How to Renew SSL Certificates?


#1

All of my Let’s Encrypt certificates have expired and I am lost, clicking around trying to figure out how to renew them. All my sites are now lost behind warnings. Help.


#2

Our guide for installing an SSL cert at Installing Free SSL Certificates would apply here, same process for “renewing”, you just go to the Let’s Encrypt panel and “Issue” a new certificate (note that “Reinstalling” is not what you want, that installs the already expired certificate. You want to issue a new one). Frustrating thing of Let’s Encrypt certs is they’re only good for 90 days and if you issue a whole bunch at once they all go at the same time as well. Our plugin tries to renew automatically but rate limits have often prevented that from working reliably (Let’s Encrypt rate limits the amount of domains, subdomains, as well as certs per IP).


#3

With increased pressure by Google and Chrome (same natch) for SSL, some more clarity/emphasis here would help.

First of all, having access to free certificates is hugely appreciated. But if there is some limit to renewal is in the works, it means our certs can go unrenewed and the only way to know this to know to review via cpanel or check site manually. These seems problematic. If anything, some more info to users that they should know, check their expiry date might be warranted. At least for now, I plant to set my own calendar reminders.

There are references to auto renew in the SSL panel- is this what we have or a service offered for $?


#4

Here is the guide that Let’s Encrypt outlines for their rate limits Rate Limits - Let’s Encrypt - Free SSL/TLS Certificates. Where do you see references to auto-renewal? The plugin we use (https://letsencrypt-for-cpanel.com/) in cPanel does advertise automatic renewal and in my experience it does work often that way but there are instances (like the rate limit issue) where users with multiple domains might find the auto-renewal didn’t work. If you find it’s something worth paying for, I would encourage you to buy multi-year certificates rather than relying on free Let’s Encrypt ones which are only good for 90 days. Let me know if I can provide some clarity in any other way.


#5

(Apologies if that sounded snippy). Again the offering of these certificates by Reclaom means I am much more likely to encrypt my sites than before you made them available.

I’m less worried about my own case and more about average users, and thinking it’s not a technical need but just some awareness. If Pat Teacher sets up SSL and starting getting messages for their students colleagues unable to go directly to a course site will they understand the problem?

The panel I was looking at was a place I might go to see what is going on the SSL/TLS status one. I see a long list there (it looks like every domain I have, which makes sense as Reclaim sets up by default certs for all my stuff), not just the 5 I have gone through the Let’s Encrypt one to install certs on. And it looks like I enabled SSL on all my stuff.

This statement might make it appear I have done something wrong, I might not even know what AutoSSL is

I’d be better off going to the Let’s Encrypt panel, which it did show at the top that my certs had expired. But as a normal user, my impulse is to click “Reinstall” where my domain is listed, not doing from below which is the one that works.

I also noted there is, under the Let’s Encrypt settings, an option box to disable email notifications, which should take care, but maybe it’s not working (or I missed the emails)

So nothing is wrong with the set up, but that if we are encouraging people to do SSL, they might miss some of these steps. For myself, I will set up calendar reminders to check before expiry dates.

Thanks!


#6

Ah I can see the confusion here. AutoSSL is a feature of cPanel (seems like everyone is trying to jump on the bandwagon of SSL for everyone, which is a good thing except when there are conflicting messages. I think what likely happened here is that the Let’s Encrypt certificate is overriding the cPanel issued one. I’ll take a look at our server setup to see what makes the most sense going forward. cPanel has limits of its own and they’re a bit more strict (X number of domains per server which is a pretty low number like 100) so we haven’t promoted their option but I didn’t know they had something in the cPanel interface now exposed to end users.

The email thing we did have globally disabled. Maybe something for us to reconsider but you’d be surprised (or maybe not) how many tickets we had from people demanding a refund because we automatically renewed their account when it turned out they received an email that an SSL certificate was renewed. Sigh. I do agree “Reinstall” is perhaps poor wording versus issuing a new one. If anything I wish that plugin would just remove the cert when it expires rather than keep it there, what good is an expired certificate anyway? I’ll also re-evaluate why the auto-renewal wasn’t working for you, while I can’t fully rely on it we should be able to be confident that in most cases it’s working (but the number of certs you had may have been an issue which would be an edge case for our standard user).


#7

I have a post in the works about how we are handling certificates going forward after closely evaluating things the past few weeks, but wanted to respond on this thread with some updated information.

We have identified an issue related to cPanel’s AutoSSL feature that I believe has affected multiple users and is likely the basis of the confusion in this thread as well. When we first started offering Let’s Encrypt integration via a plugin that was the only way to get a free certificate. The plugin afforded us ways to attempt to push out automatic provisioning of certificates for all users and it’s a direction we’ve continued to push on in an attempt to make SSL Everywhere a reality.

When cPanel introduced their AutoSSL feature the default option was for it to be enabled and on many servers this later had to be disabled. For a period of time we had folks using both the LE plugin but also cPanel was issuing certificates as well. Wouldn’t presume that to be a problem, at the end of the day everyone is getting certificates. However cPanel’s AutoSSL feature was sending confusing notifications and in an attempt to clarify things we disabled AutoSSL across the board on all servers and wanted to remain with just the LE plugin. But here’s where it gets tricky. cPanel’s AutoSSL feature has the ability to replace an expiring certificate regardless of who issued it and we had that enabled. The LE plugin cannot replace a certificate that it did not issue. This is why people who previously had SSL certificates were waking up to expired certificates where we thought we had settings in place that would automatically renew things.

I’ve spoken with the developers of the plugin and they are looking to add support for replacing certificates reliably and they may have that available in the next 2-3 months (along with wildcard support!). However I didn’t want to wait 2-3 months to move towards a more secure setup so we have reenabled cPanel’s AutoSSL feature and this week we had all servers attempt to create/renew certificates for every domain hosted by us. This should hopefully mean that regardless of whether anyone was checking for themselves, every domain they host with us should now have a certificate from either Let’s Encrypt or cPanel by default. If the LE plugin adds support for replacing certificates we may move back to using just that and disable cPanel’s AutoSSL feature again. If they don’t we may ditch the plugin and just rely on cPanel’s SSL features going forward. But I’m hopeful that at least we’re making strides to get every domain secure with a certificate now and prevent the unwelcome surprise of an expired certificate.