
I had an SSL certificate expire over the weekend; the client had missed the renewal email, and obviously they were not happy their site was displaying SSL warnings.

As I've been using Let's Encrypt on a number of sites now, I wondered if I could use Certbot to check a purchased certificate's expiry and replace it with a Let's Encrypt certificate in between SSL renewals. Does someone know if something like that would work? I'm concerned that the renewal of the purchased certificate could be messed up by it, and I'm not sure if there would be any additional setup for Certbot to work this way.

Does anyone have some advice on how best to handle SSL renewals? I really just need some guidance here.

  • The best mitigation is probably to add monitoring for the expiration date of SSL certificates to your existing monitoring solution. – HBruijn Oct 23 '17 at 10:18
  • Is that not what Certbot kind of does? I know it checks the expiration of the generated Let's Encrypt SSL certificates; I'm just not sure if it'd work with purchased ones. It seems renewing an SSL will always lead to some downtime during the transition; I'd hoped that I could switch to Let's Encrypt in the interim period. – OrderAndChaos Oct 23 '17 at 11:29
  • "It seems renewing an SSL will always lead to some downtime during the transition [...]": Not really. Besides, @HBruijn told you the correct way to implement this. – gxx Oct 23 '17 at 12:11
  • Don't wait for them to expire. Just switch to the Let's Encrypt ones. – Federico Galli Oct 23 '17 at 13:44
  • @HBruijn DigiCert has a free SSL monitor. If you would have LE replace the cert, why not just use LE exclusively? – Jacob Evans Oct 23 '17 at 13:53
  • Why bother with the purchased cert at all? Get Let's Encrypt up and running, automate it, and never touch it again. – ceejayoz Oct 23 '17 at 13:54
  • The purchased ones have insurance (not sure we'll ever need that), and add the site name to the browser bar for customer reassurance. Some clients want the EV SSL certificates too. – OrderAndChaos Oct 23 '17 at 16:34
  • @Sarcoma The fact that Facebook, Amazon, and Google skip the EV stuff is probably a good indication of how little consumers care about the site name being in the browser bar. If you're running a bank site, have at it. The insurance is a scam - the terms are so specific and address such an unlikely situation that no SSL vendor has **ever** paid out. – ceejayoz Oct 24 '17 at 14:48
  • @ceejayoz Those are some good points. So would you skip paid certificates altogether, and just use Let's Encrypt? I have to say I have found it the most painless solution. – OrderAndChaos Oct 24 '17 at 18:50
  • @Sarcoma Yes, I'm very happy recommending Let's Encrypt in 99.999% of cases - the only exceptions would be clients who absolutely require an EV cert. I also use the (free) Amazon ACM when it's an Amazon-hosted site. – ceejayoz Oct 24 '17 at 18:59
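HBruijn's suggestion in the comments, monitoring the expiry date instead of reacting to the browser warning, needs nothing more than the openssl CLI. The script below is an added example and is not code from the question or from any of the answers: it reports whether a certificate file, or the certificate a live host actually presents (fetched with SNI), expires within a given number of days, and exits non-zero in that case so a cron job or monitoring agent can alert. It relies on the `-checkend` option of `openssl x509`; the host, port, paths and the self-signed certificate it generates to run offline are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the question or answers): certificate expiry check
# for cron or a monitoring agent. Assumes the openssl CLI is installed; the
# host, port, paths and the self-signed test certificate are constructed.

# cert_needs_renewal <pem-file> <days>
# Exit 0 if the certificate expires within <days> days (or is already expired),
# 1 if it stays valid longer, 2 if the file cannot be parsed. Uses
# `openssl x509 -checkend`, which exits 0 only if the certificate is still
# valid <seconds> from now.
cert_needs_renewal() {
    pem="$1"; days="$2"
    openssl x509 -noout -in "$pem" >/dev/null 2>&1 || return 2
    if openssl x509 -noout -in "$pem" -checkend "$((days * 86400))" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# cert_end_date <pem-file>: print the notAfter date for an alert message.
cert_end_date() {
    openssl x509 -noout -enddate -in "$1" | cut -d= -f2
}

# live_cert_needs_renewal <host> <port> <days>: fetch the certificate the
# server actually presents (SNI set to <host>) and apply the same check.
# This is what catches a forgotten purchased certificate: it tests what
# clients see, not what happens to be on disk.
live_cert_needs_renewal() {
    host="$1"; port="$2"; days="$3"
    tmp=$(mktemp) || return 2
    if ! echo | openssl s_client -servername "$host" -connect "$host:$port" 2>/dev/null \
            | openssl x509 -outform PEM > "$tmp" 2>/dev/null; then
        rm -f "$tmp"; return 2
    fi
    cert_needs_renewal "$tmp" "$days"; rc=$?
    rm -f "$tmp"
    return "$rc"
}

# make_test_cert <cert-file> <key-file> <days>: constructed self-signed
# certificate so the example runs offline (a real check would read the
# server's certificate file or call live_cert_needs_renewal).
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$3" -subj "/CN=example.test" \
        -keyout "$2" -out "$1" >/dev/null 2>&1
}

# Demonstration: a certificate with 5 days left trips a 14-day warning
# threshold but not a 2-day one.
demo=$(mktemp -d)
make_test_cert "$demo/cert.pem" "$demo/key.pem" 5
echo "certificate expires: $(cert_end_date "$demo/cert.pem")"
if cert_needs_renewal "$demo/cert.pem" 14; then
    echo "ALERT: fewer than 14 days left, renew now"
fi
if ! cert_needs_renewal "$demo/cert.pem" 2; then
    echo "ok: more than 2 days left"
fi
rm -rf "$demo"
```

A daily cron entry calling `live_cert_needs_renewal example.com 443 14` and mailing or paging on exit status 0 gives the early warning the question asks for; the threshold should be comfortably longer than the vendor's renewal turnaround. The exit status 2 path matters: a host that cannot be reached or returns no certificate should page too, rather than be counted as "fine".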

2 Answers

0

Yes, replacing a yearly cert with Let's Encrypt will prevent further issues where manual intervention is required.

1) Install Certbot.
2) Issue your first certificate, including any pre/post hooks to ensure the new certificate is loaded on renewal (nginx restart, etc.). Set your renewal/account email to either a ticket system or a distribution list (if you leave, someone else checks on failed renewals). I recommend using webroot; there's a ton of documentation on how to do this.
3) Set up cron to run certbot renew every so often (during a time you can restart the service without negative impact on users, but within a time you can quickly fix any issues that come up).

No, Certbot is not a monitoring tool for 3rd-party services; check out 3rd-party services for this. Also remember, Certbot is an ACME client, which is what Let's Encrypt uses.

Jacob Evans
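Step 2 of this answer mentions hooks that load the new certificate on renewal. The following is an added example of such a deploy hook; it is not Certbot's own code and not part of the answer. Certbot runs the command given to `--deploy-hook` once per successfully renewed certificate and exports `RENEWED_LINEAGE` (the `/etc/letsencrypt/live/<name>` directory) and `RENEWED_DOMAINS` to it. The hook refuses a certificate whose private key does not match, copies the pair into the web server's directory by writing temporary files and renaming them so a reload never reads a half-written file, keeps the key owner-only, and then runs the reload command. The destination path and reload command are placeholders; the certificate it generates to run offline is constructed.

```shell
#!/bin/sh
# Added example (not Certbot's code, not part of the original answer): a
# --deploy-hook for Certbot. Certbot exports RENEWED_LINEAGE (e.g.
# /etc/letsencrypt/live/example.com) and RENEWED_DOMAINS when it runs the
# hook. Destination directory and reload command are placeholders.

# key_matches_cert <cert.pem> <key.pem>: compare the public key embedded in
# the certificate with the one derived from the private key. Deploying a
# mismatched pair would leave nginx unable to load its TLS configuration.
key_matches_cert() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# deploy_cert <lineage-dir> <dest-dir> <reload-cmd>
# Copies fullchain.pem and privkey.pem into <dest-dir> as cert.crt and key.key,
# writing to temporary names first and renaming so the web server never reads
# a half-written file, then runs <reload-cmd>. On any failure the previously
# deployed files are left untouched and the function returns non-zero.
deploy_cert() {
    lineage="$1"; dest="$2"; reload_cmd="$3"
    src_cert="$lineage/fullchain.pem"; src_key="$lineage/privkey.pem"
    if ! [ -r "$src_cert" ] || ! [ -r "$src_key" ]; then
        echo "deploy_cert: missing $src_cert or $src_key" >&2; return 1
    fi
    if ! key_matches_cert "$src_cert" "$src_key"; then
        echo "deploy_cert: private key does not match certificate, not deploying" >&2; return 1
    fi
    mkdir -p "$dest" || return 1
    # umask in a subshell so the temporary key file is never world-readable
    ( umask 077 && cp "$src_cert" "$dest/cert.crt.tmp" && cp "$src_key" "$dest/key.key.tmp" ) || return 1
    chmod 644 "$dest/cert.crt.tmp"    # certificate chain is public
    chmod 600 "$dest/key.key.tmp"     # private key stays owner-only
    mv "$dest/cert.crt.tmp" "$dest/cert.crt" && mv "$dest/key.key.tmp" "$dest/key.key" || return 1
    sh -c "$reload_cmd"
}

# When Certbot invokes this file as the hook, RENEWED_LINEAGE is set:
#   certbot renew --deploy-hook /usr/local/sbin/deploy-cert.sh   (placeholder path)
if [ -n "$RENEWED_LINEAGE" ]; then
    deploy_cert "$RENEWED_LINEAGE" /etc/nginx/ssl/example.com "nginx -t && service nginx reload"
    exit $?
fi

# Stand-alone demonstration with a constructed self-signed pair standing in
# for a renewed lineage, and a reload command that only echoes.
demo=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj "/CN=example.test" \
    -keyout "$demo/privkey.pem" -out "$demo/fullchain.pem" >/dev/null 2>&1
deploy_cert "$demo" "$demo/deployed" "echo reload would run here" && echo "deployed to $demo/deployed"
rm -rf "$demo"
```

Because the hook returns non-zero without touching the deployed files when the key and certificate disagree or an input is missing, a broken renewal leaves the site on its previous (still valid) certificate and shows up as a Certbot hook failure in the renewal email, which is exactly where step 2 sends it.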
-1

The script could have errors, I didn't test it! Please do not run it in production. But I believe it should be something like this:

#!/bin/bash
my_domain=example.com
my_ip=88.208.57.20 # could be example.com
my_port=443
seconds=86400 # 24h
cert_bot_cert="/etc/letsencrypt/live/$my_domain/fullchain.pem"
cert_bot_key="/etc/letsencrypt/live/$my_domain/privkey.pem"
native_cert="/etc/nginx/ssl/$my_domain/cert.crt"   # was $mydomain, which is never set
native_key="/etc/nginx/ssl/$my_domain/key.key"

# Copy the Let's Encrypt certificate and key over the files nginx serves, then reload
function certrw {
    cat "$cert_bot_cert" > "$native_cert" && cat "$cert_bot_key" > "$native_key" && nginx -t && service nginx reload
}

# notAfter of the certificate the server currently presents, as a Unix timestamp
expire_date=$(date -d "$(echo | openssl s_client -servername "$my_domain" -connect "$my_ip:$my_port" 2>/dev/null | openssl x509 -noout -dates | grep notAfter | cut -d '=' -f2)" +%s)
today=$(date +%s)
diff=$(( expire_date - today ))   # bash arithmetic, no bc needed
if [ "$diff" -lt "$seconds" ]; then
    certbot certonly --webroot -w /var/www/letsencrypt/ -d "$my_domain" && certrw
fi