HACKER Q&A
📣 sschueller

HSTS vs. Letsencrypt


The HSTS standard generally recommends an expiration of 6 months or more, which was fine when certificates issued were valid for one year or more.

However, with LE we now have certificates that are valid for 3 months. If we are unable to renew a certificate, the HSTS header becomes an issue. In fact, IMO the HSTS header should shorten by the days until the certificate is renewed to avoid this.

The issue I have is that all these "security" tests (that customers run) will moan that an HSTS is shorter than 6 months and deduct heavily from a score.

What are your opinions on the HSTS header and how do you deal with it if you are using LE?
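The max-age-shrinks-with-the-certificate idea from the question, as an added example that is not part of the original post: the issue and expiry dates, the one-day margin and the 6-month target are constructed assumptions, and nothing here reads a real certificate.

```python
from datetime import datetime, timedelta, timezone

# What the scanners mentioned in the question expect (about 6 months).
SIX_MONTHS = 180 * 24 * 3600

# Constructed sample: a 90-day certificate like the ones LE issues.
ISSUED = datetime(2024, 1, 1, tzinfo=timezone.utc)
EXPIRES = ISSUED + timedelta(days=90)


def hsts_max_age(not_after, now, desired=SIX_MONTHS, margin=timedelta(days=1)):
    """Return an HSTS max-age (seconds) that never outlives the current certificate.

    The desired value is capped at the time left until the certificate expires,
    minus a safety margin, so a failed renewal lets the HSTS commitment lapse
    together with the certificate instead of locking browsers onto a dead site.
    """
    remaining_s = int((not_after - margin - now).total_seconds())
    if remaining_s <= 0:
        # Certificate is (almost) expired: ask browsers to drop the policy.
        return 0
    return min(desired, remaining_s)


def policy_outlives_cert(max_age, not_after, now):
    """True when a fixed max-age would still be cached after the cert expires."""
    return now + timedelta(seconds=max_age) > not_after


def hsts_header(max_age, include_subdomains=False):
    """Format the Strict-Transport-Security header value."""
    value = f"max-age={max_age}"
    if include_subdomains:
        value += "; includeSubDomains"
    return value


def example_header(now=ISSUED):
    """Header a freshly issued 90-day certificate would get on its first day."""
    return hsts_header(hsts_max_age(EXPIRES, now))


if __name__ == "__main__":
    print(example_header())
    print("6-month policy outlives 90-day cert:",
          policy_outlives_cert(SIX_MONTHS, EXPIRES, ISSUED))
```

The policy value is recomputed on every response, so it shrinks day by day and jumps back up once the renewed certificate is installed.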


  👤 toast0 Accepted Answer ✓
> The issue I have is that all these "security" tests (that customers run) will moan that an HSTS is shorter than 6 months and deduct heavily from a score.

There's a few ways to solve this:

Option 0) accept that in the case of a long enough LE outage[1], you'll be able to find another certificate issuer, or the carnage will be enough that HSTS is turned off in a browser update. Or it's related to some event in which you're going to be majorly disrupted anyway (you mentioned sanctions), and websites are not high on the priority list of concerns.

Option 1) detect the security testers and serve them an HSTS max-age that satisfies them, but serve other user-agents a max-age that satisfies you.

Option 2) serve 6 month HSTS on / which is used for tests; serve something else on other resources. Also make sure / includes references to other resources that won't be cached. Last header served to the user-agent wins.

[1] I think most LE clients try to automatically renew once a day starting at 1 month away from expiration? So a one-month outage is sufficient. There are other no-cost ACME issuers, and some ACME clients can be configured to have a priority list of issuers, so if your preferred option doesn't work, you can use another one.


👤 keikobadthebad
You seem to be confusing pinning with HSTS.

If there's a crisis that means you can no longer use LE, you can just buy a valid cert from another provider and live up to what you were telling on HSTS that way.