Let's Encrypt revolutionized SSL/TLS adoption by providing free, automated certificates. However, their 90-day validity period means renewal happens roughly four times as often as with a traditional one-year certificate.
This creates more opportunities for things to go wrong. While Let's Encrypt's ACME protocol enables fully automated renewal, automation can fail silently, leaving you with expired certificates and frustrated users.
Effective Let's Encrypt management combines proper automation configuration with monitoring that catches failures before expiration.
What is Let's Encrypt?
Let's Encrypt is a free, automated, and open Certificate Authority (CA) that issues Domain Validation (DV) SSL/TLS certificates. Founded by the Internet Security Research Group (ISRG), its mission is to make encrypted connections universal by removing cost and complexity barriers.
The ACME Protocol
Let's Encrypt certificates use the ACME (Automatic Certificate Management Environment) protocol for issuance and renewal. Tools like Certbot, acme.sh, and web server plugins automate the entire certificate lifecycle:
- Requesting certificates
- Validating domain ownership
- Installing certificates
- Renewing certificates
The 90-Day Validity Period
The 90-day validity period was chosen deliberately to:
- Encourage automation: nobody wants to replace certificates by hand every three months
- Limit the damage from a compromised private key or a mis-issued certificate
- Reduce the window of vulnerability: clients check revocation unreliably, so a short lifetime, not revocation, is what bounds how long a bad certificate stays usable
Why Monitoring Let's Encrypt Matters
Auto-renewal can fail for many reasons:
- DNS changes that break validation (a CNAME moved, a TXT record no longer writable)
- Firewall rules blocking ACME challenges (HTTP-01 needs port 80 reachable from the internet)
- A full disk preventing the new certificate from being written
- Expired or rotated API credentials for the DNS provider used by DNS-01
- Server configuration changes that break the renewal process (a new vhost that hijacks /.well-known/acme-challenge/, a removed plugin)
Silent Failures
These failures often happen silently. The renewal cron job runs, fails, logs an error somewhere, and nobody notices until the certificate expires.
Rate Limits
Let's Encrypt implements rate limits that can prevent certificate issuance:
| Limit Type | Threshold |
|---|---|
| New certificates per registered domain | 50 per week |
| Duplicate certificates (same exact set of names) | 5 per week |
| Failed validations per account, per hostname | 5 per hour |
| New orders per account | 300 per 3 hours |
The duplicate-certificate limit is the one that bites during a bad deploy: five successful issuances for the same set of names in a week, and the sixth is refused for up to a week, so do not "just reissue" to debug a configuration problem. Use the staging environment for experiments (certbot's --dry-run already does), and let monitoring flag a failing renewal before anyone starts retrying by hand.
How to Automate Let's Encrypt
Configure Automatic Renewal
Verify that automatic renewal is properly configured with your ACME client.
For Certbot with systemd:
# Check if the timer is active
systemctl status certbot.timer
# View the timer schedule
systemctl list-timers | grep certbot
For Certbot with cron:
# Check for cron job
cat /etc/cron.d/certbot
Certbot's packaged timer and cron job attempt renewal twice a day, and certbot only actually renews a certificate with 30 days or less of lifetime left. A renewal that keeps failing therefore has roughly 30 days of attempts before the certificate expires; that is the window your monitoring has to notice it in.
Test Renewal with Dry Runs
Always test the complete renewal process without actually issuing certificates:
# Test renewal for all certificates
certbot renew --dry-run
# Test renewal of one existing certificate, by its lineage name
certbot renew --dry-run --cert-name example.com
A dry run talks to the Let's Encrypt staging environment, so it does not consume production rate limits, but it exercises the same challenge path and plugin configuration as a real renewal. Include dry-run testing in your deployment verification process.
Configure Post-Renewal Hooks
Most web servers read certificate files only at startup or reload, so a renewed certificate sits unused on disk until the service is told to pick it up. Configure a deploy hook, which certbot runs only after a renewal actually succeeded:
# Certbot deploy hook; certbot saves it in the renewal config
# (/etc/letsencrypt/renewal/<name>.conf) and reuses it on later automatic renewals
certbot renew --deploy-hook "systemctl reload nginx"
Or drop an executable script into the deploy hook directory, which certbot runs after every successful renewal:
# /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh  (chmod +x it, or certbot skips it)
#!/bin/bash
systemctl reload nginx
Implement External Monitoring
Use services like WizStatus that verify certificate validity independent of your renewal automation. External monitoring:
- Checks actual certificate expiration from outside your infrastructure
- Alerts if certificates approach expiration regardless of automation logs
- Catches issues your internal monitoring might miss
Let's Encrypt Best Practices
Stagger Renewal Timing
- Run renewal checks at least daily (the packaged certbot jobs run twice a day)
- Stagger timing across your infrastructure so a whole fleet does not hit rate limits or a CA outage at the same moment
- Keep the random delay the packaging already adds: the stock certbot.timer sets RandomizedDelaySec, and the Debian cron job sleeps a random interval of up to 12 hours before running certbot -q renew
- Random scheduling spreads load and prevents correlated failures
Use DNS-01 Challenges for Complex Setups
DNS-01 challenges are ideal for:
- Wildcard certificates
- Multi-server deployments
- Servers behind firewalls
- Load-balanced environments
# Example: Certbot with Cloudflare DNS (certbot-dns-cloudflare plugin)
# ~/.secrets/cloudflare.ini holds a line like:
#   dns_cloudflare_api_token = <token scoped to DNS edit on this zone only>
# chmod 600 the file; the plugin warns about world-readable credentials
certbot certonly --dns-cloudflare \
--dns-cloudflare-credentials ~/.secrets/cloudflare.ini \
-d example.com \
-d "*.example.com"
Monitor Both Expiration and Renewal
| Monitoring Type | What It Catches | When It Alerts |
|---|---|---|
| Expiration monitoring | Every failure mode, but only once remaining lifetime is short | When remaining lifetime drops below your threshold |
| Renewal monitoring | A failed renewal attempt (non-zero exit status, error in the log) | Immediately after the failed attempt |
Use both. Set the expiration threshold below certbot's 30-day renewal point (20 days is a reasonable choice) so a stalled renewal trips it with time to spare, and watch the renewal job's exit status or log so a single failure is visible on the day it happens rather than ten days later.
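As an added example (not part of the original article, and not certbot's own tooling), here is a cron-friendly check in shell that implements this combined view: it reads the notAfter of each certbot lineage on disk and, separately, of the certificate actually served on port 443 for that name, classifies the remaining days against certbot's 30-day renewal point and a 20-day alert threshold, and exits non-zero when a renewal has evidently stalled or the server is still serving an older certificate. The /etc/letsencrypt/live layout, the 20-day threshold, and the availability of GNU date and the openssl CLI are assumptions.

```bash
#!/bin/bash
# cert-watch.sh: added example, not from the original article or from certbot.
# Checks every certbot lineage twice: the file on disk, and what port 443
# actually serves. Alerts when a renewal has evidently stalled, i.e. well
# before the certificate expires.
# Assumptions: certbot's default layout /etc/letsencrypt/live/<name>/cert.pem,
# GNU date (for -d) and the openssl CLI. The 20-day threshold is a choice,
# not a certbot setting.
set -u

RENEW_AT_DAYS=30   # certbot's default: renew when this much lifetime is left
ALERT_AT_DAYS=20   # below the renew point => ~10 days of renewal attempts have failed

# days_left NOT_AFTER [NOW_EPOCH]
# NOT_AFTER is the string openssl prints after "notAfter=".
# Prints whole days remaining (negative once expired); returns 2 if unparseable.
days_left() {
    local end_epoch now_epoch
    [ -n "$1" ] || return 2                      # GNU date treats "" as "now"; refuse it
    end_epoch=$(date -u -d "$1" +%s 2>/dev/null) || return 2
    now_epoch=${2:-$(date -u +%s)}
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

# status_for_days DAYS -> OK | RENEWAL_PENDING | RENEWAL_STALLED | EXPIRED
status_for_days() {
    if   [ "$1" -lt 0 ];                then echo EXPIRED
    elif [ "$1" -lt "$ALERT_AT_DAYS" ]; then echo RENEWAL_STALLED
    elif [ "$1" -lt "$RENEW_AT_DAYS" ]; then echo RENEWAL_PENDING
    else                                     echo OK
    fi
}

# notAfter of a PEM file on disk: what the renewal job produced
local_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# notAfter as clients see it: what the server serves for this SNI name.
# Differs from the file when renewal succeeded but the server was never reloaded.
remote_not_after() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -enddate | sed 's/^notAfter=//'
}

# report LABEL NOT_AFTER: one line per check; returns 0 = fine, 1 = needs a human
report() {
    local days status
    days=$(days_left "$2") || { echo "$1: cannot parse notAfter '$2' (connection failed or bad file?)"; return 1; }
    status=$(status_for_days "$days")
    echo "$1: $days days left ($status)"
    case $status in OK|RENEWAL_PENDING) return 0 ;; *) return 1 ;; esac
}

main() {
    local rc=0 dir name
    for dir in /etc/letsencrypt/live/*/; do
        [ -f "$dir/cert.pem" ] || continue
        name=$(basename "$dir")
        report "disk   $name" "$(local_not_after "$dir/cert.pem")" || rc=1
        report "served $name" "$(remote_not_after "$name")" || rc=1
    done
    return $rc
}

# Run the sweep only when executed as a script, so the functions can also be sourced.
case "${0##*/}" in cert-watch.sh) main ;; esac
```

Run it from cron on the host and, for the "served" half, also from a machine outside your network; the two disagreeing is exactly the forgotten-reload case the hook section is about. The decision logic is kept separate from the openssl calls so the thresholds can be tested without a live certificate.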
Keep ACME Client Updated
Let's Encrypt evolves their API (ACMEv1 was switched off in favour of ACMEv2), and outdated clients eventually stop working. Update through whichever channel you installed certbot from:
# Snap (the installation method certbot's own instructions recommend)
snap refresh certbot
# Distribution package on Ubuntu/Debian
apt update && apt upgrade certbot
# pip, only if certbot was installed with pip in the first place
pip install --upgrade certbot
# Check Certbot version
certbot --version
Verify Before Deploying
For critical services, separate "renewed" from "deployed". Certbot already does half of this: a successful renewal writes the new files under /etc/letsencrypt/live/<name>/ and only then runs deploy hooks, while the web server keeps serving the certificate it loaded at its last reload. Use that gap:
- Let the renewal write the new certificate to disk
- In the deploy hook, verify it: the private key matches, the chain validates, the certificate covers every name you serve, and the web server's config test passes
- Reload the web server only when every check passes; otherwise leave the old certificate in service and alert
This keeps a corrupt, truncated or wrongly scoped certificate from ever being served.
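The verify-then-reload deploy hook described in this section and under "Configure Post-Renewal Hooks" above, as an added example (not code from the original article or from certbot). It relies on the two environment variables certbot sets for deploy hooks, RENEWED_LINEAGE (the live/<name> directory) and RENEWED_DOMAINS (space-separated names); nginx as the web server, the openssl CLI, and the 60-day freshness threshold are assumptions:

```bash
#!/bin/bash
# /etc/letsencrypt/renewal-hooks/deploy/verify-then-reload.sh
# Added example, not from the original article or from certbot itself.
# Certbot runs this after a successful renewal with RENEWED_LINEAGE set to the
# live/<name> directory and RENEWED_DOMAINS to the space-separated names.
# The web server is still serving the previous certificate at this point, so a
# renewed certificate that fails any check simply stays unused, and we alert.
# Assumptions: nginx as the web server; the openssl CLI is installed.
set -u

# key_matches_cert PRIVKEY CERT: compare SHA-256 of both SubjectPublicKeyInfo DERs
key_matches_cert() {
    local k c
    [ -r "$1" ] && [ -r "$2" ] || return 1
    k=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256) || return 1
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256) || return 1
    [ "$k" = "$c" ]
}

# chain_ok CERT CHAIN: the leaf must validate against the system trust store via the chain
chain_ok() {
    openssl verify -untrusted "$2" "$1" >/dev/null 2>&1
}

# covers_names CERT NAME...: every name must appear as a DNS SAN. Exact match, so a
# wildcard certificate is checked as "*.example.com", not by the names it would cover.
covers_names() {
    local cert=$1 sans name
    shift
    sans=$(openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null \
        | tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    for name in "$@"; do
        printf '%s\n' "$sans" | grep -qxF "DNS:$name" || return 1
    done
}

# fresh_enough CERT: a just-renewed 90-day certificate has far more than 60 days left
fresh_enough() {
    openssl x509 -in "$1" -noout -checkend $((60 * 86400)) >/dev/null 2>&1
}

# verify_lineage LIVE_DIR NAME...: all checks; the first failure is reported on stderr
verify_lineage() {
    local dir=$1
    shift
    key_matches_cert "$dir/privkey.pem" "$dir/cert.pem" || { echo "$dir: private key does not match cert.pem" >&2; return 1; }
    chain_ok "$dir/cert.pem" "$dir/chain.pem"           || { echo "$dir: chain does not verify" >&2; return 1; }
    covers_names "$dir/cert.pem" "$@"                   || { echo "$dir: cert.pem is missing one of: $*" >&2; return 1; }
    fresh_enough "$dir/cert.pem"                        || { echo "$dir: cert.pem expires in under 60 days" >&2; return 1; }
}

main() {
    # RENEWED_DOMAINS is intentionally unquoted: certbot separates the names with spaces
    # shellcheck disable=SC2086
    if verify_lineage "$RENEWED_LINEAGE" $RENEWED_DOMAINS && nginx -t >/dev/null 2>&1; then
        systemctl reload nginx
    else
        echo "NOT reloading nginx; old certificate stays in service for: $RENEWED_DOMAINS" >&2
        exit 1   # certbot reports a failing deploy hook, which renewal monitoring should catch
    fi
}

# Only act when certbot (or an operator) executes the file; sourcing it just defines the checks.
case "${0##*/}" in verify-then-reload.sh) main ;; esac
```

Install it executable under /etc/letsencrypt/renewal-hooks/deploy/ and remove any plain reload hook from that directory, otherwise that one still reloads unconditionally. To rehearse it by hand, export RENEWED_LINEAGE and RENEWED_DOMAINS for an existing lineage and run the script; a non-zero exit with the reason on stderr is what you want your renewal monitoring to pick up.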
Maintain Backup Options
For critical services, keep a fallback certificate from a different CA. Several other CAs also speak ACME, and certbot can be pointed at another CA's directory URL with --server, so a second lineage can be automated the same way. If Let's Encrypt has an extended outage or you hit a rate limit in the middle of an incident, switching to the fallback is then a configuration change rather than a scramble.
Conclusion
Let's Encrypt provides excellent free certificates, but their 90-day validity requires robust automation and monitoring.
Key Actions
- Configure auto-renewal correctly
- Test renewal regularly with dry runs
- Implement external monitoring that catches failures before certificates expire
- Keep your ACME client updated
- Monitor rate limit usage
The combination of proper automation and independent monitoring ensures your free certificates never cause expensive downtime.