Suggestions on how to smooth out SSL certificate renewal process?
October 15, 2018 1:45 PM

I've just taken a job at a web design company where I am responsible for renewing SSL certificates for quite a few domains every month. What is a good workflow for making the process smoother and more efficient?

While I've renewed certs in the past, the volume here is far greater, dozens a month, and different companies with different email systems. Where I'm running into trouble is the very end - when the cert service sends a link to the admin email address for the domain, oftentimes there is no mailbox there or it's sent to someone that doesn't work at the company anymore. Unfortunately the certificate won't be sent unless that link is clicked.

I've been phoning these companies and asking them to look for these emails and click the link in them but this is tedious and frustrating. I'd like to set something up so that the emails go to an address that we - the web design co - have access to and can just click the links for our clients.

So how do you super cert people do it? Is there something I can set up to streamline this process any better? The employee I replaced left before I started so I can't ask his advice. I am using WHMCS and cPanel if that matters.

Thank you!
posted by dozo to Computers & Internet (16 answers total) 2 users marked this as a favorite
 
Let's Encrypt.

Renewal Just Happens(tm).

There are some caveats - if you need EV certs, this won't work for you. But it should work for almost everything else.
posted by buxtonbluecat at 1:48 PM on October 15, 2018 [4 favorites]


You can also set up alerts in nagios or what have you. Check for certs that are about to expire. You can even start with email, then move to paging on them.
posted by poe at 1:56 PM on October 15, 2018
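An added example of the kind of expiry check poe is describing, written for this thread and not taken from any poster or from Nagios itself. It parses a PEM certificate, computes the days left before NotAfter, and maps that onto the usual Nagios exit states (OK / WARNING / CRITICAL / UNKNOWN, an assumed convention) using warning and critical thresholds in days. So that it runs offline, it builds its own throwaway self-signed certificates as constructed input; in real use you would feed it the certificate fetched from each site.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Nagios plugin exit states (assumed convention: 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN).
const (
	StateOK       = 0
	StateWarning  = 1
	StateCritical = 2
	StateUnknown  = 3
)

// CheckExpiry classifies a PEM-encoded certificate by the number of whole days
// remaining before NotAfter, relative to now. warnDays and critDays are thresholds.
func CheckExpiry(pemBytes []byte, now time.Time, warnDays, critDays int) (state int, msg string) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return StateUnknown, "UNKNOWN: no CERTIFICATE block in input"
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return StateUnknown, "UNKNOWN: " + err.Error()
	}
	remaining := cert.NotAfter.Sub(now)
	days := int(remaining.Hours() / 24)
	name := cert.Subject.CommonName
	switch {
	case remaining <= 0:
		return StateCritical, fmt.Sprintf("CRITICAL: %s expired on %s", name, cert.NotAfter.Format(time.RFC3339))
	case days < critDays:
		return StateCritical, fmt.Sprintf("CRITICAL: %s expires in %d days", name, days)
	case days < warnDays:
		return StateWarning, fmt.Sprintf("WARNING: %s expires in %d days", name, days)
	}
	return StateOK, fmt.Sprintf("OK: %s expires in %d days", name, days)
}

// SelfSignedPEM builds a throwaway self-signed certificate so the check can be
// exercised without network access. Constructed test data, not a customer cert.
func SelfSignedPEM(cn string, notBefore time.Time, validFor time.Duration) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(validFor),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		DNSNames:     []string{cn},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	now := time.Now()
	cases := []struct {
		cn       string
		validFor time.Duration
	}{
		{"ok.example.test", 60 * 24 * time.Hour},     // well outside both thresholds
		{"soon.example.test", 20 * 24 * time.Hour},   // inside the 30-day warning window
		{"urgent.example.test", 3 * 24 * time.Hour},  // inside the 7-day critical window
		{"expired.example.test", 30 * time.Minute},   // NotAfter already in the past
	}
	for _, c := range cases {
		p, err := SelfSignedPEM(c.cn, now.Add(-time.Hour), c.validFor)
		if err != nil {
			panic(err)
		}
		state, msg := CheckExpiry(p, now, 30, 7)
		fmt.Println(state, msg)
	}
}
```

The thresholds are the only tuning knob: a 30/7 split gives a month of warning mail before the check starts paging, which matches poe's "start with email, then move to paging" suggestion.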


Response by poster: Just to be clear, being notified of them in a timely manner is not a problem. I'm trying to cut out the part where I have to contact - or otherwise rely upon - the end user / client.

We do have Nagios set up to alert us about dang near everything else. Nagios rules!
posted by dozo at 2:17 PM on October 15, 2018


You need access to those "admin@thedomain.tld" type email inboxes. I don't know any other way around that.
posted by humboldt32 at 2:37 PM on October 15, 2018


AWS Certificate Manager automatically renews certs: https://aws.amazon.com/certificate-manager/
posted by askmehow at 3:04 PM on October 15, 2018


Can you use a certificate authority that does http or dns verification for DV certs instead of email (Let's Encrypt is one such option, though their certs last 90 days so they'd expect you to use their handy tools to automate the renewal process)? This would allow you to renew the certificates by proving control of the domain without needing the clients to do anything in their email, which is the first step to getting this entirely automated.
posted by zachlipton at 3:19 PM on October 15, 2018 [2 favorites]


I control a couple of second level domains that have a lot of subdomains for different far flung internal customers hanging off of them, who are using a variety of cert providers. Here is my experience:

#1 Different cert providers take different approaches to validating domain ownership. While the most common for sure is email, some of the high end providers will call on the phone, and some will let you demonstrate control of the domain by either setting a TXT record in the DNS zone with a special value they provide, or by setting up a web page on the domain at a URL they provide. Even within email, some providers look up the ICANN contact info and - if it is published - use that to email me at my "real" email address; some just guess and spray email to generic addresses like admin@ or webmaster@. The point here is that your current provider might allow other methods besides email, but are just defaulting to email.

#2 On creation and on renewal, the domain owner is sometimes given the option (in the email scenario) of auto approving future orders. Again, this varies by cert provider.

#3 The domain validation process can change without warning. One of the CAs I deal with decided to hold up any renewals until they could confirm me over the phone. Because of a left hand not talking to right hand thing, they ended up independently confirming me three or four times over a two month period. I expect they had some kind of audit finding they were working through.

Bottom line here is the domain ownership part of the process is implemented a little differently at each cert provider. You'll want to build a catalog of all of your outstanding certs, if you don't already have that, and research the specific process for your current provider (assuming it is just one, or at least less than a handful) and then plan accordingly. This will probably require a phone call to tech support for the provider to discuss. If you want to hear about who are the best and worst cert providers to deal with, you can memail me.

PS Common cert durations are one or two years, you might have some older certs that were set up for three years. The advice up thread about switching everyone to a different provider will take a couple of years to work through. Also, generically a new cert issuance is more rigorous than a renewal, so a switching approach will get worse for you before it gets better.
posted by kovacs at 3:42 PM on October 15, 2018


Ironically this is one of the primary purposes of Let's Encrypt: shorter lived certificates (90d) so it's worth the effort to automate. As @askmehow mentioned if you're on AWS and using them for SSL termination (Load Balancers, etc) you can get this for free. Similarly CloudFlare will handle this for you automatically as well. It's worth considering these if only that you can get it set up relatively quickly and they handle any corner cases/monitoring/alerting out of the box.

Even without an external service, if you (a) have customer DNS pointing to your server and (b) can serve arbitrary text files with verification codes, you can fully automate this with Let's Encrypt Domain Validation (DV) certs and a few scripts. If you're spending an hour a month on this it'll quickly pay back the few hours to fix this problem once and for all. You can even include this as a line item feature in customer contracts.
posted by notpeter at 4:56 PM on October 15, 2018
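An added example, not from kovacs, notpeter or any CA, of the two non-email validation methods they describe: the CA hands the applicant a random token, and then either fetches it from a URL on the domain (the "web page at a URL they provide" method) or looks it up in a TXT record (the "TXT record with a special value" method). Both sides are shown: the hosting company's handler that publishes the token, and the CA-side checker. The `/.well-known/pki-validation/` path and the `_pki-validation` TXT label are assumptions for this example; the exact path, label and token format are set by each provider. The web server is an in-process `httptest` server and the DNS lookup is an injected function, so the whole exchange runs offline.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// NewToken returns a random hex challenge value, as a CA would hand to the applicant.
func NewToken() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// HTTPValidationPath is the URL path at which the applicant must publish the token.
// The prefix is an assumption for this example; each CA specifies its own.
func HTTPValidationPath(token string) string {
	return "/.well-known/pki-validation/" + token
}

// ValidateHTTP plays the CA side: fetch the challenge URL over plain HTTP and
// compare the body with the expected token. baseURL is "http://host[:port]".
func ValidateHTTP(client *http.Client, baseURL, token string) (bool, error) {
	resp, err := client.Get(baseURL + HTTPValidationPath(token))
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return false, fmt.Errorf("unexpected status %d", resp.StatusCode)
	}
	body, err := io.ReadAll(io.LimitReader(resp.Body, 4096)) // never trust an unbounded body
	if err != nil {
		return false, err
	}
	return strings.TrimSpace(string(body)) == token, nil
}

// ValidateDNSTXT plays the CA side for the TXT-record method: the applicant puts
// the token in a TXT record under an agreed label and the CA looks it up.
// lookup is injected so the example runs offline; in production it would wrap net.LookupTXT.
func ValidateDNSTXT(lookup func(name string) ([]string, error), domain, token string) (bool, error) {
	records, err := lookup("_pki-validation." + domain) // label is an assumption
	if err != nil {
		return false, err
	}
	for _, r := range records {
		if r == token {
			return true, nil
		}
	}
	return false, nil
}

// HostingSideHandler is what the hosting company's server publishes: a map of
// challenge path -> token served as plain text, 404 for anything else.
func HostingSideHandler(published map[string]string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		token, ok := published[r.URL.Path]
		if !ok {
			http.NotFound(w, r)
			return
		}
		w.Header().Set("Content-Type", "text/plain")
		fmt.Fprintln(w, token)
	})
}

func main() {
	token, _ := NewToken()
	srv := httptest.NewServer(HostingSideHandler(map[string]string{HTTPValidationPath(token): token}))
	defer srv.Close()

	ok, err := ValidateHTTP(srv.Client(), srv.URL, token)
	fmt.Println("http validation:", ok, err)
	stale, _ := NewToken() // a token the applicant never published
	ok, err = ValidateHTTP(srv.Client(), srv.URL, stale)
	fmt.Println("stale token:", ok, err)

	zone := map[string][]string{"_pki-validation.example.test": {token}} // constructed zone
	ok, _ = ValidateDNSTXT(func(n string) ([]string, error) { return zone[n], nil }, "example.test", token)
	fmt.Println("dns validation:", ok)
}
```

The point for the poster's situation is visible in the handler: once the hosting company can drop a file under the web root (or set a TXT record in the zone it already manages), nothing in the client's mailbox is involved at all.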


Venafi does this.
posted by oceanjesse at 6:19 PM on October 15, 2018


You might want to check out Certbot for use with Let's Encrypt. It's a tool that automates obtaining and renewing LE certs.
posted by cirgue at 7:05 PM on October 15, 2018


Most SSL renewal processes I've seen will pull any email address listed in WHOIS, so can you have the customers list you in the WHOIS Technical Contact section?
posted by Nonsteroidal Anti-Inflammatory Drug at 8:31 PM on October 15, 2018 [1 favorite]


SSLmate? A college friend wrote it and at first glance it seems to do what you want.
posted by batter_my_heart at 8:49 PM on October 15, 2018


NSAID's method is how we've been managing this (on a scale of tens of domains, not hundreds or thousands), or at least we did until our cert vendor started doing HTTP verification, which is somewhat easier than dealing with the hassle of setting up a truly shared role email account.

There are reasons there are multiple contact record types, and this is one of them.

That said, the relevant RFCs require that one or more of the default role emails they allow you to use for verification exist and accept mail, so maybe you would find it easier in the long run to contractually obligate your customers to provide access to one or more of those required addresses to you. (Don't worry, at least 90% of us completely ignore the requirement for working postmaster/postmaster/whatever addresses, so you are in good company if you don't either. If someone needs a legit address, they can find one in all of our SOAs)
posted by wierdo at 12:33 AM on October 16, 2018


Like a few people have said already, Let's Encrypt / Certbot is the way to go. It won't work on EVERY domain, some don't have the proper CAA record, others have too many certs already, so try to verify them first.
Three useful sites to check before trying certbot:
https://caatest.co.uk/
https://dnsspy.io
https://crt.sh/
Searching for the domain in those will help find if it has a CAA record that denies Let's Encrypt, and if it already has Let's Encrypt certs.
posted by Blake at 4:39 AM on October 16, 2018 [1 favorite]
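An added example, written for this thread and not from Blake or any of the sites linked above, of what the CAA check those sites perform actually decides. It implements the RFC 8659 rules a CA applies before issuing: walk up from the requested name to find the closest CAA record set, let `issuewild` override `issue` for wildcard requests, treat an empty value (`;`) as "nobody may issue", refuse if an unknown tag carries the critical flag, and permit issuance when no CAA records exist at all. The zone data is constructed inline and the lookup is injected, so it runs offline; against live DNS you would replace the lookup with a real CAA query. It goes a little beyond Blake's "does it deny Let's Encrypt" question by evaluating any CA name and the wildcard case.

```go
package main

import (
	"fmt"
	"strings"
)

// CAARecord mirrors the fields of a CAA RR (RFC 8659): flags, tag, value.
type CAARecord struct {
	Flags uint8
	Tag   string
	Value string
}

// Lookup returns the CAA RRset for an exact name; an empty result means none there.
// Injected so the example runs offline; in production it would query DNS.
type Lookup func(name string) ([]CAARecord, error)

// relevantSet walks from name up through its parents and returns the first
// non-empty CAA RRset (the "Relevant RRset" of RFC 8659, Section 3).
func relevantSet(lookup Lookup, name string) ([]CAARecord, string, error) {
	labels := strings.Split(strings.TrimSuffix(name, "."), ".")
	for i := 0; i < len(labels); i++ {
		candidate := strings.Join(labels[i:], ".")
		rrs, err := lookup(candidate)
		if err != nil {
			return nil, "", err
		}
		if len(rrs) > 0 {
			return rrs, candidate, nil
		}
	}
	return nil, "", nil
}

// issuerOf extracts the issuer domain from an issue/issuewild value, dropping any
// "; param=value" suffix. An empty result means "no issuer may issue".
func issuerOf(value string) string {
	return strings.ToLower(strings.TrimSpace(strings.SplitN(value, ";", 2)[0]))
}

// CAAPermits reports whether caDomain (e.g. "letsencrypt.org") may issue for name.
// For wildcard requests issuewild controls when present, otherwise issue controls;
// a relevant set with no applicable records permits issuance.
func CAAPermits(lookup Lookup, name, caDomain string, wildcard bool) (bool, string, error) {
	rrs, at, err := relevantSet(lookup, strings.TrimPrefix(name, "*."))
	if err != nil {
		return false, "", err
	}
	if rrs == nil {
		return true, "no CAA records found up to the apex; any CA may issue", nil
	}
	// A record with the critical flag (bit 7) and a tag this evaluator does not
	// understand means the CA MUST NOT issue (RFC 8659, Section 4.1).
	for _, r := range rrs {
		if r.Flags&128 != 0 {
			switch strings.ToLower(r.Tag) {
			case "issue", "issuewild", "iodef":
			default:
				return false, fmt.Sprintf("critical unknown tag %q at %s; must not issue", r.Tag, at), nil
			}
		}
	}
	tag := "issue"
	if wildcard {
		for _, r := range rrs {
			if strings.ToLower(r.Tag) == "issuewild" {
				tag = "issuewild"
				break
			}
		}
	}
	seen := false
	for _, r := range rrs {
		if strings.ToLower(r.Tag) != tag {
			continue
		}
		seen = true
		if issuerOf(r.Value) == strings.ToLower(caDomain) {
			return true, fmt.Sprintf("%s record at %s authorises %s", tag, at, caDomain), nil
		}
	}
	if !seen {
		return true, fmt.Sprintf("CAA set at %s has no %s records; issuance permitted", at, tag), nil
	}
	return false, fmt.Sprintf("CAA set at %s restricts %s to other issuers", at, tag), nil
}

func main() {
	// Constructed zone data: example.test allows Let's Encrypt for ordinary names but
	// forbids all wildcards; locked.example.test forbids everyone; strict.test has an
	// unknown critical tag.
	zone := map[string][]CAARecord{
		"example.test":        {{0, "issue", "letsencrypt.org"}, {0, "issuewild", ";"}},
		"locked.example.test": {{0, "issue", ";"}},
		"strict.test":         {{128, "futuretag", "x"}},
	}
	lookup := func(n string) ([]CAARecord, error) { return zone[n], nil }
	for _, q := range []struct {
		name, ca string
		wild     bool
	}{
		{"www.example.test", "letsencrypt.org", false},
		{"www.example.test", "othercα.example", false},
		{"*.example.test", "letsencrypt.org", true},
		{"locked.example.test", "letsencrypt.org", false},
		{"nocaa.test", "letsencrypt.org", false},
		{"strict.test", "letsencrypt.org", false},
	} {
		ok, why, _ := CAAPermits(lookup, q.name, q.ca, q.wild)
		fmt.Printf("%-22s %-18s permitted=%-5v %s\n", q.name, q.ca, ok, why)
	}
}
```

The walk-up is the part people miss when a hostname "has no CAA record" but certbot still fails: a record on the parent zone applies to every subdomain beneath it that has no CAA set of its own.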


Response by poster: Thanks for the suggestions, everyone. I'm a huge fan of LE personally (I host my own domains on a couple of VPS using Virtualmin which has a dead simple LE module that takes care of EVERYTHING), but the team here isn't on board yet.

SSLMate looks really cool! I'll have our sysadmin put it on a testing server but it seems to be almost the same as LE. We'll see what happens.

I'm considering putting us on the technical contact, which seems the most feasible option in my snowflake situation. I also like contractually obligating the clients to have the emails set up but that still doesn't really solve the problem. What happens when they don't set it up? Back to square one, essentially.

Anyway, thank you all and if I find a good solution I'll update this post.
posted by dozo at 8:08 AM on October 16, 2018


Response by poster: I've been able to work something out. Our cert provider sends us the certificate via email after the validation is done (we use file because we control the hosting and it is trivial to add a file). I don't even need to contact anyone at the sites.

Hopefully that helps someone. It has made a terrible burden manageable.
posted by dozo at 1:08 PM on November 7, 2018

