I have a paid certificate that’s about to expire soon.
I would like to use a Let’s Encrypt cert as a replacement for this one.
What is the appropriate procedure to do this?
Info: Digicert - Still don’t have any lets encrypt stuff installed
My domain is: accordsalud.com.ar
I ran this command: nothing yet since I’m new to this
It produced this output: -
My web server is (include version): Apache 2.2
The operating system my web server runs on is (include version): CentOS 6.3
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): nothing installed yet since I’m requesting some kind of step-by-step procedure
You can have as many valid (and invalid; my webserver has two LE certs and one self-signed cert, works fine) certs as you want simultaneously. The browser will pick one.
Install certbot, let it do its magic.
Be careful that it does not remove the current certificate. When old one expires, you’ll have one cert instead of two.
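The switch described above, as an added example for the Apache 2.2 vhost in this thread (this is not configuration from the thread or from certbot itself). It assumes certbot has already obtained a certificate and written it under /etc/letsencrypt/live/accordsalud.com.ar/; the paths of the old DigiCert files are placeholders. The old directives are only commented out, so the paid certificate stays on disk and a rollback is a one-line change.

```apache
<VirtualHost *:443>
    ServerName accordsalud.com.ar
    SSLEngine on

    # Previous paid certificate: left on disk and only commented out, so it
    # can be restored by uncommenting these three lines. Paths are placeholders.
    #SSLCertificateFile      /etc/pki/tls/certs/accordsalud.com.ar.crt
    #SSLCertificateKeyFile   /etc/pki/tls/private/accordsalud.com.ar.key
    #SSLCertificateChainFile /etc/pki/tls/certs/digicert-intermediate.crt

    # Let's Encrypt files as certbot writes them. The "live" entries are
    # symlinks that certbot repoints on every renewal, so the paths stay stable.
    SSLCertificateFile      /etc/letsencrypt/live/accordsalud.com.ar/cert.pem
    SSLCertificateKeyFile   /etc/letsencrypt/live/accordsalud.com.ar/privkey.pem
    # Apache 2.2 (anything before 2.4.8) does not read the intermediate from
    # fullchain.pem, so the chain must be given separately. Without it, clients
    # that do not already cache the Let's Encrypt intermediate fail validation.
    SSLCertificateChainFile /etc/letsencrypt/live/accordsalud.com.ar/chain.pem
</VirtualHost>
```

Run `apachectl configtest` before `service httpd reload`; a reload (not a restart) is also what certbot's renewal hook should trigger so the renewed files are picked up.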
You are currently using/paying for an Extended Validation certificate – you won’t get one of those from LE.
You are currently using a cert from Cloudflare, not the one from DigiCert that expires on March 8. This means that the only use for your SSL cert is to communicate with Cloudflare’s reverse proxy, and you can do that with one of Cloudflare’s own certs.
“You are currently using/paying for an Extended Validation certificate – you won’t get one of those from LE.” Thank you! That’s fine.
“You are currently using a cert from Cloudflare, not the one from DigiCert that expires on March 8.” Yes, I saw it in https://lookup.icann.org/. So, why does the cert say DigiCert?
“This means that the only use for your SSL cert is to communicate with Cloudflare’s reverse proxy, and you can do that with one of Cloudflare’s own certs.” Ok, got it, but in any case I can still replace this with LE, right? Or is there something I have to do?
Understood! Last question then would be: does this statement -> “The cert on your server is from digicert, but nobody actually connects to your server other than cloudflare, so nobody will see that cert.” mean that the DigiCert certificate allocated on the server itself was purchased/paid for but not used? In other words, does it mean it was a waste of money?
It was used, but only to secure the data transfer between you & cloudflare. Cloudflare has several settings regarding SSL that can be set for your domain. You don’t HAVE to use cloudflare to secure the data. However, it’s a good security measure to have in place. I will say that you paid extra for EV that was never used. The only reason you would want EV is for your company name to show up on the green lock in the address bar. Since you were behind cloudflare, the EV features were never used, so that part of it was wasted.
Note: most browsers (except the old Edge) no longer show this; EV certificates are no different from DV certificates unless you go into the certificate information menu, something almost nobody ever does, and are almost always a waste of money.
One thing you can do, since all your site’s traffic runs through Cloudflare, is use their origin certificate authority and get a free cert that is only valid for Cloudflare; these can be issued for much longer periods of time as well.
Not entirely... Your DigiCert certificate was renewed (and probably paid for) for the last time on 2019-01-08 and is valid for 14 months. Your CloudFlare certificate was issued on 2019-07-17, which is about 6 months after you got your DigiCert certificate. Therefore, you’ve “wasted” about 57 % of the money you’ve paid for your DigiCert certificate.
Then again, you didn’t get CloudFlare when you bought the DigiCert certificate and I don’t know if DigiCert even sells certificates with a lifetime of less than one year. So you didn’t really “have a choice” back then. (Of course, Let’s Encrypt already existed then, but hey, that’s a different story.)
I personally use Cloudflare with the Full (Strict) option and LE to secure the traffic between my server & Cloudflare. With automated renewals, the maintenance is minimal.
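Two points in this thread are easy to verify on your own machine: the certificate that visitors see is the one the Cloudflare edge presents, not the one installed on the origin, and with Full (Strict) the origin must still present a certificate that validates for the hostname. The following script is an added example written for this thread, not code from the thread, from Cloudflare or from certbot. It uses only the Python standard library: `peer_cert()` fetches the leaf certificate a TLS client sees for a hostname (optionally connecting to the origin's address while sending the hostname in SNI, which is exactly the check Full (Strict) performs), and `summarize()` reduces it to issuer, subject and remaining validity. The two certificate dictionaries at the top are constructed sample data in the shape `getpeercert()` returns; their names and dates are illustrative, not real certificates.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone

# Constructed sample certificates in the shape ssl.SSLSocket.getpeercert()
# returns (illustrative names and dates, not real certificates).
CONSTRUCTED_PUBLIC = {  # what a client sees when it connects through the CDN edge
    "subject": ((("commonName", "example-cdn-shared.invalid"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Example CDN CA"),),
               (("commonName", "Example CDN CA ECC-1"),)),
    "notBefore": "Jul 17 00:00:00 2019 GMT",
    "notAfter": "Jul 16 12:00:00 2020 GMT",
}
CONSTRUCTED_ORIGIN = {  # what is installed on the origin web server itself
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Example EV CA"),),
               (("commonName", "Example EV CA G2"),)),
    "notBefore": "Jan  8 00:00:00 2019 GMT",
    "notAfter": "Mar  8 12:00:00 2020 GMT",
}
EXAMPLE_NOW = datetime(2020, 2, 20, tzinfo=timezone.utc)  # fixed "now" for the sample data


def peer_cert(host, port=443, servername=None, timeout=10):
    """Open a verified TLS connection and return the leaf certificate as the
    dict getpeercert() produces. `host` may be the origin's IP address while
    `servername` carries the public hostname for SNI and hostname checking,
    so a failure here is what Cloudflare's Full (Strict) mode would reject."""
    servername = servername or host
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=servername) as tls:
            return tls.getpeercert()


def _name_field(rdns, key):
    # getpeercert() encodes a name as a tuple of RDNs, each a tuple of (key, value) pairs
    for rdn in rdns:
        for k, v in rdn:
            if k == key:
                return v
    return None


def _cert_time(value):
    # getpeercert() dates are strings like "Mar  8 12:00:00 2020 GMT"; the ssl
    # module parses that exact format into epoch seconds (interpreted as UTC).
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), timezone.utc)


def summarize(cert, now=None):
    """Reduce a certificate dict to what matters for a swap: who issued it,
    for which name, whether it is valid now, and how many days remain."""
    now = now or datetime.now(timezone.utc)
    not_before = _cert_time(cert["notBefore"])
    not_after = _cert_time(cert["notAfter"])
    return {
        "subject_cn": _name_field(cert["subject"], "commonName"),
        "issuer_org": _name_field(cert["issuer"], "organizationName"),
        "not_before": not_before,
        "not_after": not_after,
        "days_left": (not_after - now).days,
        "valid_now": not_before <= now <= not_after,
    }


def issuer_differs(cert_a, cert_b):
    """True when two leaf certificates were issued by different organisations,
    e.g. the CDN edge certificate versus the certificate on the origin."""
    return (_name_field(cert_a["issuer"], "organizationName")
            != _name_field(cert_b["issuer"], "organizationName"))


if __name__ == "__main__":
    # usage: python check_cert.py www.example.com [origin-ip-or-hostname]
    name = sys.argv[1]
    public = summarize(peer_cert(name))
    print("public view :", public)
    if len(sys.argv) > 2:
        # Connect to the origin directly but keep SNI/hostname checks on `name`.
        origin_cert = peer_cert(sys.argv[2], servername=name)
        print("origin view :", summarize(origin_cert))
        print("issuer differs between edge and origin:",
              issuer_differs(peer_cert(name), origin_cert))
```

Run it with only the hostname to see the edge certificate; add the origin's address as a second argument to see the origin certificate and whether the two are issued by different CAs. If the origin connection raises an `ssl.SSLCertVerificationError`, the origin certificate is not valid for the hostname (expired, wrong name, or missing intermediate), which is the condition that breaks Full (Strict).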