Update SSL Cert Expiration Warning #8227
Open
Closes #8196
Over the coming years, the Browser CA Baseline Requirements require shorter and shorter certificate validity periods. See: https://cabforum.org/working-groups/server/baseline-requirements/requirements/ s.6.3.2.
As such, expiration warnings should not be static in length. Instead they should adapt based on a certificate's overall validity. Let's Encrypt has published guidance on this issue: https://letsencrypt.org/docs/integration-guide/#when-to-renew
This PR changes the certificate expiration warning to a "due for renewal" warning and implements logic that applies Let's Encrypt's guidance, i.e.:
- For short-lived certificates (< 10 days of validity) the warning is issued after 50% of the validity has lapsed.
- For all other certificates (>= 10 days of validity) the warning is issued after 66.6% of the validity has lapsed.
TODO: Translations needed to be updated.
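
The threshold rule described above, sketched in Python as an added example; it is not the code from this PR. The function names, the status strings and the reading of 66.6% as two thirds of the validity period are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Boundary from the PR description: under 10 days of validity is "short-lived".
SHORT_LIVED_LIMIT = timedelta(days=10)


def renewal_due_at(not_before: datetime, not_after: datetime) -> datetime:
    """Return the instant at which a certificate becomes due for renewal."""
    lifetime = not_after - not_before
    if lifetime <= timedelta(0):
        raise ValueError("notAfter must be later than notBefore")
    if lifetime < SHORT_LIVED_LIMIT:
        return not_before + lifetime / 2   # 50% of validity lapsed
    return not_before + lifetime * 2 / 3   # 66.6% read as two thirds (assumption)


def cert_status(not_before: datetime, not_after: datetime, now: datetime) -> str:
    """Classify a certificate; expiry and not-yet-valid are checked first."""
    if now >= not_after:
        return "expired"
    if now < not_before:
        return "not-yet-valid"
    if now >= renewal_due_at(not_before, not_after):
        return "due-for-renewal"
    return "ok"


if __name__ == "__main__":
    # Constructed sample certificates, not taken from any real deployment.
    issued = datetime(2025, 1, 1, tzinfo=timezone.utc)
    for days in (6, 10, 47, 90):
        expires = issued + timedelta(days=days)
        due = renewal_due_at(issued, expires)
        print(f"{days:>3}-day cert: warn from {due.isoformat()}")
```

A static warning window such as "30 days before expiry" would flag a 6-day or 10-day certificate as expiring for its whole lifetime, while the proportional rule only flags it once the renewal point has passed.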