Do the 90-day hostname certs offer any advantage over the 1-year hostname certificates?

[horizon2021]

I miss the 1-year cpanel/whm hostname certs.

All of a sudden this month I now have two servers which are having trouble fetching their free cpanel/whm hostname certificates. One has the issue where three days in a row it fails getting it from the setigo store and the other has the issue for a few weeks now where it says it will fetch it 3 days before expiration which is cutting it close for my comfort. (and has triggered a warning email every day that the hostname cert will expire in less than 30 days.)

I never had trouble with this before since cpanel started issuing the free hostname certificates some years ago.

I also notice now that the duration has now been reduced from 1-year down to 90 days.

Does this reduction in ssl cert duration offer us any practical security advantage?

 

[kodeslogic]

Yes, sectigo has cut down the validity of the hostname SSL to 90 days.

 

[horizon2021]

Yea, bummer I guess. I wonder if there is any practical advantage?

It seems to have overstrained the infrastructure at the moment, and the frequency sure compounds any errors.

Before with 3 cpanel/whm servers, that was 3 possible problems a year if something didn't happen correctly with the renewals. Now with the cut down validity, that's 12 possible problems a year. Which based on the last week of issues, is kind of annoying.

I don't know, but if we get to ssl certs that have to be renewed more and more frequently, at some point this will become a nightmare of trying to make sure it works before something expires. Hopefully the sectigo issues are resolved soon, but boy, I miss the 1-year hostname certificates that worked without issue and without so many chances for an issue.

I wonder what the real-world issue was with the 1-year certificate that was solved with this additional work to more frequently renew?

 

[cPRex]

I think the explanation is "servers change a lot, so why keep it valid for a year" - as to the "why" behind that, I can't say for certain since that was a Sectigo decision.

 

[horizon2021]

I guess one fear is that previously a cert could outlive the domain registration so if someone has a cert for hosting1.cpanel-super-host.com and then cpanel-super-host.com goes out of business and someone else registers the domain and creates a new cert, someone might have the cert still for the old hosting1.cpanel-super-host.com and could use that for a man in the middle attack. This feels pretty unlikely to me though to cause so much inconvenience.

On the flip side, I've been accustomed to using SSL certificates as a second factor to be sure I'm connecting to the correct server and nothing fishy is going on like a dns hijack, etc. So if I get an alert in my client software that the cert is not recognized because it has changed, I manually investigate each time before connecting. So if the cert was not known by my client software, I'd manually check that the cert's fingerprint matched what it should be. Before that would happen 1 time per year per server when we had the 1-year certs. Now it will be happening every 3 months or less per server, which is almost constantly it feels like.

Also I liked in the past when an email was sent when the server hostname certificate renewed so I knew if it changed, that it was intentional by the cpanel updater. Now it looks like no such email is sent by whm so it's just going to be a surprise when the hostname cert is updated, unless it errors.

 

[ffeingol]

I think the explanation is "servers change a lot, so why keep it valid for a year"

Pretty much the opposite of what I think every host wants. Set up a server and use it (as much as possible) until it dies or the OS goes EOL.

 

[cPRex]

I'm not saying agree with the 90-day plan, but I believe it's more about reputation than actual length of quality of service.

Let's say I'm a company and I issue an SSL for one year. That server or hostname expires, or gets moved, or *something* changes. Then my security company's name is attached to a certificate or domain that may not be working properly. Let's only validate that for 90 days and check in more often to ensure that doesn't happen as much and that the security itself actually means something.

That's the best explanation I've been given.

 

[ffeingol]

Not a lot of votes, but now that Sectigo host certs are only good for 90 days, makes sense to be able to use Let's Encrypt certs Letsencrypt autorenew support for root / server hostname

 

[horizon2021]

I guess if there continues to be Sectigo renewal issues like this past month, I can always (for now) purchase a 1-year certificate for each hostname and install it manually like in the old days.

Let's only validate that for 90 days and check in more often to ensure that doesn't happen as much and that the security itself actually means something.

I could see that from the cert store's perspective, since they make $0 from these free certs too.

In terms of an ssl certificate meaning something, as the duration gets shorter and shorter, I find myself wondering what exactly do they mean? In the past, I relied on the cert being unchanged to tell a mail client for example that it was not being tricked into connecting to the wrong server somehow... it was a manual process where if the certificate remained the same, all was good, and if it changed without notice, check ssl cert fingerprint to make sure all is good before sending mail login credentials.

Now that the cert will change so frequently, I don't think I can use a cert like this to identify that it's "the same server". So I guess I rely more heavily on sectigo being "untrickable".

Before the burden was on me to verify any change; now I have to rely 100% on sectigo - if sectigo issues the short term validity cert, trust it.