Let's distrust StartCom. Let's encrypt instead
Recently I noticed that the Opera developer browser had started rejecting the SSL certificate used by my server for this website. It worked fine in Opera, Opera beta, Chrome and Firefox on my PC, and Qualsys SSL Labs still reported the domain with an A+ rating, but for some reason the latest Opera Developer builds simply rejected it. As I would discover later, so too did the latest Chrome Canary builds.
I certainly wondered that, so after initially coming up dry I asked for some help from colleagues at work. One very helpful person soon pinpointed the problem: the StartCom CA that my certificate was issued by has now been distrusted by Google (with good reason). Mozilla had already done this too.
Although initial reports were that certificates issued before October 21st 2016 would not be affected by this distrust,
due to a number of technical limitations and concerns, Google Chrome is unable to trust all pre-existing certificates while ensuring our users are sufficiently protected from further misissuance - hence my certificate no longer being accepted.
Despite this distrust being fairly widely reported in the tech press, I had somehow managed to miss this crucial information, and I certainly didn't receive any notifications about it from StartCom themselves either. Regardless, it needed fixing so I had to find a new (ideally also free) SSL CA.
I had heard about the Let's Encrypt project before, but I hadn't really looked into it in depth. It turns out that they really have made it about as painless as it is possible to be to obtain and install SSL certificates. I opted for using the Certbot ACME client in "certonly" mode and configuring Apache manually both for the verification mechanism and installing the certificate, which was a little more work but still very easy. I now have a brand new multi-domain certificate in use by Apache, Dovecot and Postfix on my server. It should get renewed automatically when needed too with a simple cron job.
Then today I wanted to add another subdomain to the certificate. Absolutely no problem - just reissue the command with the new domain added and then reload the services. Literally as simple as that.