What is the proper procedure to replace an existing paid certificate with Let's Encrypt

I have a paid certificate that’s about to expire soon.

I would like to use a Let's Encrypt cert in replacement of this one.

What is the appropriate procedure to do this?

Info: DigiCert - Still don’t have any Let's Encrypt stuff installed

My domain is: accordsalud.com.ar

I ran this command: nothing yet since I’m new to this

It produced this output: -

My web server is (include version): Apache 2.2

The operating system my web server runs on is (include version): CentOS 6.3

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): nothing installed yet since I’m requesting for some kind of step by step or procedure

1 Like

Hi @no_spaces

There is no procedure. Start with some basics.

If you have root access, select a client.

Then create a certificate and install it. That replaces your current certificate.

If you don't have root access, your options are limited. Then it may be impossible to use a Let's Encrypt certificate.

1 Like

You can have as many valid (and invalid, my webserver has two LE certs and one self-signed cert, works fine) certs as you want simultaneously. Browser will pick one.

Install certbot, let it do its magic.

Be careful that it does not remove the current certificate. When the old one expires, you’ll have one cert instead of two.

1 Like

However, please note:

  • You are currently paying for an Extended Validation certificate – you won’t get one of those from LE.
  • You are currently using a cert from Cloudflare, not the one from DigiCert that expires on March 8. This means that the only use for your SSL cert is to communicate with Cloudflare’s reverse proxy, and you can do that with one of Cloudflare’s own certs.

3 Likes

  • You are currently paying for an Extended Validation certificate – you won’t get one of those from LE.
    Thank you! That’s fine.

  • You are currently using a cert from Cloudflare, not the one from DigiCert that expires on March 8.
    Yes, I saw it in https://lookup.icann.org/. So, why does the cert say DigiCert?

  • This means that the only use for your SSL cert is to communicate with Cloudflare’s reverse proxy, and you can do that with one of Cloudflare’s own certs.
    OK, got it, but in any case I can still replace this with LE, right? Or is there something I have to do?

You can replace that with LE, it's probably even easier.

The cert on your server is from DigiCert, but nobody actually connects to your server other than Cloudflare, so nobody will see that cert.

Everybody else just connects to Cloudflare using a cert they made for you.

1 Like
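
The difference described in the replies above (visitors see the certificate on the proxy, only the proxy sees the one on the origin) can be checked with the `openssl` command-line tool. This is an added example, not part of any post in the thread; the function names, `www.example.com` and `ORIGIN_IP` are placeholders, and it assumes `openssl` is installed.

```shell
# Added example: compare the certificate visitors see with the one on the origin.

# Print issuer, subject and expiry date of a PEM certificate read from stdin.
cert_summary() {
    openssl x509 -noout -issuer -subject -enddate
}

# Succeed only if the PEM certificate on stdin stays valid for at least $1 days.
valid_for_days() {
    openssl x509 -noout -checkend "$(( $1 * 86400 ))" >/dev/null
}

# Fetch the leaf certificate served on $2:443 for SNI name $1.
# With one argument it connects to whatever DNS returns (the proxy, if proxied).
fetch_cert() {
    openssl s_client -connect "${2:-$1}:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509
}

# Report whether two PEM files were issued by the same CA.
# $1 = certificate seen at the edge, $2 = certificate installed on the origin.
compare_issuers() {
    edge=$(openssl x509 -noout -issuer -in "$1")
    origin=$(openssl x509 -noout -issuer -in "$2")
    if [ "$edge" = "$origin" ]; then echo same; else echo different; fi
}

# Offline sample input: a constructed self-signed certificate.
# $1 = output file, $2 = common name, $3 = validity in days.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" \
        -out "$1" -days "$3" -subj "/CN=$2" 2>/dev/null
}

# With network access (ORIGIN_IP is a placeholder for the server's own address):
#   fetch_cert www.example.com > edge.pem
#   fetch_cert www.example.com ORIGIN_IP > origin.pem
#   cert_summary < edge.pem; cert_summary < origin.pem
#   compare_issuers edge.pem origin.pem
#   valid_for_days 30 < origin.pem || echo "origin cert expires within 30 days"
```

Running the expiry check against the origin certificate matters when the proxy is set to validate it, because visitors never see that certificate's expiry date themselves.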

Understood! Last question then would be: does this statement -> “The cert on your server is from digicert, but nobody actually connects to your server other than cloudflare, so nobody will see that cert.” mean that the DigiCert certificate allocated on the server itself was purchased/paid for, but not used? In other words, does it mean it was a waste of money?

1 Like

It was used, but only to secure the data transfer between you & Cloudflare. Cloudflare has several settings regarding SSL that can be set for your domain. You don’t HAVE to use Cloudflare to secure the data. However, it’s a good security measure to have in place. I will say that you paid extra for EV that was never used. The only reason you would want EV is for your company name to show up on the green lock in the address bar. Since you were behind Cloudflare, the EV features were never used, so that part of it was wasted.

3 Likes

Note: Most browsers (except the old Edge) no longer show this. EV certificates are no different from DV certificates unless you go into the certificate information menu, something almost nobody ever does, and are almost always a waste of money.

One thing you can do: since all your site's traffic runs through Cloudflare, you can use their origin certificate authority and get a free cert that is only valid for Cloudflare. These can be issued for much longer periods of time as well.

4 Likes

Not entirely. Your DigiCert certificate was renewed (and probably paid for) for the last time on 2019-01-08 and is valid for 14 months. Your Cloudflare certificate was issued on 2019-07-17, which is about 6 months after you got your DigiCert certificate. Therefore, you've "wasted" about 57 % of the money you've paid for your DigiCert certificate.

Then again, you didn't have Cloudflare when you bought the DigiCert certificate and I don't know if DigiCert even sells certificates with a lifetime of less than one year. So you didn't really "have a choice" back then. (Of course, Let's Encrypt already existed then, but hey, that's a different story.)

2 Likes

...which isn't happening with most current browsers any more anyway. EV is well and truly dead.

3 Likes

I heard middle of last year it was coming, didn't realize it was already implemented.

1 Like

I personally use Cloudflare with the Full (Strict) option and LE to secure the traffic between my server & Cloudflare. With automated renewals, the maintenance is minimal.

2 Likes

Gentlemen, today, I’ve learned new things thanks to your postings, so, thank you very much! Now, it’s my turn.

Best regards to all of you!

1 Like
