Certificates slightly re-examined

Certificates slightly re-examined

For a long time now, I've used Let's Encrypt's free certificates because in the past, (like when Internic controlled all the domain names) they were too expensive to to justify using for a personal site.  Before Let's Encrypt I had tried another free certificate provider, but they went under after their certificates widely were invalidated by most browsers.

When I first started using Let's Encrypt, it was very early on - and while they had a good, scriptable, official Linux client, the 3rd party Windows Clients were barely (if at all) functional.  There was, however, a great web based client and that's what I used.  Not super convenient,  every 3 months I needed to log in, run renew and download and then copy the certs to right spot and restart services - but it supported multi-san certificates (multiple domain names on a single cert), something that I wanted to make my life easier and something the Windows Clients simply could not do at the time.

Earlier this year, that web site decided to "sell out" to another web based certificate provider.  This new provider did not support multi-san certificates (for free) and would only let you get 3 free certificates.  They would be happy to sell you a multi-san cert,  but I wasn't going to pay for cert for my personal site.  Nor did I have the time to work on it and figure out an alternate plan. I cursed a little, just quickly got a free cert for my main domain name (subject name in the cert world) and vowed to find another solution when I had time.

I currently have 8 sans (Subject Alternate Names), so this this broke tons of stuff.  I decided to look at the 3rd party Windows clients again, and found that they had gotten on par with the Linux client.  The one in particular that I'm using now is Crypt-LE , which works perfectly and was compatible with my setup that I made for the Web Provider. It's command line based so I was able to write a script to automatically renew the certificates.  I don't even have to touch it at all anymore.

Now I've gotten everything working with https:// again, and I guess the moral of the story is not to get complacent with any solution.  Things are always evolving - I wish I had re-looked into this a long time ago.