💬 This is a comment on

6-day and IP Address Certificates are Generally Available by Matthew McPherrin (via)

Let’s Encrypt has just announced that short-lived¹ certificates are generally available. They can also be used for IP addresses, which is especially useful for DNS over HTTPS. Those certificates could be smaller in the future, if the information used for revocation checks is omitted. However, for now at least, these certificates still include revocation information.

Using Those New Certificates With Caddy

I wanted to give those certificates a try with Caddy. Caddy needs to use the shortlived Let’s Encrypt profile. The profile feature isn’t explicitly mentioned in the docs, but some community posts use a profile directive. This also works in the global configuration:

{
	cert_issuer acme {
		profile shortlived
	}
}

Reloading the Caddy configuration was not enough to prompt an early renewal, so I deleted the underlying certificate files and restarted Caddy:

sudo rm -rf /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/example.com
sudo systemctl restart caddy

And I got a brand new certificate for my domain name, valid only for a few days. It’s marginally smaller² than with the classic profile, mostly because these short-lived certificates also use the new generation hierarchy. But they should be roughly the same size as the tlsserver profile.
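As an added example (not code from the post or from Caddy), here is a stdlib-only Python check that parses the notBefore/notAfter lines that `openssl x509 -noout -dates` prints for the new certificate, confirms the 160-hour lifetime, and flags when a certificate is still being served past the point where renewal should have started. The SAMPLE_DATES input is constructed, and the one-third renewal window is an assumed threshold, not a value taken from the post.

```python
"""Sanity-check a short-lived certificate's validity window.

Feed it the text printed by `openssl x509 -noout -dates -in cert.pem`
(or by `openssl s_client ... | openssl x509 -noout -dates`).
"""
from datetime import datetime, timedelta, timezone

SHORTLIVED_HOURS = 160        # lifetime of the Let's Encrypt shortlived profile
# Assumption: the server's ACME client renews once about a third of the
# lifetime remains; if less than that is left, renewal is considered overdue.
RENEWAL_WINDOW_RATIO = 1 / 3

# Constructed sample: exactly 160 hours between the two timestamps.
SAMPLE_DATES = """\
notBefore=Mar 10 12:00:00 2025 GMT
notAfter=Mar 17 04:00:00 2025 GMT
"""


def parse_openssl_dates(text: str) -> tuple[datetime, datetime]:
    """Turn the notBefore=/notAfter= lines into timezone-aware UTC datetimes."""
    fields = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition("=")
        stamp = value.strip().removesuffix(" GMT")       # openssl always prints GMT
        fields[key.strip()] = datetime.strptime(stamp, "%b %d %H:%M:%S %Y").replace(
            tzinfo=timezone.utc)
    return fields["notBefore"], fields["notAfter"]


def assess(not_before: datetime, not_after: datetime, now: datetime) -> dict:
    """Lifetime, remaining time and whether renewal should already have happened."""
    lifetime = not_after - not_before
    remaining = not_after - now
    return {
        "lifetime_hours": lifetime.total_seconds() / 3600,
        "remaining_hours": remaining.total_seconds() / 3600,
        "is_shortlived": abs(lifetime.total_seconds() / 3600 - SHORTLIVED_HOURS) < 1,
        "expired": remaining <= timedelta(0),
        "renewal_overdue": remaining < lifetime * RENEWAL_WINDOW_RATIO,
    }


def check(dates_text: str, now_iso: str) -> dict:
    """Convenience wrapper: `now_iso` is an ISO 8601 timestamp such as 2025-03-12T12:00:00+00:00."""
    not_before, not_after = parse_openssl_dates(dates_text)
    return assess(not_before, not_after, datetime.fromisoformat(now_iso))


if __name__ == "__main__":
    print(check(SAMPLE_DATES, "2025-03-16T00:00:00+00:00"))
```

Run it from a cron job or monitoring probe against the live endpoint and alert on `renewal_overdue`: with a 160-hour lifetime, a stalled renewal turns into an outage within days rather than months.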

ℹ️ Note

Certificates against IPv6 addresses (i.e. not against a domain using IPv6) seem to require an unreleased version of Caddy.

Conclusion

With Caddy, certificate renewal should be automated enough that short-lived certificates don’t cause any problems. But I’ll see with this experiment if there are any surprising pain points.

My understanding is that browsers only cache TLS sessions, not certificates: when a full handshake is performed, the full certificate chain is sent anyway³. So even if the certificate expires more frequently, it is not sent more often. The slightly smaller certificate chain is thus a small net benefit.


  1. The certificates are valid for about 6 days, precisely 160 hours. 160 is the sum of the first eleven prime numbers (2+3+5+7+11+13+17+19+23+29+31) and also the sum of the cubes of the first three (2³+3³+5³). How cool is that! ↩︎

  2. Comparing the .pem files as a proxy: 1.2k vs 1.3k for the bare certificate, 4.0k vs 4.8k for the whole chain. ↩︎

  3. According to this StackOverflow answer and this Cloudflare explanation. ↩︎