2016-12-19
Don't assume you can renew TLS certificates whenever you want to
We currently have one of our web sites using Let's Encrypt despite us not planning to switch it to a LE certificate. And there lies a short story.
We (collectively) were planning to renew the existing non-LE certificate for this site a week or so in advance of it expiring. But things came up, and renewal slipped, and then suddenly the certificate was expiring in less than 24 hours and it was November 25th.
(November 25th was a normal work day in Canada.)
Did you know that commercial Certificate Authorities get kind of busy on Black Friday, in fact so busy that they're overwhelmed? We certainly didn't (and I'm honestly a little surprised by it), but apparently they do. So we couldn't renew our certificate at our normal CA, and the next CA or two that we tried were overwhelmed too. But Let's Encrypt was humming along fine, and there are self-contained clients that make it entirely trivial to get a one-shot Let's Encrypt certificate.
I don't know if this particular website will stick with Let's Encrypt (which would require setting up a client to automate things) or go back to a one or two year TLS certificate from our normal commercial CA. But I have my suspicions.
The broad moral here is in the title: don't assume that you can renew your TLS certificates whenever you want to, whether they're from Let's Encrypt or a commercial CA. Sure, almost all of the time you can, but things can happen (and not just in the CA; imagine if there is a problem with the credit card that you use to pay for stuff).
PS: Let's Encrypt helps here because you can renew well in advance without any drawbacks, unlike many commercial CAs. Early renewal means that you have lots of time to deal with things going wrong, instead of having to scramble on the last day the way we did. And obviously an automated process helps too, since automation removes the need for people to remember to do things.
The great thing about using Let's Encrypt is the automation
When I started using TLS certificates from Let's Encrypt, the obvious attraction was that the certificates were free. I could have certificates for as many different names as I wanted and I'd never have to worry about either the cost or the whole mechanical hassle of paying for them.
(You'd think that TLS certificate vendors would make it really easy to give them money either for new certificates or to renew ones you already have. In my limited experience, this is not the case; the one vendor's website I had to use seemed deliberately designed to make the process hard and opaque.)
It's funny that I should mention 'hassle', because that's turned out to be the great thing about switching my certificates over to Let's Encrypt. The only thing that's a hassle with Let's Encrypt is picking out a LE client and getting it set up properly on your system (I recommend acmetool). Once you've done that the LE and client automation takes over, everything just works, and you can stop even thinking about it.
(One of my TLS certificates renewed yesterday and the only reason I know is that I go out of my way to monitor our certificate expiry times, so I saw that site's time jump back to 90 days.)
Up until Let's Encrypt came along, both getting renewed certificates and deploying them were a hassle; the last time I went through it for our sites was basically a day of work. A properly operating Let's Encrypt client setup turns both into things that you can entirely forget about because it all just works and keeps on working with no by-hand care or attention. This is a great thing, since grinding through all of this by hand is just pointless work.
One somewhat subtle appeal of this automation is that it also basically removes the need to carefully keep track of and worry about certificate expiry times. Your monitoring system should still watch this, just in case, but you no longer need a note in your calendar about 'certificate X needs to be renewed now' and you don't need to worry about what happens if it slips through the cracks.
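As an added illustration of the "your monitoring system should still watch this" point (this is example code written for this page, not a script from the post's author or from any LE client), here is a small stdlib-only Python expiry check. It works on the dict that `ssl.getpeercert()` returns for a live server, classifies how much time is left against renewal thresholds, and is exercised below on constructed sample certificates so it runs offline. The 30-day "renew now" and 7-day "alarm" thresholds are assumptions chosen for the example; a 90-day LE certificate renewed at 30 days left gives you weeks of slack if something goes wrong, which is the point of the first post above.

```python
import socket
import ssl
from datetime import datetime, timezone

# Assumed policy values for this example (not from the post): with 90-day
# Let's Encrypt certificates, start renewing at 30 days left and page
# someone at 7 days left. Adjust to taste.
RENEW_AT_DAYS = 30
ALARM_AT_DAYS = 7


def parse_gmt(when):
    """Turn an OpenSSL-style 'Nov 26 12:00:00 2016 GMT' string into an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(when), tz=timezone.utc)


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Fetch a live server's leaf certificate in the same dict form ssl.getpeercert() returns.

    Not called by the offline samples below; use it from a monitoring cron job.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def days_remaining(cert, now):
    """Days until the certificate's notAfter; negative once it has expired."""
    return (parse_gmt(cert["notAfter"]) - now).total_seconds() / 86400.0


def renewal_status(cert, now):
    """Classify a certificate as OK, RENEW, ALARM or EXPIRED relative to 'now'."""
    left = days_remaining(cert, now)
    if left < 0:
        return "EXPIRED"
    if left < ALARM_AT_DAYS:
        return "ALARM"
    if left < RENEW_AT_DAYS:
        return "RENEW"
    return "OK"


def expiry_report(certs, now):
    """Return (name, status, days_left) for each cert, soonest expiry first."""
    rows = []
    for cert in certs:
        name = cert["subject"][0][0][1]
        rows.append((name, renewal_status(cert, now), round(days_remaining(cert, now), 1)))
    return sorted(rows, key=lambda r: r[2])


# Constructed sample certificates (only the fields the check needs), mirroring
# the post: one commercial cert with under a day left on November 25th, and
# one fresh 90-day Let's Encrypt cert issued December 19th.
SAMPLE_CERTS = [
    {
        "subject": ((("commonName", "commercial.example.org"),),),
        "notBefore": "Nov 26 12:00:00 2015 GMT",
        "notAfter": "Nov 26 12:00:00 2016 GMT",
    },
    {
        "subject": ((("commonName", "le.example.org"),),),
        "notBefore": "Dec 19 00:00:00 2016 GMT",
        "notAfter": "Mar 19 00:00:00 2017 GMT",
    },
]


def demo_report(now="Nov 25 14:00:00 2016 GMT"):
    """Run the check over the constructed samples at a fixed, constructed 'now'."""
    return expiry_report(SAMPLE_CERTS, parse_gmt(now))


if __name__ == "__main__":
    for name, status, left in demo_report():
        print(f"{name:28} {status:8} {left:6.1f} days left")
```

For real use, replace the sample list with `fetch_peer_cert(host)` for each site you care about and have the job exit non-zero (or page) on `ALARM` or `EXPIRED`; the `RENEW` state is what an LE client would normally handle for you, and seeing it persist is the signal that the automation has stopped working.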
(The appeal of LE's automation is sufficiently great that it's started to make my co-workers enthused about switching to Let's Encrypt. We're okay with paying money for certificates, more or less, but we all really like the idea of never having to worry about certificate expiration or do work to roll over certificates.)