The time has come...to renew some Let's Encrypt SSL certificates! Doesn't seem like 90 days has passed since I originally wrote about trying out Let's Encrypt as a service to generate free, trusted SSL certificates with a limited lifespan (90 days versus the more commercially-focused 1-3 years).
Of course, due to multiple reasons I waited until the very last minute to do a renewal. Technically by UTC time, I think one of the certs actually had properly expired, but it's for one of my other vanity domain names so would have been noticed by nobody.
As I'd used the sslforfree service to originally generate the certificates, and since I'd created an account (not required) at the same time, the service saved my information and kindly sent me an email about five days in advance of the expiration (roughly a week). As I'd taken no action, I received another set of reminders within 48 hours of the certificates' expiration.
It was the last set of reminders that forced me to act. It's good to know that they work, and if you're not using a fully-automatic process to handle certificates, you will absolutely
want need to get these reminders!
The Renewal Process
As to the process for renewal itself, it's pretty straightforward and essentially follows the same steps as original generation. The sslforfree service allowed me to select one of the existing certs for renewal, which pre-populated the form options with the same values. Since I'm doing the manual/file renewal process, the process is basically 'download file, place in proper location on host, tell service to generate certificate, grab certificate details and paste into CPanel.' It took about the same amount of time (a minute or two) for each domain/cert, maybe a bit less due to the pre-populating part.
Because of this, it's not a "renewal" like I'm used to with a regular service like InCommon. It's essentially a slightly streamlined process to generate an entirely new certificate. How it works doesn't really matter, though, because at the end of the day the result is the same: SSL certificate generated.
Based on the ease of the "renewal" process, I went ahead and renewed four other vanity domains which were set to expire in about two weeks. Total time was less than ten minutes, start to finish.
I intend to go ahead and generate a set of certificates for all of my various domains (vanity and regular) with sslforfree/Let's Encrypt in the next few weeks. With the process being as simple as it is, there's really no reason not to do it.
I deleted one of the original certificates from sslforfree after I'd verified the host was responding with the new one, but I left the other original. I'm a bit curious to see if I'll get more renewal notices or expiration notice for the one that's been replaced but not had its original removed. I'm doing this to better understand the service, not because I have to. Once I know how that behaves I'll probably remove all of the old certs and keep it simple. Not like they'll work anyway once expired...
I Did It; You Should Too!
I cannot recommend the services enough--super simple, FREE, and reasonably easy to use. More so if your host configuration allows you to install or run the fully-automatic processes to handle renewals!
Headline image via Oxatis