1. 51

  2. 4

    This is great to hear! I’ve been using Let’s Encrypt for a client’s site and it’s been awesome to use.

    1. 1

      Which OS and client?

      1. 1

        Well, the certificates are generated on the server, which is a Linux machine. I’m using the certbot tool to generate the certificates, which admittedly isn’t an ideal choice considering it’s a web app, but it’s the first thing I found, it was easy to get started with, and I didn’t have a whole lot of time to write something that talked to the ACME API directly. That’s for a future update :)

    2. 2

      This is disappointing.

      With an automated, zero-cost CA, there are very few legitimate cases for wildcard certificates, and the risks increase with their use.

      I don’t understand why LE couldn’t simply allow for higher thresholds on certificate issuance, and instead support certificates that are actually a worthwhile goal: free S/MIME that doesn’t involve suckling at the Comodo teat.

      1. 8

        The biggest use case for wildcard certs is SaaS. If I have 10,000 SaaS customers with hosted domains like customer.example.com, LE wouldn’t want to issue (and renew!) that many certs. It also may exceed their rate limiter.

        1. 3

          Yes, this is exactly why I can’t use LE for my business right now.

          1. 2

            LE creates SAN certificates, which let you group together multiple domains under one certificate. So you can use LE for a SaaS product like this if you’re clever about automatically grouping domains together. See: https://letsencrypt.org/docs/rate-limits/

            1. 5

              I know that LE can support up to 100 domains in the same certificate with SAN certificates. But I feel like the complexity implied by grouping domains together is not worth the few hundred bucks of a wildcard certificate.

              1. 2

                I’ve not known many companies that want to publish their full customer list so publicly :)

          2. 4

            What are the risks for wildcard certificates?

            1. 2

              I do like the option when it’s there. For example when SNI is not available and you are running low on IPs.

              1. 0

                The main concern is phishing.

                If you look at your URL bar and see a green lock next to https://www.paypal.com.mysite.biz/login.php, you’re a lot more likely to log in.

                1. [Comment removed by author]

                  1. 3

                    I agree. If you can prove you own the domain, shouldn’t you be able to call your domain whatever you want and get a certificate for it?

                    So the real risk, it seems to me, is in the way you show that proof. If the CA asks for this proof in a way that’s not secure, that to me would be a problem.

                  2. 7

                    You may be interested to know that browsers limit wildcard certs to one level deep, for this reason.

                    1. 2

                      What does this risk have to do with phishing?

                      In any event, the CAs aren’t the right place to solve phishing, services like SafeBrowsing are.

                  3. 1

                    I like supporting wildcards but I do wish they’d dramatically increase the rate limits and decrease the suspension time. Getting banned for a week after a fuckup or bug is nuts.

                    1. 1

                      Agreed 100%.

                  4. 1

                    This is great news! Just last night I realised I needed one for a project, was trying to find the cheapest option. Guess I might wait :D

                    1. 1

                      This is a good candidate for the release tag, since it’s a new feature being released/announced.

                      1. 2

                        Good point. Will remember next time.

                        1. 1

                          No worries. :)