Change from Sectigo to Let's Encrypt
Hi,
There are issues with Sectigo right now and we would want to switch to Let's Encrypt.
Some of our servers have 700 domains each. Will the switch be seamless in regard to rate limits?
Also we would like to know what would happen if we migrate an entire server to a new one (for example if it has a hardware issue). Will all certificates be re-issued?
Thanks,
Ignacio
-
Hey there! The issue isn't so much with the number of domains, but with the number of domains per vhost/certificate. Details on that can be found here:
https://letsencrypt.org/docs/rate-limits/
As long as you are under those limits, you'll be just fine.
All certificates get reissued when migrated to new hardware, yes. It just treats that as an entirely new certificate request since it would likely be coming from a new IP address.
-
Hi cPRex:
"The issue isn't so much with the number of domains, but with the number of domains per vhost/certificate."
Are you sure about that?
Yes, Let's Encrypt has a limit of 50 certificates per registered domain and 100 names per certificate - but they also have:
a maximum of 300 New Orders per account per 3 hours. A new order is created each time you request a certificate from the Boulder CA, meaning that one new order is produced in each certificate request. Exceeding the New Orders limit is reported with the error message too many new orders recently.
- which I suspect will be reached if all 700 domains per server tried renewing within the same 3 hour window.
However, if the majority of the sites on each server have slightly different renewal times and the server is switched from Sectigo to Let's Encrypt, then this is unlikely to pose a problem as the existing certificates will only be replaced upon renewal which will be staggered (and if the server does hit a rate limit the certificates will still be valid for a few more days allowing reattempts for the remaining domains).
"All certificates get reissued when migrated to new hardware, yes."
Again, are you sure? I'm pretty sure if you use the Transfer Account tool (or similar) it copies over the public and private keys from the old server and so the certificates will not automatically need reissuing (just when the certificates come up for standard expiration)
-
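As an added illustration (not part of the thread, and not cPanel or Let's Encrypt code), the reasoning in the reply above can be checked with a small Python model of the "New Orders" window. It uses the figures quoted in the reply (300 new orders per account per 3 hours) as assumptions; the actual limits and their exact window semantics are defined by the page linked earlier and may have changed since. The model schedules each requested order at the earliest time the trailing window has room, then compares a bulk cutover of 700 domains against renewals that are staggered across a 90-day certificate lifetime. The lifetime, the 30-day renewal lead and the uniform spread are constructed sample inputs, not data from the thread.

```python
from bisect import bisect_right, insort
from datetime import datetime, timedelta

# Limit figures as quoted in the thread (assumed here; verify against the
# current Let's Encrypt rate-limit documentation before relying on them).
NEW_ORDERS_LIMIT = 300
NEW_ORDERS_WINDOW = timedelta(hours=3)


def max_orders_in_window(order_times, window=NEW_ORDERS_WINDOW):
    """Largest number of orders that fall inside any window of the given length.

    Two orders exactly `window` apart are treated as being in different windows.
    """
    times = sorted(order_times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] >= window:
            start += 1
        best = max(best, end - start + 1)
    return best


def schedule_orders(requested, limit=NEW_ORDERS_LIMIT, window=NEW_ORDERS_WINDOW):
    """Issue each requested order at the earliest time >= its request time at which
    fewer than `limit` orders fall in the trailing window (candidate - window, candidate].

    Models a client that retries once the window has room instead of giving up.
    Returns (issued_times, deferred_count, max_delay).
    """
    issued = []  # kept sorted, may contain future (deferred) issuance times
    deferred = 0
    max_delay = timedelta(0)
    for t in sorted(requested):
        candidate = t
        while True:
            lo = bisect_right(issued, candidate - window)  # first order inside the window
            hi = bisect_right(issued, candidate)           # one past the last order <= candidate
            if hi - lo < limit:
                break
            # Window is full: wait until the oldest in-window order ages out of it.
            candidate = issued[lo] + window
        insort(issued, candidate)
        if candidate > t:
            deferred += 1
            max_delay = max(max_delay, candidate - t)
    return issued, deferred, max_delay


def bulk_cutover(n_domains, t0):
    """Constructed scenario: every domain is switched and renewed at the same moment."""
    return [t0] * n_domains


def staggered_renewals(n_domains, t0, lifetime=timedelta(days=90)):
    """Constructed scenario: existing certificate expiry dates are spread evenly across
    one lifetime, so renewals (each a fixed lead time before expiry) are spread the same way."""
    step = lifetime / n_domains
    return [t0 + step * i for i in range(n_domains)]


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1)
    for name, requests in (("bulk cutover", bulk_cutover(700, t0)),
                           ("staggered", staggered_renewals(700, t0))):
        issued, deferred, delay = schedule_orders(requests)
        print(f"{name:13s} peak requested/3h={max_orders_in_window(requests):4d} "
              f"peak issued/3h={max_orders_in_window(issued):4d} "
              f"deferred={deferred:4d} max delay={delay}")
```

With 700 domains and the quoted limit, the bulk cutover gets 300 orders issued immediately, 300 three hours later and the last 100 after six hours, so the model reports 400 deferred orders and a worst-case delay of six hours; the staggered schedule spaces renewals about 3.09 hours apart and is never throttled. The six-hour delay is harmless only because, as the reply notes, the existing certificates remain valid while the client retries.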
I'm never *sure* about anything anymore!
If you transfer the account it will move the active certificate if it exists, yes, but will reissue anything if it needs to. So either way on that one it should just work. In general with AutoSSL, we really tried to get the "Auto" part to work so users don't have to worry about these things.
For the domain limit, it's possible that it's reached, but Let's Encrypt wouldn't overwrite the existing Sectigo certs immediately when the switch happens as that is delayed until they come up for renewal, so it shouldn't be an issue.
-
Thanks cPRex
What about the ssl for services? (FTP, exim, WHM, cpanel). Will they be re-issued using Sectigo despite the fact that I switched to Let's Encrypt?
I ask this because according to the documentation it says: "This plugin does not generate hostname certificates for your system's services. It only generates SSL certificates for your cPanel accounts."
Ignacio
-
That's correct - at this time, the hostname certificate is still issued through Sectigo as that uses a different issuing process than the SSLs for the domains. This will likely get changed at some point in the future.
-
Thanks Mr Rex!
-
You're very welcome!