I’ve seen several people complain about the upcoming 47-day maximum lifetime for publicly trusted TLS certificates. The concern is that such a short lifetime will turn certificate renewal into a constant hassle.

I believe this perspective comes from those who are accustomed to older practices. If you aren’t already using ACME, now is the time to adopt it. Let’s Encrypt is already issuing six-day certificates, so very short lifetimes are clearly workable in practice, and they shrink the window in which a stolen private key is useful while reducing the reliance on revocation, which clients check inconsistently. Many vendors, including Proxmox, have built-in ACME support. With the DNS-01 challenge, the client proves control of the name by creating a TXT record through the API of a DNS provider such as Cloudflare or Amazon Route 53, so the host obtains its certificate without exposing anything directly to the internet.

For systems lacking ACME support, run a client such as acme.sh or lego on another host to obtain the certificate, then copy the key and chain to the device with scp (or any other file-copy mechanism) and trigger whatever reload the device needs; most clients can run that deployment step for you as a hook after each renewal. Keep in mind that the host holding the DNS API credentials and the private keys becomes a sensitive target, so scope the DNS token to the zone or records it needs. Alternatively, terminate TLS at a reverse proxy such as Caddy, Nginx, or HAProxy so that certificates only have to be deployed to the proxy rather than to every device behind it.
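Here is an added example (my own script, not from any vendor or project named above) tying the two preceding paragraphs together: it uses acme.sh with the DNS-01 challenge against Cloudflare to issue a certificate, pushes the result to a device that has no ACME client over scp, and applies a renewal policy suited to short-lived certificates (renew once a third of the lifetime remains, which is Let’s Encrypt’s guidance of renewing at about two thirds of the lifetime). The domain, device address, remote paths, reload command and the `CF_Token` environment variable are placeholders; the `CF_Token` name is the variable acme.sh’s `dns_cf` plugin reads, and it should hold a token scoped to DNS edits on that one zone.

```shell
#!/bin/sh
# Added example: issue a certificate with acme.sh over DNS-01 and deploy it to a
# device that cannot run ACME itself. DOMAIN, DEVICE, REMOTE_DIR and RELOAD_CMD
# are assumed placeholders; adjust them for your environment.
set -eu

DOMAIN="${DOMAIN:-switch01.example.internal}"          # assumed name
DEVICE="${DEVICE:-admin@switch01.example.internal}"    # assumed ssh target
REMOTE_DIR="${REMOTE_DIR:-/etc/ssl/private}"           # assumed path on device
RELOAD_CMD="${RELOAD_CMD:-systemctl reload nginx}"     # assumed reload command
WORK_DIR="${WORK_DIR:-${HOME:-.}/certs/$DOMAIN}"

# Renewal policy for short-lived certificates: renew once a third of the
# lifetime is left. Arguments are epoch seconds: notBefore, notAfter, now.
# Exit status 0 means "renew now".
needs_renewal() {
    nb=$1; na=$2; now=$3
    lifetime=$((na - nb))
    remaining=$((na - now))
    [ "$remaining" -le $((lifetime / 3)) ]
}

# Print "notBefore notAfter" of a PEM certificate as epoch seconds.
# Requires openssl and GNU date (for "date -d").
cert_window() {
    nb=$(openssl x509 -in "$1" -noout -startdate | sed 's/^notBefore=//')
    na=$(openssl x509 -in "$1" -noout -enddate   | sed 's/^notAfter=//')
    echo "$(date -d "$nb" +%s) $(date -d "$na" +%s)"
}

# Issue via DNS-01: acme.sh creates the _acme-challenge TXT record through the
# Cloudflare API, so nothing on this host needs to be reachable from the
# internet. --install-cert copies the files to WORK_DIR and registers this
# script's "deploy" action as the command acme.sh runs after every renewal.
issue_cert() {
    : "${CF_Token:?set CF_Token to a zone-scoped Cloudflare API token}"
    export CF_Token
    mkdir -p "$WORK_DIR"
    acme.sh --issue --dns dns_cf -d "$DOMAIN" --keylength ec-256
    acme.sh --install-cert -d "$DOMAIN" --ecc \
        --key-file       "$WORK_DIR/privkey.pem" \
        --fullchain-file "$WORK_DIR/fullchain.pem" \
        --reloadcmd      "$0 deploy"
}

# Push key and chain to the device with scp, lock down the key, then reload.
deploy_cert() {
    scp "$WORK_DIR/privkey.pem" "$WORK_DIR/fullchain.pem" "$DEVICE:$REMOTE_DIR/"
    ssh "$DEVICE" "chmod 600 $REMOTE_DIR/privkey.pem && $RELOAD_CMD"
}

# Inspect the locally installed certificate and renew only when the policy says so.
check_and_renew() {
    set -- $(cert_window "$WORK_DIR/fullchain.pem")
    if needs_renewal "$1" "$2" "$(date +%s)"; then
        acme.sh --renew -d "$DOMAIN" --ecc --force
    fi
}

case "${1:-}" in
    issue)  issue_cert ;;
    deploy) deploy_cert ;;
    check)  check_and_renew ;;
esac
```

Run it once with `issue` from a machine that holds the DNS token, then schedule `check` from cron; acme.sh’s own cron job also handles renewal on its default interval, and newer clients can take the renewal window from the CA’s ACME Renewal Information extension instead of a fixed fraction. acme.sh additionally ships deploy hooks (including an ssh hook) that can replace the hand-written `deploy_cert` if you prefer not to maintain the scp step yourself.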