@abucci@anthony.buc.ci Whether warning before or after the date is somewhat immaterial, except it slides the sysadmin window even narrower, for no good reason. Google’s already aggressively forced everyone to a 12 month deadline. Not everything supports Let’s Encrypt. And so every year we have a window where I have to rush around and update all the certs before the expiration date, but if I start the process too soon, then I am doing it every eleven months, because of that absolute 12 month cap.

And again, there’s nothing inherently less secure about a 13 month old cert than a 12 month old cert. About 99% of certificate behavior is security theater and Google flexing its ability to force everyone to do what it says.
