NixOS [1] actually has really great nginx integration with just a single line [2]:
enableACME = true;
This automatically does the ACME thing and sets up systemd units to renew the certificate. Have been using it a while for my (sub)domains and it's worked really well.
I know it's not directly what you've asked for (it's neither apache nor nginx), but the Caddy webserver does just that - almost 0 configuration dealing of the ACME part, auto-redirection from http to https. You still need to tell it what your domain name is, but barely (there's some DNS plugins that make it truely 0 config).
The bug you're thinking of was Caddy would refuse to /start/ if the certificate needed renewing and Let's Encrypt was down.
They fixed that so that it has three weeks grace. Now only if you switch off the server wait until the cert has almost expired (say five days left) then switch it on, Caddy will go "eek, time to renew" and if Let's Encrypt is down it'll give up and the server doesn't start.
This means either Let's Encrypt was down for longer than a decent summer vacation or you switched off your own web site for weeks. Neither of those is a good idea.
No, Caddy never did that. Caddy never stopped serving a site that it started serving. Only by shutting down the server (or sending the appropriate signal) would it stop serving the site.
> We pride ourselves on being an efficient organization. In 2018 Let’s Encrypt will secure a large portion of the Web with a budget of only $3.0M.
I sincerely hope that they don't become like Wikimedia with their ever-increasing scope and bureaucracy. And it might work because Let's Encrypt has a rather specific mission (free TLS certs for everyone), whereas Wikimedia has a rather broad mission (free knowledge/data for everyone).
And for this reason I frowned upon the upcoming wildcard certificates. Adding a new product would cost them, no? I had previously read that wildcard certificates are a non-issue, if the specific certificates are free anyway, as is the obvious case with Let's Encrypt.
wildcard certificates is really only thing missing in their offering. It definitely makes sense for them to also disrupt and offer a quality, more-efficient alternative here.
It's an extension of their offering rather than a new product.
For small deployments you're right. If you have a lot of subdomains coming and going you will hit the Lets Encrypt rate limits real fast. They're generous enough, but I've hit them quite a few times. For certain use cases a wildcard cert just makes way more sense.
One of the things that's very, very difficult with individual certificates and LetsEncrypt's rate limits is to provide subdomains per-customer without leaking details (e.g. usernames) of other customers. If you don't want bob.example.com and alice.example.com on the same certificate, you can have a grand total of 20 users before you hit the rate limits.
This also affects systems like Sandstorm, which use randomly generated, unguessable subdomains per user session per "grain" (document), which may have (small) privacy concerns in some cases. Certificate Transparency would publicly publish every subdomain generated, even if the rate limits weren't a thing.
Wildcard certs really aren't that much trouble to implement. They are more or less removing a restriction that prevented you creating a cert for "*.example.com"
In the long run it might actually save them money by cutting down on the total number of certs their system has to verify and sign.
“If you can't joke about the most horrendous things in the world, what's the point of jokes? What's the point in having humor? Humor is to get us over terrible things.”
― Ricky Gervais
This includes less horrendous things, like the big parties behind LE that request donations? Akamai, Mozilla, Cisco, OVH, Google, etc, I'm pretty sure the running costs of LE is nihil for them. Why ask for donations?
Just saying 'doesn't mean you shouldn't donate' doesn't give ANY reason why you should donate. Those companies want everybody to have https for free right? Then offer it for free and don't start begging for money afterwards? The 2.6 million running costs is change for a party like google, and they pay it with money MADE by raping privacy of the same group of users... you are already paying... why donate?
--
oh your lovely votes forbid me to take the discussion further...
You say makes life easier, but you don't explain how it makes your life easier? Everybody should be capable of running a single openssl command and update configurations of a webserver or other service? (you still need to run LE command, so saves you one handling?)
There are 60+ LE client implementations... because people apparently cant run a single openssl command and update a configuration? Isn't that overkill? In my opinion, for what it 'solves' or how it makes your life easier, it certainly is overkill. And don't forget all the clients need to be maintained, etc etc.
And you certainly underestimate the information that is generated by running LE, the information leaked, (OCSP requests etc) They can monetise it easily (or do shadier things like leak this information to their partners, google Akamai etc), so again, why donate.
> I'm pretty sure the running costs of LE is nihil for them. Why ask for donations?
For one thing, it's not the best idea to depend on a small number of large enterprises for most of your budget. It's not in any way a concern today, but there might come a time when their interests are not aligned with those of the people your organization is trying to protect.
Good question. We are hoping to have a cross-sign from a widely trusted ECDSA root in place. It's non-trivial to make that happen, and it's part of the reason this feature is taking longer than we had hoped.
To be honest it is easy to do multi-sub domain certificates already. Wildcard certificates will only make my life more simple. But unless you need a huge number of sub domains, or dynamic sub domains, it's not really going to change that much.
If anything it will reduce the strain on their servers. Instead of authorising subdomain by subdomain there will be a single authorisation by domain.
It's possible, but a couple of points to consider:
1) Wildcards may have a net negative effect on total issuance if subscribers who were getting many non-wildcard certificates before replace them with a single wildcard. I'm not sure this will be the case, but it could be. I expect wildcards will help move many more sites to HTTPS - perhaps just with fewer actual certs.
2) Wildcard validation from Let's Encrypt will be restricted to DNS validation, and many people don't have the ability to automate modifications to their DNS records. That being the case, it will be a bit more difficult to validate for wildcard certificates than for non-wildcards.
At first I thought it might be so that you could still access their website for support if you had an issue with their CA.
However it seems that https://community.letsencrypt.org/ which would seem a good place to get help is actually using one of their certificates so maybe it's just historical. The certificate dates back to 2015 and expires in next February, maybe they'll replace it by one of their own then.
We set that up before we were an operational CA and it has just never been a high enough priority to replace it. The team that would do it has a lot of other things to do. We'll get around to it at some point.
The broader problem is that expressing changes as percentages is often intrinsically ambiguous. I'm not sure that the way you're choosing to signal the difference is widely appreciated or understood.
It depends on what do you mean by "widely understood". People that deal with numbers know the difference, but other can just read Wikipedia, see https://en.wikipedia.org/wiki/Percentage_point
It may be similar to people not feeling the difference between causation and correlation.
It is a common mistake, I remember that not so long ago my government (Spain) had to amend a law because the initial text incorrectly said % instead of percentage points.
Percentage changes are a scaling factor against the previous number. 1-(new/old) is how it should be calculated. So even though they are comparing two percentages, they can't directly subtract them (new - old). Percentages describe _relative_ change.
Unlike with e.g. prices, the sum total of all web traffic provides a natural ceiling, so new/old (multiplicative) and new/total (additive) are both defensible.
Sure, but you need to be clear about what you're representing. Saying X% implies (because of the % sign and what percentages are...) that its multiplicative while percentage points implies additive (and the article used the %, which made it sound multiplicative, but in reality used the additive value -- lots of confusion!)
People often (incorrectly) use "%" instead of writing out "percentage points". Percentage points increase is the correct figure to use here I think, it's more informative to state that the increase is 21 percentage points than that the improvement is ~50%.
In the short term, some will be worse off, because their current certificates will be valid somewhere between 30 and 90 days, instead of the 0 to 365 that is common with traditional certificates.
Still, it's worth it. I have some private sites that now have TLS thanks to let's encrypt, which were plain HTTP before.
I still wish for a second free, automated CA. Just to have redundancy.
LetsEncrypt has, as the post said, a super tiny (compared to their massive positive impact) budget of just $3 million dollars and the largest companies of the web as backers.
They're never gonna run of of founds - their backers (Mozilla, Akamai, OVH, Cisco, Google, EFF,++++) would never let them.
I could see a situation where, for instance, they do a security audit and are convinced that they need to significantly up their physical or network security to prevent a potential attack.
There's also the possibility of their competitors pushing an agenda with standards bodies that pushes up the cost of PKI to try to freeze them out.
If they charged a token amount I don't think it would be so bad (except for the whole getting it through the bean counters problem), but it would be more lucrative for them to charge people money for raising the rate limits in their system.
Certain people like Akamai are charging exorbitant amounts to manage large numbers of SSL certificates. Just look at their quarterly revenue, it's insane. Other providers could partner with LetsEncrypt and undercut them substantially enough that they could steal customers, but it might mean LetsEncrypt has to scale up their operational limits to do so.
Funny trivia. Recently, our firewall was blocking a ton of smaller websites. Wasn't sure why. Finally got on the phone with Sophos (our firewall manufacturer) to figure out what was going on. Support guy led me through some troubleshooting steps, we discovered that it's blocking Lets Encrypt certificates for whatever reason. He agreed with me that's strange and he'll look into why Lets Encrypt is getting blocked. So strange. Not related to anything at all, just topical trivia.
You could go the keybase route and tie in with various platforms using anywhere that you can post a public message to post "proof".
So if you wanted to sign a windows executable, you'd need to have a microsoft account, and that microsoft account would need a place that you could publicly post a string of text.
Then it's up to the Lets Encrypt service to validate that and cut the certificate
63 comments
[ 3.0 ms ] story [ 134 ms ] thread[1]: https://nixos.org/
[2]: https://nixos.org/nixos/options.html#%3Cname%3E.enableacme
https://github.com/mholt/caddy
(I'm not affiliated, just a happy user)
They fixed that so that it has three weeks grace. Now only if you switch off the server wait until the cert has almost expired (say five days left) then switch it on, Caddy will go "eek, time to renew" and if Let's Encrypt is down it'll give up and the server doesn't start.
This means either Let's Encrypt was down for longer than a decent summer vacation or you switched off your own web site for weeks. Neither of those is a good idea.
So think that qualifies as a good integration.
I sincerely hope that they don't become like Wikimedia with their ever-increasing scope and bureaucracy. And it might work because Let's Encrypt has a rather specific mission (free TLS certs for everyone), whereas Wikimedia has a rather broad mission (free knowledge/data for everyone).
It's an extension of their offering rather than a new product.
This also affects systems like Sandstorm, which use randomly generated, unguessable subdomains per user session per "grain" (document), which may have (small) privacy concerns in some cases. Certificate Transparency would publicly publish every subdomain generated, even if the rate limits weren't a thing.
In the long run it might actually save them money by cutting down on the total number of certs their system has to verify and sign.
Don't forget the past :)
― Ricky Gervais
This includes less horrendous things, like the big parties behind LE that request donations? Akamai, Mozilla, Cisco, OVH, Google, etc, I'm pretty sure the running costs of LE is nihil for them. Why ask for donations?
Definatly for something that makes your life easier ( it does mine)
-- oh your lovely votes forbid me to take the discussion further...
You say makes life easier, but you don't explain how it makes your life easier? Everybody should be capable of running a single openssl command and update configurations of a webserver or other service? (you still need to run LE command, so saves you one handling?)
There are 60+ LE client implementations... because people apparently cant run a single openssl command and update a configuration? Isn't that overkill? In my opinion, for what it 'solves' or how it makes your life easier, it certainly is overkill. And don't forget all the clients need to be maintained, etc etc.
And you certainly underestimate the information that is generated by running LE, the information leaked, (OCSP requests etc) They can monetise it easily (or do shadier things like leak this information to their partners, google Akamai etc), so again, why donate.
PS. I think your issues with Google are severly clouding your judgement.
I wouldn't be so naive about them, but have nice easier life weekend :D
Enjoy your trust in big parties still?
For one thing, it's not the best idea to depend on a small number of large enterprises for most of your budget. It's not in any way a concern today, but there might come a time when their interests are not aligned with those of the people your organization is trying to protect.
shouldn't it get less again? if i use ~8 certs for different servers, i could just get a wildcard for my domain and be done with it...?
If anything it will reduce the strain on their servers. Instead of authorising subdomain by subdomain there will be a single authorisation by domain.
1) Wildcards may have a net negative effect on total issuance if subscribers who were getting many non-wildcard certificates before replace them with a single wildcard. I'm not sure this will be the case, but it could be. I expect wildcards will help move many more sites to HTTPS - perhaps just with fewer actual certs.
2) Wildcard validation from Let's Encrypt will be restricted to DNS validation, and many people don't have the ability to automate modifications to their DNS records. That being the case, it will be a bit more difficult to validate for wildcard certificates than for non-wildcards.
https://letsencrypt.org reports Identrust.
However it seems that https://community.letsencrypt.org/ which would seem a good place to get help is actually using one of their certificates so maybe it's just historical. The certificate dates back to 2015 and expires in next February, maybe they'll replace it by one of their own then.
No no no... That's a gain of 50% (give or take) or 21 percentage points; not a gain of 21%.
It may be similar to people not feeling the difference between causation and correlation.
It clearly doesn't talk about the gain of a percent of a percentage.
This allows a competitor (even a commercial) one to fill in the gap left by letsencrypt if they stop issuing certs.
Still, it's worth it. I have some private sites that now have TLS thanks to let's encrypt, which were plain HTTP before.
I still wish for a second free, automated CA. Just to have redundancy.
They're never gonna run of of founds - their backers (Mozilla, Akamai, OVH, Cisco, Google, EFF,++++) would never let them.
There's also the possibility of their competitors pushing an agenda with standards bodies that pushes up the cost of PKI to try to freeze them out.
If they charged a token amount I don't think it would be so bad (except for the whole getting it through the bean counters problem), but it would be more lucrative for them to charge people money for raising the rate limits in their system.
Certain people like Akamai are charging exorbitant amounts to manage large numbers of SSL certificates. Just look at their quarterly revenue, it's insane. Other providers could partner with LetsEncrypt and undercut them substantially enough that they could steal customers, but it might mean LetsEncrypt has to scale up their operational limits to do so.
I understand though, code signing will be much harder to automate and maybe not so fit for purpose...
So if you wanted to sign a windows executable, you'd need to have a microsoft account, and that microsoft account would need a place that you could publicly post a string of text.
Then it's up to the Lets Encrypt service to validate that and cut the certificate