Change from Sectigo to Let's Encrypt

Comments

7 comments

  • cPRex Jurassic Moderator

    Hey there!  The issue isn't so much with the number of domains, but with the number of domains per vhost/certificate.  Details on that can be found here:

    https://letsencrypt.org/docs/rate-limits/

    As long as you are under those limits, you'll be just fine.

    All certificates get reissued when migrated to new hardware, yes.  It just treats that as an entirely new certificate request since it would likely be coming from a new IP address.

    0
  • rbairwell

    Hi cPRex:

    "The issue isn't so much with the number of domains, but with the number of domains per vhost/certificate."

    Are you sure about that?

    Yes, Let's Encrypt has a limit of 50 certificates per registered domain and 100 names per certificate - but they also have:

    "a maximum of 300 New Orders per account per 3 hours. A new order is created each time you request a certificate from the Boulder CA, meaning that one new order is produced in each certificate request. Exceeding the New Orders limit is reported with the error message too many new orders recently."

    - which I suspect will be reached if all 700 domains per server tried renewing within the same 3 hour window.

    However, if the majority of the sites on each server have slightly different renewal times and the server is switched from Sectigo to Let's Encrypt, then this is unlikely to pose a problem as the existing certificates will only be replaced upon renewal which will be staggered (and if the server does hit a rate limit the certificates will still be valid for a few more days allowing reattempts for the remaining domains).

    "All certificates get reissued when migrated to new hardware, yes."

    Again, are you sure? I'm pretty sure if you use the Transfer Account tool (or similar) it copies over the public and private keys from the old server and so the certificates will not automatically need reissuing (just when the certificates come up for standard expiration)

    1
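The New Orders arithmetic from the comment above, as an added example that is not part of the original thread or of cPanel's AutoSSL code. The 300-orders-per-3-hours figure is the one quoted in the comment; the function names and sample renewal times are constructed, and the window is assumed to be half-open.

```python
from datetime import datetime, timedelta

NEW_ORDER_LIMIT = 300        # figure quoted in the comment above
WINDOW = timedelta(hours=3)  # window quoted in the comment above


def peak_orders(order_times, window=WINDOW):
    """Largest number of orders that fall inside any sliding window.

    Assumption: the window is half-open, so two orders exactly
    `window` apart do not count against each other.
    """
    times = sorted(order_times)
    peak = start = 0
    for end, t in enumerate(times):
        # Drop orders that are a full window (or more) older than t.
        while t - times[start] >= window:
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def exceeds_limit(order_times, limit=NEW_ORDER_LIMIT, window=WINDOW):
    """True if any window would hold more orders than the limit."""
    return peak_orders(order_times, window) > limit


def schedule_in_batches(count, first_run, limit=NEW_ORDER_LIMIT, window=WINDOW):
    """Hypothetical mitigation: at most `limit` orders per batch,
    with batches spaced one full window apart."""
    return [first_run + window * (i // limit) for i in range(count)]


# Constructed sample data: 700 certificates on one server.
BASE = datetime(2024, 1, 1, 0, 0)
# Case 1: every certificate is ordered in the same run.
burst = [BASE] * 700
# Case 2: renewals replace existing certificates one hour apart,
# roughly a 29-day spread as certificates come up for expiry.
staggered = [BASE + timedelta(hours=i) for i in range(700)]
# Case 3: the burst, re-planned into batches.
batched = schedule_in_batches(700, BASE)

if __name__ == "__main__":
    for name, plan in [("burst", burst), ("staggered", staggered), ("batched", batched)]:
        print(f"{name:10s} peak={peak_orders(plan):3d} over_limit={exceeds_limit(plan)}")
```

Feeding the function real order times (for example, derived from each certificate's expiry date minus the renewal lead time) shows whether a server's renewals are clustered enough to approach the limit.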
  • cPRex Jurassic Moderator

    I'm never *sure* about anything anymore!

    If you transfer the account it will move the active certificate if it exists, yes, but will reissue anything if it needs to.  So either way on that one it should just work.  In general with AutoSSL, we really tried to get the "Auto" part to work so users don't have to worry about these things.

    For the domain limit, it's possible that it's reached, but Let's Encrypt wouldn't overwrite the existing Sectigo certs immediately when the switch happens as that is delayed until they come up for renewal, so it shouldn't be an issue.

    0
  • imorandin

    Thanks cPRex

    What about the SSL for services (FTP, Exim, WHM, cPanel)? Will they be re-issued using Sectigo despite the fact that I switched to Let's Encrypt?

    I ask this because the documentation says: "This plugin does not generate hostname certificates for your system’s services. It only generates SSL certificates for your cPanel accounts."

    Ignacio

    0
  • cPRex Jurassic Moderator

    That's correct - at this time, the hostname certificate is still issued through Sectigo as that uses a different issuing process than the SSLs for the domains.  This will likely get changed at some point in the future.

    0
  • imorandin

    Thanks Mr Rex!

    0
  • cPRex Jurassic Moderator

    You're very welcome!

    0
