1. 15

  2. 33

    There’s no flag for “ranty to the point of being misleading”, but I wish there was for this.

    The author is not using LE because of seeing how the sausage is made (in one unnamed implementation), looking at another thing which claims it’s better than LE and failing to deliver. Then writes a post as a warning without actually mentioning which service was bad. Plus a rant about using json in a specific, narrow way, but confusing it with generic json which can be reformatted. There’s no real takeaway from this.

    1. 11

      I wanted a similar flag after reading it. My first reaction was “wait… LE doesn’t work anything like that” before I properly accounted for her move away from LE to some other “modern” thing that she also found unsatisfying.

      I get the gripes about ACME. I really do. But having implemented many ways to submit and vet PKCS#10 (among them CMP a couple different ways, just one of which was CMC) they don’t land for me. ACME and LE were not a degradation of the ecosystem in my view, and I think viewing the “old-school” certificate as less terrifying is likely a sign that the details of that issuance were not scrutinized to the same level.

      This was a misleading rant from a site that I normally don’t find particularly misleading, or all that rant-y.

      1. 3

        ACME and LE were not a degradation of the ecosystem in my view, and I think viewing the “old-school” certificate as less terrifying is likely a sign that the details of that issuance were not scrutinized to the same level.

        I think this is the most important point. As much as we could further improve ACME, it’s already doing better by a lot.

      2. 6

        I have to agree with you. Just a long rant about obscure usage patterns, unnamed services and tools, and a link about long lines being like punting puppies.

        It feels like a developer stuck in their ways, which is fine, but it’s like an old man yelling at clouds, or a get-off-my-lawn mentality.

        Random tangent about line lengths, and a link to a post from 2012 that complains about IDEs and NetBeans from 2008.

        1. 4

          I get where the author is coming from though. Quickly glancing over the ACME RFC makes me want to pull my hair out.

          These protocols are not designed to be as simple as possible, i.e. an exact match for the problem they try to solve (get a CA signed cert on your disk), but an opportunity to pull in as many “standards” as one can, i.e. the by now ubiquitous “solution looking for problem” disease.

          Perhaps this is a bit too cynical, but with a self-signed TLS client certificate (your account credential) and a few simple HTTP “form” POST requests you pretty much have everything you need to implement domain validation. No need for JSON, let alone JOSE/JWTs.

          1. 5

            I’ve read the RFC, but don’t find it bad at all. Sure, you could use form post encoding instead, but then the RFC would have to grow to explain how you sign every request, how to annotate algorithms, how to deal with invalid parameters, how to prevent replay issues, etc. Then it would have to be updated every time there’s a change to JWT-equivalents and others. I believe they made a good choice of saying basically “for signing details look at this other RFC”. They did a good job of describing the needed minimum + providing extension points.
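To make the “sign every request, annotate the algorithm, prevent replay” points concrete, here is an added example (not from the thread, not from any ACME implementation) of the request shape RFC 8555 builds on JWS: a protected header carrying `alg`, a server-issued single-use `nonce`, the request `url` and the account `kid`, signed with ES256. It is a deliberately simplified in-memory model, with no HTTP transport and one fixed algorithm; the account id and endpoint URL are placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
)

// Constructed, simplified model of RFC 8555 request signing (not a real client or
// server): the protected header carries alg, nonce, url and the account kid.
type protectedHeader struct {
	Alg   string `json:"alg"`
	Nonce string `json:"nonce"`
	URL   string `json:"url"`
	Kid   string `json:"kid"`
}

type jws struct{ Protected, Payload, Signature string }
var b64 = base64.RawURLEncoding

type acmeServer struct {
	nonces   map[string]bool             // issued and not yet consumed
	accounts map[string]*ecdsa.PublicKey // kid -> registered account key
}

// newNonce stands in for the Replay-Nonce header of a real ACME server.
func (s *acmeServer) newNonce() string {
	buf := make([]byte, 16)
	rand.Read(buf)
	n := b64.EncodeToString(buf)
	s.nonces[n] = true
	return n
}

// signRequest (client side): ES256 over base64url(header) + "." + base64url(payload).
func signRequest(key *ecdsa.PrivateKey, kid, nonce, url string, payload []byte) (jws, error) {
	hdr, _ := json.Marshal(protectedHeader{Alg: "ES256", Nonce: nonce, URL: url, Kid: kid})
	p, pl := b64.EncodeToString(hdr), b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(p + "." + pl))
	r, sv, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return jws{}, err
	}
	sig := make([]byte, 64) // JWS ES256 signature encoding: fixed-width R || S
	r.FillBytes(sig[:32])
	sv.FillBytes(sig[32:])
	return jws{p, pl, b64.EncodeToString(sig)}, nil
}

// verifyRequest (server side) checks alg, account, url binding, nonce and signature,
// then spends the nonce so the identical JWS cannot be replayed.
func (s *acmeServer) verifyRequest(req jws, requestedURL string) ([]byte, error) {
	var hdr protectedHeader
	hdrBytes, err := b64.DecodeString(req.Protected)
	if err != nil || json.Unmarshal(hdrBytes, &hdr) != nil {
		return nil, errors.New("malformed protected header")
	}
	pub, known := s.accounts[hdr.Kid]
	switch {
	case hdr.Alg != "ES256":
		return nil, errors.New("badSignatureAlgorithm")
	case !known:
		return nil, errors.New("accountDoesNotExist")
	case hdr.URL != requestedURL:
		return nil, errors.New("malformed: protected url does not match request url")
	case !s.nonces[hdr.Nonce]:
		return nil, errors.New("badNonce: unknown or already used nonce")
	}
	sig, err := b64.DecodeString(req.Signature)
	if err != nil || len(sig) != 64 {
		return nil, errors.New("malformed signature")
	}
	digest := sha256.Sum256([]byte(req.Protected + "." + req.Payload))
	r, sv := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, sv) {
		return nil, errors.New("bad signature")
	}
	delete(s.nonces, hdr.Nonce) // spend the nonce only once the request is fully valid
	return b64.DecodeString(req.Payload)
}

// runDemo: one valid request, the same JWS at another URL, then a replay at the
// original URL. Each result is nil when the server accepted the request.
func runDemo() (first, wrongURL, replay error) {
	srv := &acmeServer{nonces: map[string]bool{}, accounts: map[string]*ecdsa.PublicKey{}}
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	srv.accounts["acct-1"] = &key.PublicKey             // placeholder account id
	const url = "https://ca.example/acme/new-order"     // placeholder endpoint
	req, _ := signRequest(key, "acct-1", srv.newNonce(), url, []byte(`{"identifiers":[]}`))
	_, first = srv.verifyRequest(req, url)
	_, wrongURL = srv.verifyRequest(req, url+"/other")
	_, replay = srv.verifyRequest(req, url)
	return
}

func main() {
	fmt.Println(runDemo())
}
```

The three results show what the JWS envelope buys over a plain form POST: the first request is accepted, presenting the same signed blob at a different endpoint fails on the `url` binding, and sending it again at the right endpoint fails on the consumed nonce. All of that is exactly the machinery a form-encoded alternative would have had to re-specify.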

        2. 11

          I immediately deleted my account and marked the experience as one worthy of warning others.

          I don’t understand why the name of the company isn’t in there, then. Is it meant to be obvious from context?

          1. 1

            I think it’s https://zerossl.com/ but they have a pricing link on the homepage, so I don’t really like the argument that it was hidden.

          2. 8

            The author has posted a follow-up.

            1. 7

              Has something changed at Let’s Encrypt? I have had a free account for a long time. I use it with over two dozen domains regularly. Never ran into limits. Did OP misread some fine print or is it just negative mood from the outset?

              1. 8

                This isn’t about Let’s Encrypt.

                found this other site which claimed to be better than LE and which used relatively simple HTTP requests without a bunch of funny data types.

                I went through all of their API docs.

                It was this unnamed other site with the ostensibly better api that had the limits.

                1. 2

                  Yeah, same. Would be nice if that blog post included some links/citations.

                  1. 1

                    It was some unnamed other, similarly “not old school” site that is getting lumped in with Let’s Encrypt which had the limitations. I was similarly tripped up on my first couple reads of this post.

                  2. 6

                    I’ve always used acme_tiny.py, https://github.com/diafygi/acme-tiny as my letsencrypt client. It’s short, reasonably readable & does the bare minimum required to grab a cert & get out of your way.

                    1. 6

                      The simplicity of caddy (both for general setup and as an ACME client) coupled with the quality of its reverse proxy implementation leave me using it most of the time I want a cert from LE these days.

                      1. 4

                        I am very much in the same camp. I now use Caddy or Traefik depending on context, give it a Cloudflare DNS API key, and let it do its magic. Gets a wildcard cert, smartly re-uses it for matching domains.

                        In the context of caddy, the config file is tiny and does so much by default. I use it primarily nowadays.

                        1. 3

                          Caddy uses the certmagic package to manage auto-renewal of certs, via Let’s Encrypt, for the configured domain names. There is an autocert package with similar functionality in the golang.org/x/crypto module.

                          So, if anyone doesn’t want to use caddy or prefers to write their own HTTPS reverse proxy, with autocert it is as simple as:

                          import (
                              "log"
                              "net/http"
                              "time"

                              "golang.org/x/crypto/acme/autocert"
                          )

                          domains := []string{"example.com"} // placeholder; list your own host names here
                          m := autocert.Manager{
                              Prompt:      autocert.AcceptTOS,
                              Cache:       autocert.DirCache("dir/to/save/certs"),
                              HostPolicy:  autocert.HostWhitelist(domains...),
                              RenewBefore: 28 * 24 * time.Hour, // renew roughly 28 days before expiry
                          }
                          s := http.Server{
                              Addr:      ":443",
                              Handler:   revProxy, // your multi-host reverse proxy implementation
                              TLSConfig: m.TLSConfig(), // serves certs from the cache and answers the tls-alpn-01 challenge
                          }
                          log.Fatal(s.ListenAndServeTLS("", ""))

                          (Arguably, the examples in the package docs are even simpler—a one-liner, but I wanted to make some things, such as accepting the terms of service, explicit here.)

                          This listens on port 443, obtains the necessary TLS certs, writes them to disk at the specified path, and renews them in a background goroutine 28 days before their expiries. You can also add/remove domains in the list and restart the program; autocert handles the change transparently—obtaining only the missing certificates.

                    2. 5

                      You can do a DNS ACME challenge for a wildcard cert if you really want to. The other thing I do not want to do is manually go out, do the CSR, email Verisign, pay them $100, etc. etc. etc. I personally think that the demise of self-signed certificates was a sad day because the only certificates that I trust are the ones I sign myself.

                      1. 1

                        You can still make your own root certificate and use that to mint leaf certificates.
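As an added illustration of the “own root, mint your own leaves” approach (example code written for this thread, not anything from the discussion or from any named tool), here is a minimal private PKI using Go’s standard crypto/x509: a self-signed root with pathlen 0, short-lived server leaves with a SAN, and a verifier that trusts only an explicit root pool, never the system store. The CA name, host name and lifetimes are placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed private-PKI example (not a real tool): a self-signed root that is
// trusted only where you install it, plus leaf certificates minted from it.
func serial() *big.Int {
	n, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		panic(err)
	}
	return n
}

// create generates a fresh P-256 key for tmpl and has parent sign it; with a nil
// parentKey the certificate is self-signed (the root case).
func create(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parentKey == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newRootCA mints a self-signed CA restricted to signing leaves only (pathlen 0).
func newRootCA(name string, lifetime time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return create(&x509.Certificate{
		SerialNumber:          serial(),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(lifetime),
		IsCA:                  true,
		BasicConstraintsValid: true,
		MaxPathLenZero:        true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil)
}

// issueLeaf mints a server certificate for one DNS name, signed by the CA key.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string, lifetime time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return create(&x509.Certificate{
		SerialNumber: serial(),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // the SAN is what verifiers match against
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
}

// verifyLeaf does what a client that trusts only your root would do: build the
// chain against an explicit root pool (never the system store) for one host.
func verifyLeaf(leaf, root *x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	if root != nil {
		pool.AddCert(root)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     pool,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// demo issues one leaf and returns the verification results for the right host,
// a wrong host, and a client that holds no trusted root at all.
func demo() (ok, wrongHost, untrusted error) {
	root, rootKey, err := newRootCA("Example Private Root CA", 365*24*time.Hour)
	if err != nil {
		return err, err, err
	}
	leaf, _, err := issueLeaf(root, rootKey, "intranet.example", 24*time.Hour)
	if err != nil {
		return err, err, err
	}
	return verifyLeaf(leaf, root, "intranet.example"),
		verifyLeaf(leaf, root, "other.example"),
		verifyLeaf(leaf, nil, "intranet.example")
}

func main() {
	fmt.Println(demo())
}
```

The two failing checks are the point of running a private root: a leaf is only good for the name in its SAN, and a client that has not been given your root accepts nothing, so trust is exactly as wide as where you chose to install that one certificate.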

                      2. 3

                        She didn’t name the cert provider, but my guess is that it’s ZeroSSL. I looked into them when Let’s Encrypt switched its upstream CA, and something I used didn’t support the new LE CA. I didn’t examine the ZeroSSL API, but I recall it wasn’t quite certbot-compatible, in a frustrating way.