Don't assume you can renew TLS certificates whenever you want to
We currently have one of our web sites using Let's Encrypt despite us not planning to switch it to a LE certificate. And there lies a short story.
We (collectively) were planning to renew the existing non-LE certificate for this site a week or so in advance of it expiring. But things came up, and renewal slipped, and then suddenly the certificate was expiring in less than 24 hours and it was November 25th.
(November 25th was a normal work day in Canada.)
Did you know that commercial Certificate Authorities get kind of busy on Black Friday, in fact so busy that they're overwhelmed? We certainly didn't (and I'm honestly a little surprised by it), but apparently they do. So we couldn't renew our certificate at our normal CA, and the next CA or two that was tried was overwhelmed too. But Let's Encrypt was humming along fine, and there are self-contained clients that make it entirely trivial to get a one-shot Let's Encrypt certificate.
I don't know if this particular website will stick with Let's Encrypt (which would require setting up a client to automate things) or go back to a one or two year TLS certificate from our normal commercial CA. But I have my suspicions.
The broad moral here is in the title: don't assume that you can renew your TLS certificates whenever you want to, whether they're from Let's Encrypt or a commercial CA. Sure, almost all of the time you can, but things can happen (and not just in the CA; imagine if there is a problem with the credit card that you use to pay for stuff).
PS: Let's Encrypt helps here because you can renew well in advance without any drawbacks, unlike many commercial CAs. Early renewal means that you have lots of time to deal with things going wrong, instead of having to scramble on the last day the way we did. And obviously an automated process helps too, since automation removes the need for people to remember to do things.
Comments on this page:Written on 19 December 2016.