Don't assume you can renew TLS certificates whenever you want to

December 19, 2016

We currently have one of our web sites using Let's Encrypt despite us not planning to switch it to a LE certificate. And there lies a short story.

We (collectively) were planning to renew the existing non-LE certificate for this site a week or so in advance of it expiring. But things came up, and renewal slipped, and then suddenly the certificate was expiring in less than 24 hours and it was November 25th.

(November 25th was a normal work day in Canada.)

Did you know that commercial Certificate Authorities get kind of busy on Black Friday, in fact so busy that they're overwhelmed? We certainly didn't (and I'm honestly a little surprised by it), but apparently they do. So we couldn't renew our certificate at our normal CA, and the next CA or two that was tried was overwhelmed too. But Let's Encrypt was humming along fine, and there are self-contained clients that make it entirely trivial to get a one-shot Let's Encrypt certificate.

I don't know if this particular website will stick with Let's Encrypt (which would require setting up a client to automate things) or go back to a one or two year TLS certificate from our normal commercial CA. But I have my suspicions.

The broad moral here is in the title: don't assume that you can renew your TLS certificates whenever you want to, whether they're from Let's Encrypt or a commercial CA. Sure, almost all of the time you can, but things can happen (and not just in the CA; imagine if there is a problem with the credit card that you use to pay for stuff).

PS: Let's Encrypt helps here because you can renew well in advance without any drawbacks, unlike many commercial CAs. Early renewal means that you have lots of time to deal with things going wrong, instead of having to scramble on the last day the way we did. And obviously an automated process helps too, since automation removes the need for people to remember to do things.
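As an added example (not code from the original post): a small check that reports how much renewal slack each certificate has left, so a slipped renewal gets noticed weeks ahead instead of on the last day. The 30-day and 7-day thresholds, the host names and the dates are assumptions constructed for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

# Assumed policy (not from the post): start renewing with 30 days left,
# treat fewer than 7 days left as an emergency.
RENEW_DAYS = 30
URGENT_DAYS = 7

def days_remaining(not_after, now):
    """Whole days until notAfter, given in the 'Nov 26 09:00:00 2016 GMT'
    form that SSLSocket.getpeercert() returns. Negative once expired."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after),
                                     tz=timezone.utc)
    return (expires - now).days

def classify(days):
    if days < 0:
        return "EXPIRED"
    if days < URGENT_DAYS:
        return "URGENT"
    if days < RENEW_DAYS:
        return "RENEW"
    return "OK"

def fetch_not_after(host, port=443, timeout=5.0):
    """Read notAfter from the certificate a live server presents.
    An already-expired certificate fails verification here and raises
    ssl.SSLCertVerificationError, which a caller should alert on too."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]

def report(inventory, now):
    """Return (status, days_left, name) rows, least slack first."""
    rows = []
    for name, not_after in inventory.items():
        days = days_remaining(not_after, now)
        rows.append((classify(days), days, name))
    return sorted(rows, key=lambda row: row[1])

# Constructed sample inventory and clock; in real use, fill the dict from
# fetch_not_after() and pass datetime.now(timezone.utc).
SAMPLE = {"www.example.org": "Nov 26 09:00:00 2016 GMT",
          "mail.example.org": "Dec 15 00:00:00 2016 GMT",
          "wiki.example.org": "Mar  1 00:00:00 2017 GMT",
          "old.example.org": "Nov 20 00:00:00 2016 GMT"}
SAMPLE_NOW = datetime(2016, 11, 25, 12, 0, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for status, days, name in report(SAMPLE, SAMPLE_NOW):
        print(f"{status:8} {days:4d}d  {name}")
```

Run from a daily scheduled job, a check like this makes the RENEW state visible while there is still time to work around a busy CA or a payment problem.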


Comments on this page:

By Albert at 2016-12-19 05:51:03:

I would start to think of the renewal well more than a week before; it's not necessary to leave everything for the very last minute, as many CA providers will happily accept to renew a certificate even a month or two before expiration, adding the residual time to the new certificate for the same price.

Of course that is if you want to stay with a "normal" CA; Let's Encrypt gives different options and opportunities.

Written on 19 December 2016.
Last modified: Mon Dec 19 01:39:23 2016