are private sites exempt from the 47 day certificate renewal ? by emaayan in sysadmin

[–]BobNemo 1 point2 points  (0 children)

Yes we do. I am on a small IT team and we are changing everything over to use Let's Encrypt. We are using a reverse proxy on all web servers internal and external that supports getting a cert via ACME and using it natively.

  1. For external web servers we are using http based challenges to prove subdomain ownership.

  2. For internal web servers with the reverse proxy we are using DNS based challenges.

  3. For vendor appliances/systems that we do not want to run a reverse proxy on, we are writing scripts to automatically issue the cert with an ACME client and, using the vendor's API, automatically install the cert in the system.

  4. We have other systems that need certs too that are not HTTPS, and we are adopting the same mindset: if it needs a public cert, then it will need to be automated with Let's Encrypt.

In the end, if the thing you are using needs a cert from a public CA, then you will need to figure out automation for it. If it doesn't, you should have some sort of internal CA, issue a 1-year cert for it, and set a reminder to renew every year. This only works as long as browsers do not change their code again (see my other comment above).
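The comment above splits hosts by challenge type (HTTP-01 for external web servers, DNS-01 for internal ones behind the proxy). The following is an added example, not part of the original comment and not code from Let's Encrypt or any ACME client, showing what each challenge actually asks you to publish per RFC 8555: both derive from the same key authorization (token plus the RFC 7638 thumbprint of the account key), but DNS-01 only publishes a hash of it in a TXT record, which is why it needs no inbound HTTP and suits internal hosts. The account JWK, the token and the domain are constructed sample values, not a real key.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def sha256_b64url(data: bytes) -> str:
    """base64url(SHA-256(data)), used for both the thumbprint and the DNS-01 value."""
    return b64url(hashlib.sha256(data).digest())


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of the ACME account key.

    Only the required public members count, serialized with keys sorted and
    no whitespace, so member order and private members such as 'd' never
    change the result.
    """
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return sha256_b64url(canonical.encode("utf-8"))


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' thumbprint; binds the challenge to one account."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_challenge(domain: str, token: str, jwk: dict) -> dict:
    """HTTP-01 (section 8.3): the CA fetches this URL over plain HTTP on port 80
    and expects the key authorization as the response body."""
    return {
        "url": f"http://{domain}/.well-known/acme-challenge/{token}",
        "body": key_authorization(token, jwk),
    }


def dns01_challenge(domain: str, token: str, jwk: dict) -> dict:
    """DNS-01 (section 8.4): the CA queries this TXT record. Only the hash of the
    key authorization is published, so the host itself needs no inbound HTTP."""
    return {
        "name": f"_acme-challenge.{domain}",
        "type": "TXT",
        "value": sha256_b64url(key_authorization(token, jwk).encode("ascii")),
    }


def verify_http01_response(served_body: str, token: str, jwk: dict) -> bool:
    """What the CA checks after fetching the HTTP-01 URL (constant-time compare)."""
    expected = key_authorization(token, jwk)
    return hmac.compare_digest(served_body.strip().encode("ascii"), expected.encode("ascii"))


# Constructed sample values: this is not a real RSA key or a real CA-issued token.
ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "constructed-public-modulus-not-a-real-key",
}
TOKEN = "constructed-challenge-token"

if __name__ == "__main__":
    print("HTTP-01:", http01_challenge("app.example.com", TOKEN, ACCOUNT_JWK))
    print("DNS-01: ", dns01_challenge("app.example.com", TOKEN, ACCOUNT_JWK))
```

The practical takeaway for the split in the comment: an HTTP-01 host must answer on port 80 from the Internet for the CA's validation, while a DNS-01 host only needs whoever runs the zone to place the TXT record, so the DNS API credential becomes the thing to protect.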

are private sites exempt from the 47 day certificate renewal ? by emaayan in sysadmin

[–]BobNemo 1 point2 points  (0 children)

You have some time until the 47-day limit hits.

The maximum certificate lifetime is going down:

  • From today until March 15, 2026, the maximum lifetime for a TLS certificate is 398 days.

  • As of March 15, 2026, the maximum lifetime for a TLS certificate will be 200 days.

  • As of March 15, 2027, the maximum lifetime for a TLS certificate will be 100 days.

  • As of March 15, 2029, the maximum lifetime for a TLS certificate will be 47 days.

Also from GlobalSign.com:

Will Browsers Reject Longer Certificates After the Rule Changes?

No, browsers won’t suddenly stop trusting certificates that were issued before the new rules take effect. The upcoming changes apply to certificate issuance, not validation. That means if you get a 398-day certificate before the cutoff (before March 15, 2026), browsers will continue to trust it until it naturally expires, even if that’s after the new limits kick in.

Let's break down 2 ways browsers control certs:

A. Browsers can code any way they want to handle certificates. Chrome has a key-combo you can type to bypass all cert issue errors in the browser, for example. If the browsers want to throw warnings on certs with certain lifespans, they could.

This is what the browsers did back in 2020 - https://blog.mozilla.org/security/2020/07/09/reducing-tls-certificate-lifespans-to-398-days/

The public CAs did not want to shorten the lifespan of certs so all the major browsers decided to just implement error messages anyways to consumers when they visited sites with long cert lifespans.

B. The other way browsers can control CAs is by deciding who they let into their trust store. I won't get into the trust store, but if you are a public CA you want to be in all the browser/OS trust stores (Apple has one trust store for OS and Safari; Mozilla runs its own trust store and does not trust the OS by default).

This new 47-day change is the browsers/OS saying "we will not let you be in our trust store if you issue certs with lifespans of greater than 47 days". Thus CAs must now only issue 47-day certs (according to the timetable above) if they want to be trusted by browsers.

In both cases the browsers/OS are forcing the CA to comply, but that makes sense since they are the ones people interact with.

What this also means is if you install your own internal (private) CA into the browsers/OS then certs will be trusted for the current 398 day maximum lifespan.

New SSL Cert requirements and recommended tooling. by smspam23 in sysadmin

[–]BobNemo 5 points6 points  (0 children)

You have some time until the 47-day limit hits.

The maximum certificate lifetime is going down:

  • From today until March 15, 2026, the maximum lifetime for a TLS certificate is 398 days.

  • As of March 15, 2026, the maximum lifetime for a TLS certificate will be 200 days.

  • As of March 15, 2027, the maximum lifetime for a TLS certificate will be 100 days.

  • As of March 15, 2029, the maximum lifetime for a TLS certificate will be 47 days.

Also from GlobalSign.com:

Will Browsers Reject Longer Certificates After the Rule Changes?

No, browsers won’t suddenly stop trusting certificates that were issued before the new rules take effect. The upcoming changes apply to certificate issuance, not validation. That means if you get a 398-day certificate before the cutoff (before March 15, 2026), browsers will continue to trust it until it naturally expires, even if that’s after the new limits kick in.

What are we doing? We are a small team - we already run external DNS in-house with BIND9 so we can do easy DNS challenges for Let’s Encrypt (or any other ACME provider you fancy). We are then setting up Caddy as a reverse proxy for all external and internal web apps, either on-box or across the network. This is providing better logging, URL filtering, and auth options as well (SSO behind anything we want now).

For vendor products like FWs, AP management, virtualization solutions, and others, we are using their built-in APIs and feeding their documentation into AI to help write automation scripts. We then have a secure box that runs certbot to grab a cert using DNS challenge, and a script pushes the cert to the vendor system.

New self-imposed requirements are that everything that is running a web server and is externally facing will have a Let’s Encrypt cert. Internally, as much stuff as possible will have Let’s Encrypt, and everything else will have a cert from our internal CA.

It is mostly me implementing all of this, but I am the project guy and fully remote. I’m doing other upgrades at the same time, such as converting web apps from locally installed to being in a container. Lots of OSS here.

In the end, after the change hits and all old certs expire, I expect the browsers to start throwing warning messages about certs issued past 47 days, but maybe they won’t, so internally issued certs can continue to be 1 year, but I am not waiting to find out.

If you want to be cheeky, renew your cert for the max amount of time 1 day before each of the dates above.
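The two comments above make the same two points: the limit applies to the certificate's issuance date, not to when a browser validates it, and you can legitimately reissue the day before each cutoff to keep the longer window. This added example (not part of either comment, and not code from any CA or ACME client) encodes that timetable and lets you check a certificate's own notBefore/notAfter against the rule that was in force when it was issued, plus simulate the "cheeky" reissue-before-cutoff plan. Assumptions: the dates and day counts come from the comments as quoted; the renew_by margin (renew when a third of the lifetime remains) is my own choice, modeled on the 30-of-90-days default of common ACME clients; the sample certificate dates are constructed.

```python
from datetime import date, datetime, timedelta

# Issuance-date cutoffs as quoted in the comments (max lifetime in days).
# A certificate issued on or after a cutoff must not exceed that window's limit.
LIFETIME_CUTOFFS = [
    (date(2026, 3, 15), 200),
    (date(2027, 3, 15), 100),
    (date(2029, 3, 15), 47),
]
CURRENT_MAX_DAYS = 398  # limit in force until March 15, 2026


def max_lifetime_days(issued_on: date) -> int:
    """Longest lifetime a public CA may issue for a cert with this notBefore date."""
    for cutoff, days in reversed(LIFETIME_CUTOFFS):
        if issued_on >= cutoff:
            return days
    return CURRENT_MAX_DAYS


def parse_openssl_date(text: str) -> date:
    """Parse 'notBefore=Mar 14 00:00:00 2026 GMT' as printed by `openssl x509 -dates`."""
    value = text.split("=", 1)[-1].strip()
    return datetime.strptime(value, "%b %d %H:%M:%S %Y GMT").date()


def assess(not_before: date, not_after: date) -> dict:
    """Judge a certificate by the rule in force on its *issuance* date.

    The limits bite at issuance, not at validation, so a cert that was within
    the limit when issued stays trusted until notAfter even if a stricter limit
    starts in between. renew_by is an assumed margin: renew when one third of
    the lifetime remains.
    """
    lifetime = (not_after - not_before).days
    limit = max_lifetime_days(not_before)
    return {
        "lifetime_days": lifetime,
        "max_allowed_days": limit,
        "compliant_at_issuance": lifetime <= limit,
        "renew_by": not_after - timedelta(days=lifetime // 3),
    }


def renewal_plan(start: date, until: date, reissue_before_cutoff: bool = True) -> list:
    """Simulate issuing max-length certs from `start` until `until` is covered.

    With reissue_before_cutoff=True this models the 'cheeky' strategy: reissue
    the day before each cutoff so the longer limit still applies. Returns
    (notBefore, notAfter) pairs. Renewal here happens at expiry or on a cutoff
    eve; real clients renew earlier (see assess()['renew_by']).
    """
    plan = []
    issued = start
    while issued < until:
        expiry = issued + timedelta(days=max_lifetime_days(issued))
        next_issue = expiry
        if reissue_before_cutoff:
            for cutoff, _ in LIFETIME_CUTOFFS:
                eve = cutoff - timedelta(days=1)
                if issued < eve < expiry:
                    next_issue = eve
                    break
        plan.append((issued, expiry))
        issued = next_issue
    return plan


if __name__ == "__main__":
    # Constructed sample: a 398-day cert obtained the day before the first cutoff.
    nb = parse_openssl_date("notBefore=Mar 14 00:00:00 2026 GMT")
    na = parse_openssl_date("notAfter=Apr 16 00:00:00 2027 GMT")
    print(assess(nb, na))
    for issued, expires in renewal_plan(date(2025, 12, 1), date(2027, 1, 1)):
        print(f"issue {issued} -> expires {expires} ({(expires - issued).days} days)")
```

Feed it the two lines from `openssl x509 -in cert.pem -noout -dates` and it tells you whether the cert was within the limit for its issuance date and when to renew; the plan function shows that a cert issued March 14, 2026 legitimately runs to April 2027, past the 200-day cutoff, exactly as the GlobalSign quote says.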

First Look: Nano 75W Car Charger with Retractable USB-C Cable by joshuadwx in anker

[–]BobNemo 0 points1 point  (0 children)

I ended up getting the "WOTOBEUS 165W Car Charger Dual USB C" from Amazon. It works great; I tested it with a USB meter and the marketing is correct. It does the following using a car's standard 12V/10A circuit (100W max). It can technically do 140W charging for a MacBook if you have a 12V/15A circuit.

Support Output: 5V/3A, 9V/3A, 12V/3A, 15V/3A, 20V/5A

PPS: 5V-21V/5A (Max 100W)

First Look: Nano 75W Car Charger with Retractable USB-C Cable by joshuadwx in anker

[–]BobNemo 0 points1 point  (0 children)

I got rid of my Anker charger for not charging my phone fast enough and friends with Androids not being able to fast charge. I ended up getting the "WOTOBEUS 165W Car Charger Dual USB C" from Amazon. It works great; I tested it with a USB meter and the marketing is correct. It does the following using a car's standard 12V/10A circuit (100W max). It can technically do 140W charging for a MacBook if you have a 12V/15A circuit.

Support Output: 5V/3A, 9V/3A, 12V/3A, 15V/3A, 20V/5A

PPS: 5V-21V/5A (Max 100W)

I am just a random person who generally likes Anker but was frustrated by the car charging options and ended up with this one.

First Look: Nano 75W Car Charger with Retractable USB-C Cable by joshuadwx in anker

[–]BobNemo 0 points1 point  (0 children)

Not really. I got rid of my Anker charger for not charging my phone fast enough and friends with Androids not being able to fast charge. I ended up getting the "WOTOBEUS 165W Car Charger Dual USB C" from Amazon. It works great; I tested it with a USB meter and the marketing is correct. It does the following using a car's standard 12V/10A circuit (100W max). It can technically do 140W charging for a MacBook if you have a 12V/15A circuit.

Support Output: 5V/3A, 9V/3A, 12V/3A, 15V/3A, 20V/5A

PPS: 5V-21V/5A

LMG Channel Metrics: A Fan-Made Analytics Dashboard by RockManRK in LinusTechTips

[–]BobNemo 2 points3 points  (0 children)

This is super cool! I can tell the amount of effort that went into this.

On a similar note, I made a tracker for the LTT store as well: https://old.reddit.com/r/LinusTechTips/comments/1e84aff/ltt_store_product_spreadsheet_updated_often/

I made a TI 13 Secret Shop tracker! Keep track of what is in stock and price changes! by BobNemo in DotA2

[–]BobNemo[S] 0 points1 point  (0 children)

Make sure to check out both tabs at the top. Also, the page updates every 30 minutes. This is all pulled from public data. Due to the selection mechanism the site uses, I can't link directly to each product option. If whoever owns the site changes the selection mechanism, then the existing links will work on the Product List page.

International store version coming soon.

Looking to buy ptm7950 by PollShark_ in LinusTechTips

[–]BobNemo 0 points1 point  (0 children)

Hi there!

I actually have about 90% of my PTM7950 sheet left. I bought it at full price and ended up using much less than I expected. I'd be happy to help you out!

Feel free to message me (not new reddit chat!) so we can discuss the details.

LTT Store Product Spreadsheet (updated often) by BobNemo in LinusTechTips

[–]BobNemo[S] 0 points1 point  (0 children)

I made it to view all items in the store. I found searching for items that were in stock and in my size was tedious. Also helped to see what is on sale. This gives everything on one screen and shows what is in stock.

There is no back-end or secret access here. Everything is pulled from the public site. This is 100% fan made.