Re: I understand
LE certs are meant to be automated, so renewals are not an issue. In theory a 1 day validity period could work however for practical reasons they need to be a little longer.
If you are manually installing a LE cert then the problem is that you are doing it wrong. Situations where automatic provisioning and renewal aren't practical are where other CAs fill the gap, as they can manually verify legitimacy and issue a certificate that can be manually installed on, for example, a non-internet-reachable device. I agree that in these situations a 2 or 3 year cert should be allowable, however as there is no distinction between automated validation and manual this is hard to differentiate at a technical level. Perhaps this is where EV certificates could see a use, with the assumption that EV was deliberate and intentional and verified whilst a non-EV cert can be assumed to have been automated at some point and therefore have a lower trust level?
In case anyone is wondering, LE wanted the shortest validity time to reduce risks with temporary hijacks or expired/sold domains but compromised on 60 day renewals to reduce load, with a 30 day grace period to allow for temporary outages and other intermittent failures.
It is also beneficial for automated renewals if it breaks sooner rather than later, because if your renewal script is broken then finding out sooner is far better than finding out after 12 months when everyone involved has either moved on or forgotten about the project. You also get an email if renewals fail before the cert actually expires to give you time to rectify the fault, which is only useful BECAUSE you do not get email notifications unless something is broken. In an ideal world a LE cert would be valid for say 1 week when first issued to pick up on problems sooner, with a renewal on say day 5 which then gives you a normal 3 month cert. But, this increases technical complexity.
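The renewal schedules discussed in the post (the 90-day LE cert renewed from day 60 with 30 days of grace, a manually installed 1-year cert, and the idea of a 1-week first cert renewed on day 5) can be compared with a small simulation of a daily renewal job. This is an added example, not code from the post or from Let's Encrypt; the policy values are constructed from the post's numbers and `renew_succeeds` stands in for whatever the real renewal script does.

```python
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

@dataclass(frozen=True)
class Policy:
    """Certificate lifetime rules, all in days (constructed for this example)."""
    first_validity: int        # validity of the first cert issued
    first_renew_before: int    # start renewing the first cert this long before expiry
    validity: int              # validity of every renewed cert
    renew_before: int          # start renewing later certs this long before expiry

# Policies taken from the post: LE today (90-day cert, renewal from day 60,
# 30 days of grace), a manually installed 1-year cert, and the poster's idea of a
# 1-week first cert renewed on day 5 into a normal 90-day cert.
LETS_ENCRYPT = Policy(90, 30, 90, 30)
ONE_YEAR_MANUAL = Policy(365, 30, 365, 30)
SHORT_FIRST = Policy(7, 2, 90, 30)

def simulate(policy: Policy, renew_succeeds: Callable[[int], bool],
             horizon: int) -> Tuple[Optional[int], Optional[int], int]:
    """Run a daily renewal job for `horizon` days.

    renew_succeeds(day) models whether the renewal script works on that day.
    Returns (first_alert_day, first_outage_day, renewals): the day the first
    failure notice would go out, the day the site first runs on an expired
    cert, and how many renewals succeeded. None means it never happened.
    """
    expires = policy.first_validity
    first_alert: Optional[int] = None
    first_outage: Optional[int] = None
    renewals = 0
    for day in range(horizon):
        days_left = expires - day
        if days_left <= 0 and first_outage is None:
            first_outage = day
        window = policy.first_renew_before if renewals == 0 else policy.renew_before
        if days_left <= window:            # inside the renewal window (or past expiry)
            if renew_succeeds(day):
                expires = day + policy.validity
                renewals += 1
            elif first_alert is None:
                first_alert = day          # the failure email the post describes
    return first_alert, first_outage, renewals

def always_broken(day: int) -> bool:
    """A renewal script that never works, e.g. a cron job that was never deployed."""
    return False

if __name__ == "__main__":
    for name, p in [("LE", LETS_ENCRYPT), ("1-year", ONE_YEAR_MANUAL), ("short-first", SHORT_FIRST)]:
        print(name, simulate(p, always_broken, 400))
```

With a broken script the LE schedule surfaces the fault on day 60 with 30 days to fix it, the 1-year cert only on day 335, and the 1-week first cert on day 5.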