Problem with Let's Encrypt Certificate

Sun Feb 19 13:39:43 UTC 2017

> That's one of the reasons I don't like Let's Encrypt, with one year certs it is easier to look at the certs and see what is going to expire in the coming month needing a new private key.

I use dehydrated (with Cloudflare DNS challenges) and as far as I know, it seems to generate a new private key every time. All newly generated certs are generated with the timestamp in the filenames and the soft links updated to point to the latest timestamped files. I have 4 domains each with an average of 70 alt names, so Let’s Encrypt is saving me money. I simply run the dehydrated script every week in a cron job to regenerate the certs (if there is less than 30 days until the current cert is set to expire) and rotate in any new certs.

Of course, I run my sites using Docker and it is very easy to automate renewing certs. Note that I had the dehydrated script fail occasionally (mostly with 500 Server Busy errors for the Let’s Encrypt ACME server that sometimes cause me to have to wait a week before the script will succeed).

Automating cert renewal and cert rotation into production using Let’s Encrypt and Docker is a huge win for me, and has taken the pain out of manually doing this once a year for each domain (and paying high fees for the privilege). And using the DNS-01 challenge type means that I can easily generate certs for my mail domain (that doesn’t have a web server). In fact, using Cloudflare DNS is free so even DNS for my mail domain doesn’t cost anything.

Kevin

> On Feb 19, 2017, at 2:00 AM, Michael A. Peters <mpeters at domblogger.net> wrote:
> 
> On 02/18/2017 10:24 PM, Robert L Mathews wrote:
>> On 2/17/17 1:38 PM, chaouche yacine wrote:
>> 
>>> Seems wrong to me too, Robert. If you put your private key inside
>>> your certificate, won't it be sent to the client along with it ?
>> 
>> No; any SSL software that uses the file will extract the parts it needs
>> from it and convert them to its internal format for future use. It never
>> literally sends the file contents anywhere.
>> 
>> It's common and often recommended for a PEM file to contain everything
>> needed; see, for example, the bottom section of:
>> 
>> https://www.digicert.com/ssl-support/pem-ssl-creation.htm
>> 
>> Doing this avoids the key and certificate files getting out of sync later.
>> 
> 
> I don't use Let's Encrypt but to avoid them getting out of sync, I simply put a time stamp in the filename, e.g.
> 
> /etc/pki/tls/private/deviant.email-20160427.key
> /etc/pki/tls/certs/deviant.email-20160427.crt
> 
> I never re-use a private key, when a cert expires I always generate a new private key with a new CSR.
> 
> That's one of the reasons I don't like Let's Encrypt, with one year certs it is easier to look at the certs and see what is going to expire in the coming month needing a new private key.
> 
> Let's Encrypt does 3 month certs and re-uses the private key when it generates a new cert.
> 
> I'm sure it probably could be scripted to use a new private key every time but then I have to have to update the TLSA record frequently (and you have to have the new fingerprint TLSA record in DNS before you start using it) and that would be a hassle.
> 
> I'm sure it probably could also be scripted to use a new private key every fourth time, too.
> 
> But for me its just easier to have certs that last a year and I can easily visually see what is going to need my action.