In case you haven’t noticed, this is a FREE service made possible by sponsors. It’s not “unprofessional” because it’s not a “professional” service. You get what you pay for, and you have paid nothing.
The time frame is 3 months because that is required in order to reduce the scope for abuse of the FREE service.
If you want professional support, SLAs, long certificate time spans, use one of the many and varied commercial options.
Waiting till the cert has expired makes you unprofessional. LE sends an email 15 days prior to the cert expiring. There is no excuse for not renewing certs before expiration. Moreover, this should be an automated process. Not a manual one.
Great! Thank you for the information. Will keep checking for updates.
http://letsencrypt.status.io/ says it’s pretty big,
“Service Disruption” on all but the website.
Got the same here (a week to go). It seems from a netstat -l while certbot is running that it’s not listening on port 443 (or indeed any port) so it’s hardly surprising there’s no response.
(edit) Jumping in before full diagnostics. I can see what’s happening now and will wait patiently
Thank you for sharing your thoughts. The renew script is in the cronjob already. Instead of just sending email alerts that do nothing to tell me there’s an issue, so I leave it alone as the crontab is in place, perhaps the email can carry the error – and the documentation can be a bit more helpful in how to remove a domain, etc, as discussed above.
Anyway, we have now learned our lesson. This ‘free’ service is OK for toy sites or personal blogs. Not for anything beyond.
So now, you know that instead of complaining about a free service that you use in a professional environment you should buy an SSL certificate from an authority that matches your needs?
Moreover I also use Letsencrypt for a part of my enterprise services and I don’t have any problem since the certificates are always renewed on time, not the day before it expires. Right now I just cannot issue new ones. And these websites I’m speaking of are not ‘toys’, I can assure you.
Hi,
If you run Apache with cPanel/WHM, you can do a temporary fix: you can disable OCSP Stapling within the Apache configuration and restart Apache to apply the changes. With OCSP Stapling disabled, the browser now checks the revocation status, rather than the server itself. This reduces the burden from the server, and eliminates the possibility of this issue occurring again (unless OCSP Stapling is re-enabled and this happens again).
The directive is as follows: SSLUseStapling off
This directive cannot be controlled from WHM, it needs to be manually configured using an access method such as SSH or sFTP.
The official recommendation is that you set your cron task to run every day checking expiration dates of your certificates, and request replacement for certificates that have ≤30 days of validity left (e.g. just running certbot renew). With proper setup you’d have a 30-day buffer to try to request a fresh certificate and still have a valid one in place.
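Added example, not part of any post in this thread and not Let's Encrypt's or certbot's own code: a daily cron wrapper for the setup described above, which also puts the renewal error into the output that cron mails, the gap raised earlier in the thread. The LIVE_DIR path, the 7-day escalation threshold, the install path in the crontab line and the report wording are assumptions, as is the renewal command exiting non-zero on failure.

```shell
#!/bin/sh
# Added example: daily cron wrapper around the renewal command from the post.
# LIVE_DIR, CRITICAL_DAYS and the report wording are assumptions of this sketch.

RENEW_CMD=${RENEW_CMD:-"certbot renew"}        # command named in the post
LIVE_DIR=${LIVE_DIR:-/etc/letsencrypt/live}    # assumed certificate location
WINDOW_DAYS=30                                 # buffer from the recommendation
CRITICAL_DAYS=7                                # assumed escalation threshold

# True (exit 0) when certificate $1 expires within $2 days.
# "openssl x509 -checkend" exits 0 only if the cert is still valid after that
# many seconds, so an unreadable or unparsable file also counts as expiring.
expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Run the renewal. Stay silent on success; on failure print the captured error
# and the certificates whose buffer is being used up, then return the renewal
# command's exit status so cron mails a report that contains the actual error.
renew_and_report() {
    status=0
    output=$($RENEW_CMD 2>&1) || status=$?
    if [ "$status" -eq 0 ]; then
        return 0
    fi
    echo "Renewal command failed with exit status $status. Output:"
    echo "$output"
    for cert in "$LIVE_DIR"/*/cert.pem; do
        [ -e "$cert" ] || continue            # glob matched nothing
        if expires_within "$cert" "$CRITICAL_DAYS"; then
            echo "CRITICAL: $cert expires within $CRITICAL_DAYS days"
        elif expires_within "$cert" "$WINDOW_DAYS"; then
            echo "WARNING: $cert is inside the $WINDOW_DAYS-day renewal window"
        fi
    done
    return "$status"
}

# Example crontab line (assumed install path), once a day:
#   17 3 * * * /usr/local/bin/le-renew.sh run
if [ "${1:-}" = run ]; then
    renew_and_report
fi
```

During an outage like the one in this thread, the daily mail then shows both the CA-side error and how much of the 30-day buffer each certificate has left.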
As was pointed out by several others over the course of this thread the error is a result of an ongoing service disruption. Please follow status.letsencrypt.org for more information. We should have all of the remaining issues resolved shortly.
In the meantime I’m going to lock this thread since there isn’t a need for further discussion on this particular error. Please open a new thread if you need to resume discussion.
Thanks for your patience, we apologize for the disruption and I expect more detailed root cause information will be shared in the near future.