[Ach] bettercrypto.org certificate has expired today

Hanno Böck hanno at hboeck.de
Wed Mar 8 14:19:36 CET 2017


On Wed, 8 Mar 2017 14:00:11 +0100
Jeroen Massar <jeroen at massar.ch> wrote:

> Indeed, the moving parts of Let's Encrypt are not so much fun. What if
> LE goes down for a few days because somebody DDoSses them to
> nowhere... lots of unhappy websites there will be.

If your ACME implementation is somewhat smart a few days shouldn't be an
issue.
You certainly shouldn't request a new cert just before the old one
expires. What you should do is to request a new cert with a reasonable
timeframe before your old one expires (one could probably argue forever
what a reasonable timeframe is, but I'd say something between 10 and 30
days). If it doesn't work because LE is down retry a bit later.

There's however a related issue with OCSP and OCSP stapling, which is
more critical and generally a big mess, because the OCSP stapling
implementation in apache and nginx is horrible and they show no
interest in fixing it.

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno at hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
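As an added illustration of the renewal-timing argument in the reply above (this is not code from the mail or from any ACME client), a day-by-day model: a site holding 90-day certificates attempts renewal once per day from `renew_before` days before expiry and simply retries the next day when the issuer does not answer. The start date, the 120-day run and the 6-day issuer outage on days 88 to 93 are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Dict

CERT_LIFETIME = timedelta(days=90)      # Let's Encrypt certificates are valid 90 days
START = date(2017, 3, 8)                # constructed: day 0 of the simulation
SIM_DAYS = 120                          # constructed: length of the run
OUTAGE_FIRST, OUTAGE_LAST = 88, 93      # constructed: issuer unreachable on days 88..93


@dataclass
class Cert:
    not_before: date
    not_after: date


def renewal_due(cert: Cert, today: date, renew_before: timedelta) -> bool:
    """Renewal is due once today falls within `renew_before` of expiry."""
    return today >= cert.not_after - renew_before


def simulate(start: date, days: int, renew_before: timedelta,
             issuer_up: Callable[[date], bool]) -> Dict[str, int]:
    """Day-by-day loop: attempt renewal when due (retry the next day on
    failure), then record whether the cert served that day had expired."""
    cert = Cert(start, start + CERT_LIFETIME)
    expired_days = failed_attempts = 0
    for i in range(days):
        today = start + timedelta(days=i)
        if renewal_due(cert, today, renew_before):
            if issuer_up(today):
                cert = Cert(today, today + CERT_LIFETIME)
            else:
                failed_attempts += 1          # issuer down: try again tomorrow
        if today >= cert.not_after:
            expired_days += 1                 # visitors saw an expired cert today
    return {"expired_days": expired_days, "failed_attempts": failed_attempts}


def run_example(renew_before_days: int) -> Dict[str, int]:
    """Run the constructed scenario: a 6-day issuer outage just before
    the first certificate's expiry, with the given renewal lead time."""
    first = START + timedelta(days=OUTAGE_FIRST)
    last = START + timedelta(days=OUTAGE_LAST)
    return simulate(START, SIM_DAYS, timedelta(days=renew_before_days),
                    issuer_up=lambda d: not (first <= d <= last))


if __name__ == "__main__":
    for lead in (1, 30):
        print(f"renew {lead:2d} days before expiry: {run_example(lead)}")
```

Renewing one day before expiry leaves four days of an expired certificate across the outage, while a 30-day lead time never even notices it.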

