mrmarkuz
January 20, 2026, 4:15pm
1
Lets encrypt supports short lived certs, see 6-day and IP Address Certificates are Generally Available - Let's Encrypt @capote who informed me.
Just for fun I tried it with traefik and it worked.
Edit traefik.yaml:
runagent -m traefik1 nano traefik.yaml
Add profile: shortlived to use the shortlived profile:
...
certificatesResolvers:
acmeServer:
acme:
profile: shortlived
email: null
...
Restart traefik to apply config:
runagent -m traefik1 systemctl --user restart traefik
Now when requesting an LE cert, it is short lived and expires after 6 days so you’ll get a warning that the cert expires immediately
1 Like
LayLow
January 20, 2026, 5:08pm
2
And what is the practical usage if I may ask?
1 Like
I was thinking “Oh, goody.”
dan
January 20, 2026, 7:03pm
4
It doesn’t have to contain revocation information (like CRL info), so it can be smaller. You can also issue certs for IP addresses under this profile. If you don’t need a cert for an IP, there probably isn’t any real benefit.
I’d be more interested in a switch to the tlsserver profile, since I think that’s where they’re heading in any event–the CN field is gone, it uses the new roots, it doesn’t include the tlsclient EKU.
1 Like
dan
January 21, 2026, 11:02am
5
Note that there seems to be a bug in Traefik that prevents profiles from being used on cert renewal–it looks like that’s fixed somewhere in the 3.6 series, but NS8 is currently using 3.5.1:
opened 10:00AM - 24 Dec 25 UTC
closed 01:50PM - 05 Jan 26 UTC
area/acme
kind/bug/confirmed
contributor/wanted
### Welcome!
- [x] Yes, I've searched similar issues on [GitHub](https://github… .com/traefik/traefik/issues) and didn't find any.
- [x] Yes, I've searched similar issues on the [Traefik community forum](https://community.traefik.io) and didn't find any.
### What did you do?
I'm using LetsEncrypt `profile: shortlived` since it is generally available. To test it, I triggered a cert by deleting my old cert from acme.json and reloading Traefik. I got a shiny 160h cert (~6.7 days) and adjusted the `certificatesDuration` as well (for auto renewal).
When it came to automatic renewal, I unexpectedly got a default profile (90 days) cert again. I'd expect to continue getting shortlived until I switch profile again.
I'm not an expert, but when I look at the `provider.go → renewCertificates(ctx context.Context, renewPeriod time.Duration)` (lines 903++) function I see these options:
```
opts := &certificate.RenewOptions{
Bundle: true,
PreferredChain: p.PreferredChain,
}
```
There is no profile! I'd expect something like:
```
Profile: p.Profile,
```
I may be wrong, but to me it seems like this was forgotten. Note that the first cert order has a different codepath, so the bug only occurs on renewals.
### What did you see instead?
see above
### What version of Traefik are you using?
3.6.5
### What is your environment & configuration?
```yaml
certificatesResolvers:
letsencrypt:
acme:
# caServer: https://acme-staging-v02.api.letsencrypt.org/directory
email: redacted
storage: /acme.json
tlsChallenge: true
profile: shortlived
certificatesDuration: 160
keyType: 'EC256'
```
Add more configuration information here.
### If applicable, please paste the log output in DEBUG level
_No response_
2 Likes
dan
January 23, 2026, 12:34pm
6
More information about the available certificate profiles:
A profile is a collection of characteristics that describe both the validation process required to get a certificate, and the final contents of that certificate. For the vast majority of Let’s Encrypt subscribers, you should never have to worry about...
2 Likes
