Failing to Renew

[mmsigi]

Mainly just commenting with some honest feedback here. I've been using this extension for the last couple years, and I feel like it's more trouble than it's worth. Back when we manually renewed certs, we'd do it once every 2 years, and that was it, whereas I constantly have to babysit this extension.

Issue #1: It constantly requires updates.

We have about 20 websites, each with at least 2 slots, so whenever there's an update, we have to open every single slot for every single website and manually update the extension. This alone takes more time than renewing the certs the old way every 2 years.

Issue #2: It constantly fails.

Every 3 months I need to go out and manually check each website to ensure an update actually took place because I can't trust the auto renew functionality. I don't find the automated emails helpful. I don't need to know that "the certificate will expire in 20 days." What I do need is an email explicitly telling me that a renewal has failed (if the "cert will expire in X days" is meant to serve as a failure, then that's not clear - if it's meant to be a failure email, then make it a failure email). For a cert that just expired, I received a "cert will expire in 10 days" email, but then nothing else. So it creates a situation where I don't ever know what's going on without going out and checking (i.e., I don't know if it auto renewed after the 10 day email was sent). Nothing was ever sent to tell me it expired. The time it takes to check 20 different websites 4 times a year isn't even the biggest issue - it's that occasionally, one will slip through the cracks, and then I wake up one morning with complaint emails from a dozen different people in my company telling me a website is broken. Also, since multiple people need access to these emails, we are forced to send them to a shared mailbox, where they can get lost. It would be helpful to be able to have them sent to multiple mailboxes.

This extension would be great if it was reliable and could be trusted, but over the past two years, I haven't been able to use it for any meaningful length of time without experiencing failures.

[ohadschn]

You could probably write a PowerShell script that updates all your sites. You could also connect the WebJobs to Zapier notifications which should let you know if anything went wrong (possibly using a script too, not familiar with Zapier APIs).

Alternatively, I've written a WebJob over this extension's core code that addresses most of your concerns I believe (some similar ones I had led me to build it): https://github.com/ohadschn/letsencrypt-webapp-renewer. Haven't had time to update it in a while but I'm still using it personally for my websites...

[sjkp]

@mmsigi - Thanks for you feedback. It is always annoying when something free doesn't work as you want it to. But like I clearly state in the readme it is a hobby project without any enterprise support (sounds like your use case is a little more professional), and if you care about the uptime of your sites, you should go with an Azure supported (but not free) way of setting up SSL.

I agree that the update model for site extensions are not very great, but I cant fix that. However there has been one update to the siteextension in the last year (I wouldn't exactly call that constantly need for updating). It was trigged by a change in intermediate certificates from Lets Encrypt, not something that I'm in control of. Before that, there was more frequent updates because we were still ironing out bugs and adding features.

The email notification feature from Lets Encrypt works flawlessly for me. If you get a Lets Encrypt warning email then you need to take action, you should never receive it, if everything is working as it should, as the certificate should be renewed 21 days before expiration.

Dont get me wrong, I would love to fix this extension so it was perfect, but to be honest the siteextension model+webjob is not the right fit for the job, however it is still a solution, so for now I consider it to be in support mode for those people who benefit from it. Building an alternative and more perfect solution, based on the knowledge gained from this project, and the advances of Azure, is not something that I'm willing to invest my spare time in, knowing that Microsoft can make it obsolete over night by providing their own certificate service. Something I honestly thought they would have done a long long time ago. The alternative of building a pay-to-use service is in my opinion unfair to an otherwise great open source service from Lets Encrypt. So that leaves us where we are today, not in the most ideal place for a use-case like yours.

[vinsuz]

I was reluctant to respond to the comment from @mmsigihttps://github.com/mmsigi to avoid unnecessary clutter in everyone’s inbox, but as an early adopter of Simon’s extension, and despite a few bumps in the road, I am grateful for everyone’s contributions to this little “hobby”! We are a small shop with over a dozen Web apps using the Azure Let’s Encrypt extension, each with several domains, so even if we have to update the extension occasionally, the benefits far exceed the minor and infrequent drawbacks.

Thank you again Simon and all other contributors; this extension has saved us thousands of Dollars (Euros, Pounds, Yen, Rubles, etc.) over the years!

From: Simon J.K. Pedersen notifications@github.com Sent: Tuesday, March 2, 2021 11:08 AM To: sjkp/letsencrypt-siteextension letsencrypt-siteextension@noreply.github.com Cc: Subscribed subscribed@noreply.github.com Subject: Re: [sjkp/letsencrypt-siteextension] Failing to Renew (#385)

@mmsigihttps://github.com/mmsigi - Thanks for you feedback. It is always annoying when something free doesn't work as you want it to. But like I clearly state in the readme it is a hobby project without any enterprise support (sounds like your use case is a little more professional), and if you care about the uptime of your sites, you should go with an Azure supported (but not free) way of setting up SSL.

I agree that the update model for site extensions are not very great, but I cant fix that. However there has been one update to the siteextension in the last year (I wouldn't exactly call that constantly need for updating). It was trigged by a change in intermediate certificates from Lets Encrypt, not something that I'm in control of. Before that, there was more frequent updates because we were still ironing out bugs and adding features.

The email notification feature from Lets Encrypt works flawlessly for me. If you get a Lets Encrypt warning email then you need to take action, you should never receive it, if everything is working as it should, as the certificate should be renewed 21 days before expiration.

Dont get me wrong, I would love to fix this extension so it was perfect, but to be honest the siteextension model+webjob is not the right fit for the job, however it is still a solution, so for now I consider it to be in support mode for those people who benefit from it. Building an alternative and more perfect solution, based on the knowledge gained from this project, and the advances of Azure, is not something that I'm willing to invest my spare time in, knowing that Microsoft can make it obsolete over night by providing their own certificate service. Something I honestly thought they would have done a long long time ago. The alternative of building a pay-to-use service is in my opinion unfair to an otherwise great open source service from Lets Encrypt. So that leaves us where we are today, not in the most ideal place for a use-case like yours.

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHubhttps://github.com/sjkp/letsencrypt-siteextension/issues/385#issuecomment-789020053, or unsubscribehttps://github.com/notifications/unsubscribe-auth/AFCZ5CTRH7TCWE6X2TMQGD3TBUEPLANCNFSM4YMVHXAQ.

[ohadschn]

Nice timing... App Service Managed Certificate (Preview) Now Supports Apex Domains