Independent advice


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: N/A yet

I ran this command: N/A

It produced this output: N/A

My web server is (include version): unknown

The operating system my web server runs on is (include version): unknown

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don’t know): No

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Umbraco Opensource CMS


I’m not sure if the information above would really help at this stage, because I am just after some independent advice.
I’ve recently had a company build me a new website and of course with Google’s announcement of marking unsecured websites the conversation turned to SSL Certificates.
I’ve always considered SSL certificates as a bit of a wrought and that’s why I’m here. I let my web designer know that I’m interested in Let’s Encrypt and while they consider it doable, they believe an hour’s worth of their time is required to achieve it.

Here is a transcript of their message to me:


There is no Let’s Encrypt feature in the CMS. It’s actually harder for us to manage a Let’s Encrypt setup than a certificate install. Because you can’t manually do Let’s Encrypt there is an API to manage and keep running.

I’m happy to look at a Let’s Encrypt setup for you which would mean you don’t have ongoing yearly costs. However it’s 1 hour to get it going. But you’re then connected and running for free.

Let me know if you’d like to go ahead with that. Alternatively we do it the traditional way of buying a cert, and a static IP and renew it yearly.


My questions therefore are:

  1. What duration does a Let’s Encrypt certificate last for?
  2. Is it likely I will require my provider’s assistance to renew if necessary?
  3. Do I need a static IP with Let’s Encrypt?
  4. Anything else that looks out of place?

Richard


#2

1 hour setup is a perfectly reasonable quote.

90 days. This short duration is mitigated by the client software automatically renewing the certificate, so the intent is that it would not require any human intervention after being set up.

Not likely. However, if the process begins to malfunction at some point in the future, then it would need to be addressed by somebody who is able to work with the client software.

Nope.


#3

Hi _az and thank you for your very prompt reply 🙂

The provider mentions an API they have to manage (from transcript), is this the same as the client software you mention above? I suspect this client software has to be running within access of the provider since I have no ability to set up or administrate according to them?

Richard


#4

The “API” most likely refers to the client software (which uses the API). The most popular one is https://certbot.eff.org/ , but since Umbraco is usually deployed on Windows (I think), an alternative is probably used. Whatever they use, it has to run within the environment where your website is hosted.

If you don’t have administrative access over your hosting environment, then you are depending on somebody else to manage it for you, including for SSL, right?


#5

If I understand you correctly, then yes. I have rudimentary access to editing site content via a web portal, but not to higher level admin like installing certificates it appears. I am at the mercy of the site developer and hence why I am gaining an understanding of the part they play.


#6

In the ideal situation, managing Let’s Encrypt certificates is 100% automated after the initial install, with no ongoing maintenance whatsoever. The goal is to have automated renewals running twice daily, but only executing a renewal attempt if the certificate is less than 30 days from expiration. This gives the client a large buffer of attempts to renew, and the site administrator a month to fix issues if renewal were to break somehow.

There are dozens of large providers who manage this automatically for their clients already, and I would posit that it should not be an ongoing cost to you for maintenance of this process, as it should be automated once configured. This client should be running on the web server itself, as that’s the simplest way for it to be able to also prove control of the domain.
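
For a site owner without shell access, the renewal schedule described in this post can be checked from outside by reading the expiry date of the certificate the site actually serves. The following is an added example, not code from this thread or from any Let’s Encrypt client; the status names and the 7-day `ALERT_MARGIN` are assumptions, and the sample dates are constructed.

```python
import socket
import ssl
from datetime import datetime, timedelta, timezone

RENEW_WINDOW = timedelta(days=30)  # client renews when less than this remains
ALERT_MARGIN = timedelta(days=7)   # assumption: grace before flagging broken automation


def parse_not_after(value):
    """Convert the 'notAfter' string from ssl.getpeercert() to an aware datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def renewal_status(not_after, now):
    """Classify a certificate by the time left before it expires."""
    remaining = not_after - now
    if remaining <= timedelta(0):
        return "expired"
    if remaining < RENEW_WINDOW - ALERT_MARGIN:
        return "renewal-overdue"  # renewal attempts have been failing for over a week
    if remaining < RENEW_WINDOW:
        return "renewal-due"      # inside the window, the client should be renewing now
    return "ok"


def check_host(hostname, port=443, now=None):
    """Fetch the live certificate over TLS and classify it (needs network access)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    not_after = parse_not_after(cert["notAfter"])
    return renewal_status(not_after, now or datetime.now(timezone.utc)), not_after


if __name__ == "__main__":
    # Constructed sample: a 90-day certificate issued 2024-01-01, expiring 2024-03-31.
    expiry = parse_not_after("Mar 31 00:00:00 2024 GMT")
    for day in ("2024-02-15", "2024-03-05", "2024-03-20", "2024-04-02"):
        now = datetime.fromisoformat(day).replace(tzinfo=timezone.utc)
        print(day, renewal_status(expiry, now))
```

Run on a schedule against the real domain with `check_host`, a result of `renewal-overdue` is the signal to contact whoever manages the hosting while there is still time before expiry.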


#7

Thanks for all the information which helped me conclude with the developer that an LE certificate is what I want.

Thread closed.

