ChrisBell.eu

You WILL use LetsEncrypt. StartSSL certs invalid overnight.

“You WILL use LetsEncrypt.”
A client recently complained a securely hosted widget was loading without styling (stylesheet not loading). Seemed to look fine in both Chrome and Firefox.

Then I updated to the most recent version of Firefox, and I could see the issue in all its glory. A hard refresh in Chrome also surfaced the issue - presumably clearing out any cert-related caching.

Google, Mozilla and gang have taken it upon themselves to give my default SSL cert provider (StartSSL) an almighty pasting, stamping countless websites overnight as being “insecure”.

The unfortunate thing is I actually planned on moving over to LetsEncrypt last November, but running certbot caused utter chaos on my server and I decided to stick with what I know best - StartSSL certs.

With my hand forced, I gave LetsEncrypt another shot, this time choosing getssl as the method of installation. It was very satisfying to see the whole process automated, and I’m relatively glad to call myself a late convert. The real test will be in 3 months' time to see if the certificate will automatically renew.

I guess everyone got what they wanted in the end? Everyone except for StartCom, that is.

Further reading

https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/

https://ma.ttias.be/despite-revoked-cas-startcom-wosign-continue-sell-certificates/

http://webmasters.stackexchange.com/questions/103405/installing-startssl-certificate-under-apache-gives-sec-error-revoked-certificate