Understanding LetsEncrypt's SLA

We are using LetsEncrypt as our CA to get wildcard certificates, and we have created our own service using Certes (ACME client) for issuance of certificates. We have a few questions:
1. Does LetsEncrypt follow any SLA for issuance of certificates? If so, what is it?
2. What is the minimum and maximum time that we can expect LetsEncrypt to take for a new certificate or a renewal?
3. Will there be a time difference in LetsEncrypt Production compared to the Staging environment (we have tested with Staging and are planning to move to Production)?

It will be helpful for us if we can get answers to these questions before moving to Production. Thanks in advance.

1 Like

For certificate issuance, we have internal Service Level Objectives (SLOs), but no agreements or guarantees.

When our service is operating normally, you can expect issuance in 2-10 seconds, plus any time required on your side to get ready to answer the ACME challenge. Staging and production often have very different performance if you're comparing milliseconds, but should share that 2-10 second estimate.

We always recommend you design your service so that it can gracefully handle failures or delays on our end.

12 Likes

To add to this: Let's Encrypt recommends renewing 30 days before expiry, so even if there were an outage, with a proper setup this would ultimately cause no issues, as the automated certificate renewal process would have 30 days to renew a certificate, which should be plenty. (Outages are usually in the range of hours, not days, let alone an entire month.)

8 Likes

You must architect your certificate renewal process so that it can fail, possibly multiple times over several hours or even days. Renew earlier than your expiry and allow enough time for problems. It doesn't matter who your CA is (there are many options), they can all temporarily fail.

Even better, use CA failover, so if one CA is constantly failing, switch to another. The ACME client I develop now has this built in (in v6.0-beta; it's a little bit more fancy in that it bases its decision on whether a CA's features match your certificate's requirements), and it's not too hard to build into your own process either.

[also, if Let's Encrypt is good enough for the NSA it's probably good enough for everyone]

7 Likes
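The advice in the replies above (renew 30 days before expiry, tolerate repeated failures, fail over to another CA) can be sketched as follows. This is an added example, not code from the thread or from any ACME client; the issuer callables, CA names and backoff values are hypothetical stand-ins for whatever your client (for example Certes) does to place an order.

```python
import time
from datetime import datetime, timedelta, timezone

RENEW_BEFORE = timedelta(days=30)  # renewal window recommended in the thread

class IssuanceError(Exception):
    """Raised by an issuer callable when a CA fails or times out."""

def renewal_due(not_after, now):
    """True once the certificate is inside the renewal window."""
    return now >= not_after - RENEW_BEFORE

def backoff_delays(attempts, base=60, cap=3600):
    """Exponential backoff in seconds: 60, 120, 240, ... capped at one hour."""
    return [min(cap, base * 2 ** i) for i in range(attempts)]

def renew_with_failover(cas, domain, attempts_per_ca=3, sleep=time.sleep):
    """Try each (name, issue_fn) in order; return (ca_name, cert, log)."""
    log = []
    delays = backoff_delays(attempts_per_ca)
    for name, issue in cas:
        for attempt, delay in enumerate(delays):
            try:
                cert = issue(domain)
                log.append((name, "ok"))
                return name, cert, log
            except IssuanceError as exc:
                log.append((name, f"failed: {exc}"))
                if attempt < len(delays) - 1:
                    sleep(delay)  # wait before retrying the same CA
    return None, None, log  # every CA failed; caller retries on the next run

def demo():
    """Constructed scenario: primary CA is down, backup fails once then works."""
    calls = {"backup": 0}
    def primary(domain):  # hypothetical issuer: simulated outage
        raise IssuanceError("503 from CA")
    def backup(domain):   # hypothetical issuer: one transient failure
        calls["backup"] += 1
        if calls["backup"] == 1:
            raise IssuanceError("timeout")
        return f"CERT({domain})"
    sleeps = []  # record delays instead of actually sleeping
    cas = [("primary-ca", primary), ("backup-ca", backup)]
    name, cert, log = renew_with_failover(cas, "*.example.com", sleep=sleeps.append)
    return name, cert, log, sleeps

if __name__ == "__main__":
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    print(renewal_due(now + timedelta(days=29), now), demo())
```

When every CA fails, the function returns `None` rather than raising, so a scheduled job can simply run again later while the existing certificate is still valid.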

I think they are more concerned with new issuances than renewals:

[but maybe I'm reading that too literally]

5 Likes

:wink:

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.