you create and manage your own CA and manage it, which is an extra burden, what is the point of this? This will only create more janky scripts and annoyances for very little benefit.

What's next? Enforcing email signing with SMIME or PGP?

PunchyHamster 12/15/2025||
The whole thing is very silly security wise anyway.

Okay, so your cert leaked. Will having it leaked for 1.5 months be substantially less dangerous than 90 days? Nope, you're fucked from day one, it's still massively worse than "a browser asynchronously checks whether the site's cert has been revoked"

maltris 12/16/2025||
Wondering: Is there a good tool for centralized ACME cert management when one runs a large infrastructure, highly available, multi location where it makes little sense to run the ACME client directly on each instance or location?
cpach 12/17/2025|
Haven’t tried it myself, but this one looks interesting: https://certifytheweb.com/
kmeisthax 12/15/2025||
Let's Encrypt, you're not even a for-profit business; there's nobody you need to shield the blow from. Just say "we're reducing certificate lifetimes to comply with CA/Browser Forum rules". You don't need to do the cowardly "replace lower with change" in the headline thing.
danparsonson 12/15/2025||
The announcement is about several changes they're making, not just about cert lifetimes.
victorbjorklund 12/15/2025||
That does not make any sense. Plenty of things on the internet are Open Source / Non-profit yet it affects us a lot. Of course it’s good to give people relying on your stuff heads-up etc.
wizzwizz4 12/15/2025||
GP is criticising the use of language in the headline, not the fact there's an announcement.
b112 12/15/2025||
Plus, the announcer is standing in front of a hedge.

I'm not sure why, but every corporate picture I've seen of someone, in this context, is standing in front of a hedge. Seems to be a California thing?

(Where I live, we only have leaves on hedges 6 months of the year)

asadotzler 12/15/2025|||
It's "let's not take your picture inside of the office because everyone hates the inside of offices. let's take your picture outside instead, near the office, but not featuring the office. oh, that tree over there is nice, but darn, the lighting underneath its branches isn't great. hey, that hedge over there reads great in light test and it works with what you're wearing, so, yeah, that'll do just fine."
mcpherrinm 12/15/2025||
It was actually outside of my small apartment with bad lighting
tptacek 12/15/2025|||
The announcer, Matthew McPherrin, is a frequent commenter here (and a stand-up person deeply involved with information security).
h43z 12/15/2025||
Did I understand that correctly that I will be able to get a certificate for an IP?
phasmantistes 12/16/2025|
Yep! Should be available to the general public (as long as you're using an ACME client that can be configured to request a specific profile) later this week.
pabs3 12/16/2025||
When are we going to get certificates signed by multiple vendors?
cpach 12/17/2025|
What would the benefit be?