My Let’s Encrypt mistake

SSLping was born as a side project. 
It’s useful to people, which is cool, but today it was also helpful to me!

I use it to monitor my HTTPS websites. This morning, my own SSLping project sent me an email about how my website https://hire.chris-hartwig.com is about to expire (in 10 days): it’s using Letsencrypt, and it’s been 80 days since I installed the cert.

I first thought it was because the renewal cronjob didn’t work (I have no MTA configured on this server, so I didn’t receive any email about a failed cronjob).

What I’ve discovered is that the ACME challenge protocol isn’t using HTTPS but HTTP for renewals (I though renewal would use HTTPS). And my nginx server was configured to redirect HTTP traffic to HTTPS, which broke cert renewal.

Here’s the new nginx configuration to allow renewal to work.

I’ve added a `location` section to serve the `.well-known` directory through HTTP, while the rest gets redirected to be served over HTTPS.

Of course I did test https://hire.chris-hartwig.com when I set it up. But with SSL, time does count: your certs will expire. When things change with time, you need monitoring, not just single checks.

That’s the whole point of https://sslping.com and why I created it.

PS: I read no later than yesterday that Let’s encrypt has issued 5M certs already… I can’t be the only one who didn’t get it right on my first attempt. In fact, I know I’m not: SSLping has already detected Letsencrypt renewal problems among its users in the past months ;-)

Like what you read? Give Chris Hartwig a round of applause.

From a quick cheer to a standing ovation, clap to show how much you enjoyed this story.