Let's Encrypt Decreasing Certificate Lifetimes to 45 Days

Virtualmin will, of course, change its default renewal schedule to accommodate this change.

5 Likes

sad :pensive_face:, but I hope the auto-renew feature will still be on

Nothing sad about it. It doesn’t matter how often it needs to renew. They’re free. You just get a new one before it expires.

1 Like

Just one more thing to check, then we will get used to it and forget.
“30 days, which will be reduced to 7 hours” is a massive change, even if it is over 3 years.

1 Like

Can always ask for a refund :grin:

3 Likes

That’s the domain authorization time (how long they believe you own the domain you’re requesting a cert for), not the cert. Nothing wrong with that change, either.

OK, misread/misunderstood. Not really worried, but as said, just one more thing to check that it has happened, then forget. Tx for the heads up and for looking out for us.

This will OVERRIDE current settings so we lazy admins do nothing? :wink:

I’ll be asking Ilia for the “command-line command” again :)

So, are they shortening the time because hackers are breaking their certs in 90 days?

They explained why in the blog post in the third sentence.

1 Like

For those paranoid about LE cert renewal, here is a portion of a script that I run daily in crontab:

```perl
use File::Slurp qw(read_file write_file);
use Date::Parse qw(str2time);

# @domains, $opt_p and mail() come from the rest of the script (not shown).
foreach (@domains) {
        # Expiry string saved by the previous run; undef on the first run
        my $old_expire = read_file("/tmp/$_.last-expire", err_mode => 'carp', chomp => 1);
        # $_ is interpolated into a shell command, so @domains must be trusted
        my $cur_expire = `openssl x509 -in /home/$_/ssl.cert -noout -enddate`;
        chomp($cur_expire);
        $cur_expire =~ s/notAfter=//;
        my $cur_exp_time = str2time($cur_expire);
        # Treat a missing or unparseable saved value as "no previous expiry"
        my $old_exp_time = (defined $old_expire && str2time($old_expire)) || 0;
        if ($opt_p) {
                print("$_:\t$cur_expire\n");
        }
        if ($cur_exp_time > $old_exp_time) {
                # cert updated
                if (defined $old_expire) {  # i.e., not first time
                        my $msg = "Subject: $_ CERT UPDATED\n\nOld expire: $old_expire\nCurrent expire: $cur_expire\n";
                        if ($_ eq 'somespecialname') {
                                `/usr/sbin/service dovecot restart`;
                                `/usr/sbin/postmap -F hash:/etc/postfix/sni_map`;
                                `/usr/sbin/service postfix restart`;
                                $msg .= "Restarted dovecot, postfix!\n";
                        }
                        mail($msg);
                }
                write_file("/tmp/$_.last-expire", $cur_expire);
                next;
        }

        if ($cur_exp_time < time()) {
                # cert expired
                # warn()
                mail("Subject: $_ CERT EXPIRED!!!\n\nOld expire: $old_expire\nCurrent expire: $cur_expire\n");
                next;
        }
}
```

‘somespecialname’ isn’t really used any more, but there was a time when I needed to restart dovecot et al before it would recognize the cert.
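
A lifetime-relative check to go with the script above, as an added example that is not part of the original post: it flags a cert that has used up most of its own validity period without being replaced, so the same rule works for 90-day and 45-day certs. The 75% threshold, the function names, the constructed "current time" and the `/home/example.com/ssl.cert` path are assumptions made for illustration.

```perl
use strict;
use warnings;
use Date::Parse qw(str2time);
# Assumption: alert once 75% of the validity period has elapsed without a
# replacement cert appearing. Tune to your ACME client's renewal point.
my $ALERT_FRACTION = 0.75;

# Decide from epoch seconds alone, so the logic is independent of cert length.
sub lifetime_status {
    my ($not_before, $not_after, $now, $fraction) = @_;
    return ('ERROR', 'could not read certificate dates')
        unless defined($not_before) && defined($not_after) && $not_after > $not_before;
    return ('EXPIRED', sprintf('expired %.1f days ago', ($now - $not_after) / 86400))
        if $now >= $not_after;
    my $used   = ($now - $not_before) / ($not_after - $not_before);
    my $detail = sprintf('%.0f%% of lifetime used, %.1f days left',
                         $used * 100, ($not_after - $now) / 86400);
    return ($used >= $fraction ? 'RENEWAL_OVERDUE' : 'OK', $detail);
}

# Read notBefore/notAfter from a PEM file. List-form pipe open runs openssl
# without a shell, so the path is never interpreted as shell syntax.
sub cert_dates {
    my ($path) = @_;
    open(my $fh, '-|', 'openssl', 'x509', '-in', $path,
         '-noout', '-startdate', '-enddate') or return (undef, undef);
    my %date;
    while (my $line = <$fh>) {
        $date{$1} = str2time($2) if $line =~ /^(notBefore|notAfter)=(.+)$/;
    }
    close($fh);
    return ($date{notBefore}, $date{notAfter});
}

# Constructed sample: two certs that both have 20 days left.
my $now = 1_800_000_000;    # constructed "current time"
for my $days (90, 45) {
    my $not_after = $now + 20 * 86400;
    my ($status, $detail) =
        lifetime_status($not_after - $days * 86400, $not_after, $now, $ALERT_FRACTION);
    print "$days-day cert: $status ($detail)\n";
}

# Real use (hypothetical path): perl check.pl /home/example.com/ssl.cert
for my $path (@ARGV) {
    my ($status, $detail) = lifetime_status(cert_dates($path), time(), $ALERT_FRACTION);
    print "$path: $status ($detail)\n";
}
```

With the constructed sample, the 90-day cert with 20 days left is reported as overdue for renewal, while the 45-day cert with the same 20 days left is still OK, which is why a fixed days-remaining threshold tuned for 90-day certs needs revisiting.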

We all want a safer and more secure internet, and more importantly:

2028 is quite a while ahead too.
