Delay deployment of certificates to mitigate client’s clock issues #8456
Labels
area: cert management
area: install
feature request
needs-update
priority: unplanned
Work that we believe should be done, but does not have a higher priority.
According to this study, there is a non-negligible number of clients who have certificate errors because of their misconfigured clock. The study gives the numbers of 6.7% of clients whose clock is more than 24h late and 0.05% whose clock is more than 24h ahead (see part 7.1 of the study and figure 4).
If I’m not mistaken, the notBefore attribute of Let’s Encrypt certificates is one hour before the current hour, probably to mitigate clock issues. Instead of proposing a change of the notBefore attributes of LE certificates (this is perhaps imposed by CA/Browser Forum or other security rules), this feature request proposes to improve the quality of the renewal process of certificates issued by certbot by delaying the deployment of renewed certificates to mitigate many more clock issues.
Currently the newly-renewed certificate is deployed immediately. With this new scenario the newly-renewed certificate would be delayed a few days (e.g. 5 days) before being deployed and becoming active, obviously if the previous certificate is still valid during this delay (and a bit more to take into account clients whose clock is ahead).
The delay should be configurable and should be zero by default to keep the current scenario and to force sysadmins to consciously activate this delay, given that it might not be expected.
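The scheduling rule this request describes, as an added example (not part of the original issue and not certbot code): the renewed certificate goes live after the configured delay, but never later than a safety margin before the old certificate expires. The function names, the `ahead_margin` parameter and the sample dates are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

ZERO = timedelta(0)


def deployment_time(issued_at, old_not_after, delay=ZERO,
                    ahead_margin=timedelta(days=1)):
    """Return when the renewed certificate should become active.

    delay        -- hypothetical setting; zero keeps today's behaviour
                    (deploy as soon as the certificate is issued).
    ahead_margin -- hypothetical setting; switch this long before the old
                    certificate expires, for clients whose clock is ahead.
    """
    if delay < ZERO or ahead_margin < ZERO:
        raise ValueError("delay and ahead_margin must be non-negative")
    latest_safe = old_not_after - ahead_margin
    # Wait for the delay, but never past the last safe moment for the old
    # certificate, and never before the new certificate exists.
    return max(issued_at, min(issued_at + delay, latest_safe))


def tolerated_clock_lag(deploy_at, new_not_before):
    """How far behind a client clock can be and still see the new
    certificate as already valid at the moment it is deployed."""
    return deploy_at - new_not_before


def should_deploy(now, issued_at, old_not_after, delay=ZERO,
                  ahead_margin=timedelta(days=1)):
    """Check a renewal hook could run periodically until it returns True."""
    return now >= deployment_time(issued_at, old_not_after, delay, ahead_margin)


if __name__ == "__main__":
    # Constructed sample: renewal 30 days before expiry, notBefore backdated 1h.
    issued = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)
    not_before = issued - timedelta(hours=1)
    old_expiry = issued + timedelta(days=30)
    for d in (ZERO, timedelta(days=5)):
        at = deployment_time(issued, old_expiry, delay=d)
        print(d, "->", at.isoformat(), "lag tolerated:",
              tolerated_clock_lag(at, not_before))
```
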