Hacker News | flowerlad's comments

This takes the American Oligarchy to the next level. Trump is now enabling his billionaire friends to plunder another country; no doubt Trump will get a cut of the profits.

We need a way to set multiple SSL certificates with overlapping duration. So if one certificate expires the backup certificate will become active. If the overlap is a couple of months then you have plenty of time to detect and fix the issue.

Having only one SSL certificate is a single point of failure; we have eliminated single points of failure almost everywhere else.


You can do this pretty easily with Let’s Encrypt, to my knowledge. You can request reissuance every 30 days, for example, which would give you a ladder of three 90-day certificates.

Edit: but to be clear, I don’t understand why you’d want this. If you’re worried about your CA going offline, you should shorten your renewal period instead.


Do services such as K8S ingress and Azure web apps allow you to specify multiple certificates?

Update: looks like the answer is yes. So then the issue is people not taking advantage of this technique.


I don’t think there’s a ton of benefit to the technique. If you’re worried about getting too close to your certificate expiry via automation, the solution is to renew earlier rather than complicate things with a ladder of valid certs.

There are reasons to do this, just not because of expiry.

The main reason to have multiple certs is so if your host (and cert prov key) is compromised, you can quickly switch to a backup, without first having to sort out getting a new cert issued.


If getting a new cert issued is some sort of thing you need to sort out, as in a process that takes time, you've already missed the target.

If you want a backup system, it's best if it's self-contained. When your site is down, it's easier to just run a single command to copy over a single file in your control instead of depending on an external service.

Exactly. It's not like backup certificates have validity starting at a future date.

Yes, the backup certificate can have validity starting at a future date. You just need to wait till that future date to create it.

> We need a way to set multiple SSL certificates with overlapping duration.

Both Apache (SSLCertificateFile) and nginx (ssl_certificate) allow for multiple files, though they cannot be of the same algorithm: you can have one RSA, one ECC, etc, but not (say) an ECC and another ECC. (This may be a limitation of OpenSSL.)

So if the RSA expires on Feb 1, you can have the ECC expire on Feb 14 or Mar 1.
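
The two setups discussed in this thread (an RSA/ECC pair with staggered expiry, and a 30-day ladder of 90-day certificates) can be compared with a short script. This is an added example, not code from any commenter; the `Cert` class, the helper names, and all dates are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Cert:
    label: str
    key_type: str          # "RSA" or "ECDSA"
    not_before: datetime
    not_after: datetime

def valid_at(certs, when):
    """Certificates whose validity window contains `when`, soonest expiry first."""
    return sorted((c for c in certs if c.not_before <= when <= c.not_after),
                  key=lambda c: c.not_after)

def grace_period(certs, when):
    """Time a backup keeps serving after the first valid cert expires."""
    live = valid_at(certs, when)
    return live[-1].not_after - live[0].not_after if len(live) > 1 else timedelta(0)

def same_type_clashes(certs, when):
    """Key types held by more than one valid cert; per the comment above,
    a server loads only one certificate per algorithm."""
    counts = Counter(c.key_type for c in valid_at(certs, when))
    return sorted(t for t, n in counts.items() if n > 1)

def ladder(start, count, key_type="ECDSA", step_days=30, lifetime_days=90):
    """Constructed ladder: one cert every `step_days`, each valid `lifetime_days`."""
    return [Cert(f"ladder-{i}", key_type, start + timedelta(days=i * step_days),
                 start + timedelta(days=i * step_days + lifetime_days))
            for i in range(count)]

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample data (dates are illustrative, not taken from the thread).
DUAL = [Cert("rsa", "RSA", utc(2024, 11, 15), utc(2025, 2, 1)),
        Cert("ecc", "ECDSA", utc(2024, 11, 15), utc(2025, 3, 1))]
LADDER = ladder(utc(2025, 1, 1), 3)

if __name__ == "__main__":
    for name, certs, when in (("dual", DUAL, utc(2025, 1, 20)),
                              ("ladder", LADDER, utc(2025, 3, 10))):
        print(name, [c.label for c in valid_at(certs, when)],
              grace_period(certs, when), same_type_clashes(certs, when))
```

The ladder gives a longer grace period, but all three certificates share one key type, so under the one-certificate-per-algorithm limit described above they cannot be served side by side and must be swapped in by the operator.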


That's a lot of words coming from people who were against this very idea not that long ago. Before Let's Encrypt existed, 90% of you were violently against the idea. "No, that's not how it's supposed to work." That's how it was.

Also you may have to maintain code bases that don’t use your preferred subset.

And you may have to work with developers who have a different preferred subset.


Exactly!


I use it for my web site where SSR is critical for SEO. For app development I don’t use Nextjs. I think it is designed for web sites (as opposed to web apps) and it is great for this purpose


Yep, this is how I use it and it has worked out really great... sometimes I wonder what people try to do that they have all these issues.


Absolutely agree. Leave well enough alone. If they keep adding features it is only going to get worse.


Zuckerberg doesn’t have a good track record with philanthropy

https://www.cnn.com/2025/04/25/tech/chan-zuckerberg-primary-...


Didn't Meta donate $1m to Trump's bribery fund?


> They also have a team of full time react devs they are paying for.

For now. My guess is they will be included in the next round of layoffs. Money for $100 Million pay packages for AI researchers has to come from somewhere!


Did that turn out to be a good idea? Hooks are much reviled for a reason!


They're not reviled at all. They make logic encapsulation so much simpler.


Just know that that’s not a universally held opinion!


Look at the desk to the left of the photo. First reported by Business Insider.

The human monitor in the car also appears to be in communication with Tesla's remote safety drivers.

