Security

Let's Encrypt automation without surprises

Certificates are getting shorter-lived. The real work is not getting the first cert, but proving renewal, reload, DNS access, and alerting still work.

The easy part of Let's Encrypt is issuing the first certificate. The part that keeps sites online is renewal automation. A certificate automation plan should prove four things: validation can happen, the new certificate lands in the right place, the web server reloads, and someone notices before expiry if any step fails.

Choose the challenge by topology

ChallengeBest fitMain limit
HTTP-01Simple public web serverNeeds port 80 and no wildcard issuance
DNS-01Wildcard certs or complex routingNeeds DNS API automation and careful token scope
TLS-ALPN-01TLS-aware automation on port 443Less common in simple hosting setups
Let's Encrypt recommends client defaults or HTTP-01 when unsure, but the right answer depends on network shape.

Shorter lifetimes change the margin

Let's Encrypt announced a staged reduction from 90-day certificates to 45 days by 2028. The article also says that a hardcoded 60-day renewal interval will no longer be sufficient when 45-day certificates are in use. That means renewal logic should follow the ACME client and CA signals, not a calendar habit someone wrote years ago.

A renewal check that catches real failures

  1. Run a staging or dry-run renewal after every certificate automation change.
  2. Verify the web server can reload without syntax errors.
  3. Check that the served certificate changed when a renewal happens.
  4. Alert on expiry at 30, 14, and 7 days.
  5. Keep DNS API tokens narrowly scoped and rotate them when staff or systems change.

Rate limits are a design signal

Let's Encrypt's rate limits are generous for normal renewals but painful for broken loops. If you are testing automation, use the staging environment. If your script creates accounts or requests certificates repeatedly, rate limits are telling you the automation is not safe enough for production.

The small-site default

For a single VM with Nginx or Caddy, use the web server's documented ACME path or Certbot packages that install a timer. For wildcard certificates, prefer a DNS plugin with the smallest possible token scope. Avoid manual certificates unless the site is temporary and someone owns the renewal calendar.

Sources

  1. Let's Encrypt challenge typesHTTP-01, DNS-01, and TLS-ALPN-01 behavior.
  2. Let's Encrypt rate limitsToken bucket limits and staging recommendation.
  3. Let's Encrypt getting startedACME and Certbot guidance.
  4. Let's Encrypt FAQ90-day DV certificate and renewal guidance.
  5. Let's Encrypt 90-to-45 day announcementPublished certificate lifetime reduction timeline.
  6. Certbot instructionsRenewal timer and dry-run practices.