We have an unusual concern when we use Let's Encrypt
One of the bits of recent TLS news is that Let's Encrypt is going to start offering 6-day TLS certificates. When I was thinking about my reaction to this, I realized that we have some unusual concerns that make me more nervous than average about getting Let's Encrypt TLS certificates with such short lifetimes.
I'm not particularly worried about Let's Encrypt's certificate issuance going offline as a whole for five or six days. If that happens, something catastrophic is going on in the overall TLS web PKI ecosystem, and we're just caught up in it (especially if there are lots of other people who are using six-day TLS certificates). Instead I'd be worried about us running into Let's Encrypt's rate limits, because we're in an unusual circumstance: we're one moderate part of a quite large organization (i.e., the university as a whole).
When you take a university-wide view, there are a lot of people requesting and renewing a lot of (Let's Encrypt) TLS certificates. In the early days of Let's Encrypt we saw issues with their initial rate limits; later, Let's Encrypt changed their rate limits, especially for TLS certificate renewals, and it became basically completely reliable for us to get renewals or new certificates. However, nothing is guaranteed here. The university's overall Let's Encrypt usage could go up enough to run into problems again, or there could be an accident with excessive requests and issuance elsewhere in the university that triggered special Let's Encrypt limitations on our top level domain. We could once again run into rate limit issues, and if we (my group) do, we're not in a position to write to Let's Encrypt on behalf of the entire University of Toronto to ask for an increased rate limit or to get a temporary restriction lifted.
With normal 90-day Let's Encrypt TLS certificates that renew with 30 days to go, we would have plenty of time to deal with this or work around it if it ever happened. We could explore alternate sources of free TLS certificates that support the ACME protocol, or we could go through the processes necessary to get TLS certificates through the university. Since we probably wouldn't be alone, we might even be able to get the appropriate people at the university to write to Let's Encrypt. But with TLS certificates that are only good for 6 days, we most likely have somewhere between not very much time and almost no time to deal with hitting the rate limits and being unable to renew existing Let's Encrypt TLS certificates. If such certificates renew with only two or three days of lifetime left and we were unlucky, the rate limit and then the expiry could both happen over a long weekend.
Most places likely won't have this sort of concern, even with six-day Let's Encrypt TLS certificates. They're not likely to have a high volume of issuance and renewals (especially one that varies unpredictably), or if they do and they run into rate limits, they can coordinate a response across their entire organization (including contacting Let's Encrypt and prioritizing renewals of critical TLS certificates).