I’ve got an EV SSL certificate for my company from Comodo that is valid for a year. It cost me $80, and actually only took a couple of days to get.
On the same server I have a couple of Let’s Encrypt certificates for my radio club plus another site.
I set up a cron job on a Linux server to renew the Let’s Encrypt certificates with certbot, but having given it more thought, I am going to disable the cron job.
In order to update the certificate, the following has to happen.
- Get new certificate.
- Shut down Apache.
- Install new certificate.
- Hope Apache restarts.
If there’s a problem with any of the certificates, Apache is likely to not start. So my company website would remain down.
There’s also the remote possibility someone is making a purchase on the website, as the server is shut down.
Given it is possible to revoke certificates, I really fail to see the need to have a 90 day expiration date. Perhaps let people have the option of a 90 day certificate, but a longer period should in my opinion be the default.
Given all the main CAs (Comodo, Verisign etc) offer certificates of one or two years, I really can’t see why Let’s Encrypt should have this 90 day limit. I read
and it talks about automation. Am I the only one to think the website administrator should take down the webserver and check it’s working?
I’ve written an email to the members of my club, saying we will have to buy a certificate, as I can’t risk automatic renewals. With it possible to get 1-year certificates for less than $6, the money Let’s Encrypt will save is not enough to warrant the risks that automated updates cause.
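
The restart risk described in the post can be reduced with a certbot deploy hook that checks the renewed certificate and the Apache configuration before the running server is touched. This is an added example, not part of the original post; the hook file name in the comment and the function names are assumptions.

```shell
#!/bin/sh
# Added example: certbot deploy hook, e.g. saved as the hypothetical file
# /etc/letsencrypt/renewal-hooks/deploy/apache-safe-reload.sh
# certbot runs deploy hooks only after a successful renewal and sets
# RENEWED_LINEAGE to the live directory of the renewed certificate.
APACHECTL=${APACHECTL:-apachectl}   # overridable so the logic can be tested

# cert_ok CERT KEY: succeed only if both files exist, the certificate is
# valid for at least another day, and the private key matches it.
cert_ok() {
    cert=$1 key=$2
    [ -s "$cert" ] && [ -s "$key" ] || return 1
    openssl x509 -in "$cert" -noout -checkend 86400 >/dev/null 2>&1 || return 1
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# safe_reload: syntax-check the configuration first. If the check fails,
# the running Apache is not touched and keeps serving the certificate it
# already has in memory. "graceful" lets in-flight requests finish.
safe_reload() {
    if ! "$APACHECTL" configtest >/dev/null 2>&1; then
        echo "configtest failed; running Apache left untouched" >&2
        return 1
    fi
    "$APACHECTL" graceful
}

# deploy LINEAGE_DIR: validate the renewed files, then reload.
deploy() {
    lineage=$1
    if ! cert_ok "$lineage/fullchain.pem" "$lineage/privkey.pem"; then
        echo "renewed certificate failed checks; not reloading" >&2
        return 1
    fi
    safe_reload
}

# Only act when invoked by certbot.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy "$RENEWED_LINEAGE"
fi
```

A non-zero exit from the hook shows up in certbot's output and log, so a failed check can be investigated while the site keeps serving its previous certificate.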