Netgate Discussion Forum

    Another satisfied Let's Encrypt user

    • KOM

      I've been running SSL on my dinky website for about 2 years with a cert I got for free from StartCom.  As a lot of you know, StartCom was engaging in shenanigans with "test" certs they were caught issuing for major web domains.  The Big Browsers all stopped trusting StartCom, which made my site generate cert errors in Chrome or FF.

      Not good!

      While I was aware of Let's Encrypt, I already had a working config and I didn't want to have to disrupt it and learn something new right now just to get what I already had.  After checking out the prices for a simple cert from other vendors, I was back to Let's Encrypt.

      After backing up my config, I installed the certbot package, ran it, answered two questions and BAM – done.  I could not believe how slick and easy it was.  All I had to do to finish up was add a cron job to renew twice per day as recommended.

      Very nice and highly recommended.

      • GruensFroeschli

        I'm using LE for my private stuff as well.
        What do you mean with

        "All I had to do to finish up was add a cron job to renew twice per day as recommended."

        You should not renew more often than every ~60 days.
        There is also a limit of 5 renewal requests per domain/subdomain per 7 days.
        If you exceed that, all subsequent requests will be denied.

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

        • KOM

          https://certbot.eff.org/all-instructions/

          Note:
          if you're setting up a cron or systemd job, we recommend running it twice per day (it won't do anything until your certificates are due for renewal or revoked, but running it regularly would give your site a chance of staying online in case a Let's Encrypt-initiated revocation happened for some reason). Please select a random minute within the hour for your renewal tasks.

          • KOM

            Let's Encrypt just announced that they will start issuing wildcard certs in January 2018.

            • Jailer

              @KOM:

              Let's Encrypt just announced that they will start issuing wildcard certs in January 2018.

              Wow, that's surprising.

              I'm also a happy Let's Encrypt user. It couldn't be easier to get an encrypted site up and running.

              • GruensFroeschli

                @KOM:

                https://certbot.eff.org/all-instructions/

                Note:
                if you're setting up a cron or systemd job, we recommend running it twice per day (it won't do anything until your certificates are due for renewal or revoked, but running it regularly would give your site a chance of staying online in case a Let's Encrypt-initiated revocation happened for some reason). Please select a random minute within the hour for your renewal tasks.

                Ah, that's with certbot.
                I'm running the request for the domain directly.

                Really looking forward to wildcard certificates :)
                Will make it a lot easier to manage since I run quite a lot of subdomains on my webserver :)


                • jimp Rebel Alliance Developer Netgate

                  @GruensFroeschli:

                  Really looking forward to wildcard certificates :)
                  Will make it a lot easier to manage since I run quite a lot of subdomains on my webserver :)

                  That's about the only scenario that makes sense, lots of subdomains on a single server. Otherwise you'd also have to distribute the wildcard cert to other boxes locally every time it was renewed. Possible, sure, but a bit of a pain and not very advantageous over just letting other servers request their own certs.

                  I'm still waiting for them to validate bare IP addresses and also allow extra EKU flags like "IP Security IKE Intermediate". I figured they'd at least allow the EKUs before doing wildcard certs.
