My Experience With an SSL Expiration from Hell
If you weren’t sure how important a current SSL certificate is to your site’s traffic, let me just tell you about it.
I was on vacation for 3 weeks during which time my daughter was married. So, naturally, I had no time to check the stats of this site, or to even look at the home page.
When I returned home and checked my Google Analytics, I was flabbergasted to find that my traffic had dropped dramatically since July 6th. Like, tanked!
When I clicked on my own site, a “Your connection is not private” page popped up instead of my home page.
But this shouldn’t be, I told myself. This site is certified by Let’s Encrypt, a free service to encrypt everything on the Internet. I employed their services last year, when I moved the site to a new server at Cloudways, and set it up because it was free and easy. The certificate expired every three months and it automatically renewed, as it was set to do.
Only this time it didn’t renew!
At Cloudways, I chatted with Sakeeb who informed me of the glitch with the Renewal function and then said the fault was with Let’s Encrypt, not Cloudways. And since chatting with me, several more users were reporting the same problem!
I soon found my site was not only scaring away readers, the SSL expiration made it a pain to log into and virtually unworkable inside.
About Let’s Encrypt
Let’s Encrypt is the great democratizer of Certificate Authorities. Provided by the Internet Security Research Group (ISRG), it offers free certificates and easy installation, often through web hosts. Here are its key principles:
• Free: Anyone who owns a domain name can use Let’s Encrypt to obtain a trusted certificate at zero cost.
• Automatic: Software running on a web server can interact with Let’s Encrypt to painlessly obtain a certificate, securely configure it for use, and automatically take care of renewal.
• Secure: Let’s Encrypt will serve as a platform for advancing TLS security best practices, both on the CA side and by helping site operators properly secure their servers.
• Transparent: All certificates issued or revoked will be publicly recorded and available for anyone to inspect.
• Open: The automatic issuance and renewal protocol will be published as an open standard that others can adopt.
• Cooperative: Much like the underlying Internet protocols themselves, Let’s Encrypt is a joint effort to benefit the community, beyond the control of any one organization.
That’s all well and good until something prevents a site’s ability to renew the certificate automatically and there goes your traffic!
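One way to catch a stalled auto-renewal before visitors do, as an added example that is not part of the original post or of Let’s Encrypt’s or Cloudways’ tooling: a small Python check that reads a certificate’s expiry date and flags it when renewal should already have happened. The 30-day renewal window, the function names and the sample dates (including the year) are assumptions made for illustration.

```python
import socket
import ssl
from datetime import datetime, timedelta, timezone

# Assumption: a healthy auto-renewal replaces the certificate at least 30 days before expiry.
RENEW_BEFORE = timedelta(days=30)


def parse_not_after(not_after):
    """Parse the 'notAfter' string format returned by SSLSocket.getpeercert()."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)


def renewal_status(not_after, now):
    """Classify a certificate as ok, renewal-overdue or expired."""
    expires = parse_not_after(not_after)
    if now >= expires:
        return "expired"
    if expires - now <= RENEW_BEFORE:
        return "renewal-overdue"  # still valid, but auto-renewal has not run
    return "ok"


def check_host(host, port=443, now=None):
    """Connect the way a browser would and report the certificate state."""
    now = now or datetime.now(timezone.utc)
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return renewal_status(tls.getpeercert()["notAfter"], now)
    except ssl.SSLCertVerificationError as err:
        # An already-expired certificate fails the handshake, so there is no
        # notAfter to read; report the verifier's reason instead.
        return "invalid: " + err.verify_message
    except OSError as err:
        return "unreachable: " + str(err)


if __name__ == "__main__":
    # Constructed sample: a certificate expiring on 6 July, checked on three dates.
    sample = "Jul  6 12:00:00 2018 GMT"
    for day in ("2018-05-01", "2018-06-20", "2018-07-07"):
        when = datetime.fromisoformat(day).replace(tzinfo=timezone.utc)
        print(day, renewal_status(sample, when))
```

Run `check_host()` against your own domain from a daily scheduled job and alert on anything other than `ok`; the `renewal-overdue` state is the early warning that leaves weeks to fix a broken renewal.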
Let’s Encrypt’s dark side
SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser.
The rush to encrypt and certify websites as safe for users came after Google announced they would afford ranking preference to sites that have encryption. So naturally, everyone and their brother has been scooping up free SSL certificates, including owners of nefarious sites.
It’s easy to confuse encryption with Extended Domain Validation as signified by the “green bar” https and the padlock in the address bar.
And since Let’s Encrypt is open and democratic, it extends the free service to phishing sites too, as revealed by the SSL provider’s transparency logs.
This post on SSLstore.com says, “Between January 1st, 2016 and March 6th, 2017, Let’s Encrypt has issued a total of 15,270 SSL certificates containing the word ‘PayPal.’”
So, what does it tell you about the trustability of Let’s Encrypt certificates when even phishing sites can be certified as encrypted?
Beyond Let’s Encrypt
As I type this I’m in the process of installing a new, paid SSL.com certificate on my site’s server. The process is a lot more complicated than the Let’s Encrypt installation but, again, what does that say about free and easy?
I guess we all want free and easy in the beginning and are willing to enjoy it as long as it works. But as soon as it doesn’t work, that is a good sign that it’s time to move on.
Hopefully, by the time you read this post, there will be no “Your connection is not private” pages popping up first.
How about you? Have you had problems with certificate expiration or with Let’s Encrypt or other Certificate Authorities? Please let me know what happened.