DEV Community

James Miller
Let’s Encrypt Is Going to 45-Day Certs. Will Your Ops Survive?

Let’s Encrypt just announced a major change: by 2028, their TLS/SSL certificate validity will be cut in half again—from 90 days down to 45 days. This isn’t a random policy flip; it’s part of the CA/Browser Forum’s new baseline requirements that every public CA will have to follow.

From a security perspective, the move makes sense: shorter lifetimes mean a smaller blast radius if a private key is compromised and less reliance on revocation. From an ops perspective, though, the message is clear:

If your automation isn’t solid, your life is about to get harder.

This post breaks down what’s changing, why it matters, and what realistic options you have—from hardening ACME automation to using longer-lived commercial DV certs via the ServBay Store.


What’s Actually Changing?

According to the Let’s Encrypt announcement, the shift to 45-day certs will roll out in stages:

  • May 13, 2026 – The tlsserver ACME profile switches to 45-day certs (opt-in, for early adopters / testing).
  • February 10, 2027 – The default classic profile moves to 64-day certificates with a 10-day authorization reuse period.
  • February 16, 2028 – The classic profile is updated again to 45-day certificates with just 7 hours of authorization reuse.

In other words:

  • The maximum cert lifetime keeps shrinking.
  • The time window during which domain authorization can be reused also shrinks dramatically.

If you’re using ACME with automatic renewals and robust monitoring, this might be fine. If not, things get rough fast.


Why Shorter Lifetimes? (And Why It Still Hurts Ops)

Let’s Encrypt lists three main motivations:

  1. Better security – Shorter lifetimes reduce the time an attacker can use a stolen key.
  2. More effective revocation – Revocation systems become less critical if compromised certs naturally age out quickly.
  3. Industry compliance – All publicly trusted CAs must follow the same baseline rules.

All of that is true. But if you’re operating real systems, you feel the downsides first.


Ops Reality: More Renewals, More Failure Modes

If your stack still relies on semi-manual processes, this change is a wake-up call.

1. Renewal Frequency Just Doubled (Again)

A lot of older setups do something like:

# intent: renew every 60 days for a 90-day cert
# note: */60 in the day-of-month field (1-31) can only match day 1, so this
# actually fires on the 1st of each month; cron cannot express "every 60 days"
0 3 */60 * * certbot renew

That already leaves a thin margin. For 45-day certs, a 60-day cron is a guaranteed outage.

Baseline rule of thumb:

  • Renew at ~2/3 of the cert lifetime.
  • For a 45-day cert, that means renewing around day 30.

Anything hard-coded longer than that is a time bomb.

2. ARI: Let the CA Tell You When to Renew

Let’s Encrypt introduced ACME Renewal Information (ARI) so clients no longer guess when to renew. The CA can say:

“This specific certificate should be renewed starting at time X.”

If your ACME client supports ARI, enable it:

  • You get CA-guided renewal timing.
  • Easier to avoid renewal storms or attempting too early/too late.

If your client doesn’t support ARI yet, you’ll need to:

  • Shorten your renewal interval.
  • Ensure retries + monitoring are in place when renewal fails.
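The two rules above (renew at roughly 2/3 of the lifetime, and let the CA's ARI window override that when the client supports it) as a small scheduler; this is an added example, not code from the post or from Certbot. It assumes the ARI `suggestedWindow` has already been fetched and parsed from the `renewalInfo` endpoint that RFC 9773 defines (the `ari_cert_id` helper builds that endpoint's certificate identifier per RFC 9773), and the `now` and `rng` parameters exist only to make the scheduling deterministic and testable.

```python
import base64
import random
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

RENEW_FRACTION = 2 / 3  # the post's rule of thumb: renew at ~2/3 of lifetime


def fallback_renewal_time(not_before: datetime, not_after: datetime) -> datetime:
    """Static rule: 2/3 of validity (day 60 of a 90-day cert, day 30 of a 45-day one)."""
    return not_before + (not_after - not_before) * RENEW_FRACTION


def ari_cert_id(aki_key_id: bytes, serial: int) -> str:
    """RFC 9773 certificate identifier used in the renewalInfo URL path.

    base64url (no padding) of the AKI keyIdentifier bytes, a period, then
    base64url of the serial as DER INTEGER content bytes (minimal big-endian,
    with a leading 0x00 if the high bit is set).
    """
    if serial <= 0:
        raise ValueError("X.509 serial numbers are positive integers")
    raw = serial.to_bytes((serial.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")
    return f"{enc(aki_key_id)}.{enc(raw)}"


def choose_renewal_time(
    not_before: datetime,
    not_after: datetime,
    suggested_window: Optional[Tuple[datetime, datetime]] = None,
    now: Optional[datetime] = None,
    rng: Optional[random.Random] = None,
) -> Tuple[datetime, str]:
    """Pick when to renew: a random instant inside the CA's ARI suggestedWindow
    (spreads load; renew at once if it has already passed), else the 2/3 rule."""
    now = now or datetime.now(timezone.utc)
    rng = rng or random.Random()
    if suggested_window is not None:
        start, end = suggested_window
        renew_at = start + timedelta(seconds=rng.uniform(0, (end - start).total_seconds()))
        return (now, "ari-window-already-open") if renew_at <= now else (renew_at, "ari-window")
    renew_at = fallback_renewal_time(not_before, not_after)
    return (now, "fallback-overdue") if renew_at <= now else (renew_at, "fallback-two-thirds")
```

Re-query ARI on each scheduler run rather than caching the window for the life of the cert, since the CA can move the window forward (for example ahead of a mass revocation).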

3. Manual Renewals Are Basically Dead

If you’re still:

  • Requesting certs via UI.
  • Downloading them.
  • SCP-ing them to servers.
  • Manually reloading services.

…you’re going to burn out trying to keep up with 45-day cycles. Even if you’re diligent, you’re:

  • Doubling (then tripling) the number of manual operations.
  • Increasing chances of human error.

At this cadence, manual renewal is no longer a viable long-term strategy.


DNS-PERSIST-01: A Friendlier Future for DNS Challenges

ACME today has three main challenge types:

  • HTTP-01
  • TLS-ALPN-01
  • DNS-01

DNS-01 is powerful (works behind CDNs, for wildcard certs, etc.) but it forces you to:

  • Grant your ACME client write access to DNS via API keys.
  • Depend on your DNS provider’s API and uptime.

To address that, Let’s Encrypt and others are working on DNS-PERSIST-01:

  • You set a static DNS TXT record once.
  • That record can be reused for future validations.
  • No need to constantly mutate DNS on every renewal.

The target is sometime in 2026, and it should make fully automated, low-friction renewals much more accessible—especially for teams that can’t or won’t hand over DNS write permissions to a script.


Automation Isn’t Magic: Where Things Break

Even with ACME + ARI + better challenge types, real-world systems still fail in messy ways:

  • Fragile environments

    • OS upgrades, package changes, or breaking updates to the Python environment can cause Certbot or other ACME clients to silently fail.
  • Security trade-offs

    • To auto-manage DNS, you often store high-privilege API keys on servers.
    • A compromise of that box can lead to DNS takeover and domain hijacking.
  • Complex architectures

    • Hybrid setups with CDN, reverse proxies, internal services, and multiple load balancers make cert distribution and reload logic non-trivial.
    • Writing and maintaining robust deploy scripts is a non-trivial engineering task.
  • Short reuse windows

    • With authorization reuse windows crashing down to 7 hours, any hiccup in DNS / network / API availability can cause a batch of renewals to fail.
    • Now your uptime is partially at the mercy of third-party APIs and network stability.

If you have the time and staffing, you can engineer your way out of these constraints. Many teams don’t.


When “Just Buy a Cert” Starts to Make Sense

If you:

  • Don’t want to maintain fragile ACME pipelines.
  • Don’t want to babysit DNS APIs.
  • Don’t want to wake up in the middle of the night to fix expired certs.

…then paying for longer-lived DV certs can be the saner economic choice.

ServBay Store: Developer-Centric DV Pricing

ServBay, best known as a local dev environment manager, recently launched a store aimed specifically at developers and small teams:

  • Free pool:
    • 1,000 × 1‑year DV SSL certificates, based on a trusted CA root.
    • Each user can claim 1, to secure a production or staging domain for a full year.
  • Low-cost subscriptions:
    • Single-domain DV: $2.99/year
    • Wildcard DV: $39/year

Compare that to the typical $30–$100+ per single-domain and $150–$300+ per wildcard from many traditional providers. For freelancers, small studios, or startups, that price point is a big deal.

You can browse current offerings via the ServBay store.

Why It’s Appealing as a “Plan B”

For many teams, a hybrid strategy makes sense:

  • Use Let’s Encrypt/ACME where:

    • You’ve invested in robust automation.
    • Failure is tolerable (non-critical services, internal tools).
  • Use 1-year DV certs where:

    • Downtime is unacceptable (checkout pages, core APIs, login portals).
    • Complexity is high and automation is fragile.

Instead of treating commercial DV as “overpriced legacy,” ServBay’s pricing effectively turns them into affordable stability insurance.


What You Should Do Now

Even though 2028 feels distant, this isn’t something ops teams can ignore until the last minute. A practical checklist:

  1. Audit current renewal flows

    • How often do certs renew?
    • Are intervals hard-coded (e.g., 60 days)?
    • Where are failures logged and monitored?
  2. Enable ARI if possible

    • Check your ACME client’s docs for ARI support.
    • Let the CA tell you when to renew, not a static cron.
  3. Reduce manual touchpoints

    • If you’re still hand-uploading certs, prioritize automating your highest-value domains first.
  4. Track DNS-PERSIST-01 progress

    • If you rely heavily on DNS-01, this challenge type could simplify your life significantly once supported.
  5. Decide which domains deserve long-lived DV

    • Identify mission-critical endpoints that justify a 1‑year DV cert.
    • Consider using a provider like the ServBay store for cost-effective coverage.

Conclusion

The move to 45-day certificates is part of a broader, irreversible trend toward shorter TLS lifetimes. Security wins—but only if your automation is solid enough not to turn these rules into an uptime nightmare.

For many developers and small/medium teams, the sweet spot will be a hybrid approach:

  • ACME + Let’s Encrypt + ARI where automation is mature.
  • 1‑year DV certs from a developer-friendly provider for high-value or fragile parts of the stack.

If you haven’t looked at your certificate automation in a while, now is the time. The ground is shifting, and the sooner you adapt, the less painful 2027–2028 will be for your ops, your users, and your sleep schedule.

Top comments (1)

Ravavyr

If you have auto-renewals enabled and a cron that checks it daily.... why would this be an issue at all?