Changing to LetsEncrypt from different CA

Suppose I have a running website with an certificate I bought from some major CA, with SSL stapling (actual full ssl_params of my nginx is here: Suppose I don’t want to use it anymore and I want to switch to LetsEncrypt. Would the change affect the users of the website? E.g. would they see warning messages about certificates in their browser?

The short answer is: almost certainly not, as long as you do things right. I’m going to give a bit more of a broad explanation for anyone else stumbling upon this thread later.

The first consideration is whether or not you’ve implemented HTTP Public Key Pinning (HPKP). This is an extremely uncommon setup, as it introduces a large degree of complexity with debatable benefit. Still, if you have implemented this, then you will need to take special considerations when migrating to Let’s Encrypt. This is not the same thing as OCSP stapling (SSL stapling), which I see you have set up in your config. OCSP stapling will not cause you any troubles here.

Also of note - if you have a non-DV certificate at the moment (e.g. OV or EV - the rather expensive ones that give a special green bar with your business name) then you will lose the green bar. I don’t suspect this is the case, but it’s a worthwhile consideration.

Now, assuming you’re not using either of those two not-particularly-common setups, you shouldn’t have any issues. Just be certain that your certificate covers all domains your visitors might use, such as domain.tld and www.domain.tld and you should be good to go.


Ordinarily users won’t be warned about a different but still trustworthy certificate like the ones from Let’s Encrypt. However, beyond the configuration you’ve shown you should check that your web site doesn’t use HPKP, a technology which tells visiting browsers to expect only certain keys to be used. If HPKP is in use you will need to take great care and moving to Let’s Encrypt could take much longer.

HPKP uses MIME headers, so it would be part of the Web application or configured separately, not usually with the nginx settings you described.


I got it, thanks a lot guys!

I don’t think I have HPKP set up (I’ve considered it at development stage and found it to be troublesome), and I do have a DV certificate as of now. So I guess I’m good to go :slight_smile:

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.