[Ach] bettercrypto.org certificate has expired today

Terje Elde terje at elde.net
Wed Mar 8 16:04:39 CET 2017


> On 08 Mar 2017, at 14:19, Hanno Böck <hanno at hboeck.de> wrote:
> 
> What you should do is to request a new cert with a reasonable
> timeframe before your old one expires (one could probably argue forever
> what a reasonable timeframe is, but I'd say something between 10 and 30
> days).

Renewal is a common problem.  Is this something that the guide should spend a few words on?


My experience in my own circles, have mostly been that it’s not too hard to get consensus that appropriate time is something like:

How long it will take you to notice that cert is approaching limit. (24 hours?)
 + However long it will take you to replace manually using plan A. (a day?)
 + However long it will take you to replace manually using plan B (manually order from alternative CA for example) (a week?)
 + How however long it will take to cycle new cert into production, accounting for things like DNS TTLs, having Apps put through approval at App Store, or whatever might be required) (2-14 days, depending?)
 + Margins (two weeks?)

That should land you somewhere between 25 and 37 days, depending, for a *comfortable* margin to replace.

Point is just that it’s very easy for those with less experience at running systems to forget about things like detection time, planning for having to go to a plan B for a new certs, planning in margins, and so on.  Easy to slip up.

Terje



More information about the Ach mailing list