[founderling]

Because there is only one free certificate provider (lets encrypt) and it does not allow wildcard certificates via server authentification.

Having the DNS credentials laying around on the server is not a good idea. So creating wildcard certs via letsencrypt is a huge pain in the ass.

If a webmaster has control over somedomain.com I think that is enough to assume he has control over *.somedomain.com. So I think letsencrypt should allow wildcards to the owner of somedomain.com without dabbling with the DNS.

The way things are now, I don't use ssl for my smaller projects at smallproject123.mydomain.com because I don't want the hassle of yet another cronjob and I sometimes don't want the subdomain to go into a public registry (where all certificates go these days).

[kuschku]

> Having the DNS credentials laying around on the server is not a good idea. So creating wildcard certs via letsencrypt is a huge pain in the ass.

That's absolutely unnecessary

Set a NS record for _acme-challenge.domain.tld to your own nameservers, e.g. ns1.myowndomain.tld

And have your own name servers only serve the _acme-challenge.domain.tld zone.

Now you can just use the RFC DNS updater with your ACME client without any need for credentials for the actual domain.tld zone.

I use this currently with my own kuschku.de domain, you can check it out.

dig +trace @8.8.8.8 _acme-challenge.kuschku.de ANY

[Ajedi32]

There's also ACME-DNS, which is a DNS server designed specifically for that use case: https://github.com/joohoi/acme-dns

[sturgill]

AWS certificates are free. Cloudflare will also put SSL in front of your origin for free.

So if you’re using AWS you get it for free. Or you can slap CloudFront or Cloudflare in front of your origin.

I think the barrier is low enough that I SSL all the things (including my small side projects).

[tbyehl]

> Cloudflare will also put SSL in front of your origin for free.

Used to be everyone complained about CF putting SSL in front of HTTP origins.

However, CF can also issue a CF-signed certificate with a stupid long expiration for your origins[1] and validate it. This is how I fully SSL many of the things while avoiding potential headaches with LE / ACME. Combine with Authenticated Origin Pulls[2] and firewalling to CF's IP ranges[3] for further security.

Of course, that still leaves CF doing a MITM on all my things.

[1] https://blog.cloudflare.com/cloudflare-ca-encryption-origin/

[2] https://blog.cloudflare.com/protecting-the-origin-with-tls-a...

[3] https://www.cloudflare.com/ips/

[mattferderer]

Azure just released free SSLs as well after years of feedback - https://docs.microsoft.com/en-us/azure/app-service/configure...

Static hosts like Netlify & GitHub also enable free SSLs. The barrier is so low most people trip over it.

I am sure there are still very unique edge cases though. If I had one of those edge cases I would sit down & really weigh the pros & cons though of not using HTTPS. I would not take it lightly.

[hitpointdrew]

> AWS certificates are free.

"Free", but you can only use them on AWS stuff. AWS makes it nice and easy (and does a bunch behind the scenes for you). Part of that behind-the-scenes is that they have control of the private key on their side. You want to use the AWS generated cert locally, or on another provider, too bad.

[sturgill]

You’re right, but it’s pretty simple to slap CloudFront (or Cloudflare) ahead of those origins if you need to in a pinch. I don’t work for Amazon (and have no dog in the fight) but I am a fan of AWS. And if you’re ever using AWS for anything, there’s no reason to _not_ use their free certs.

Someone else mentioned Azure having a similar offering (I’ve never played with Azure so I can’t speak to it). And if 2/3 of the providers offer it, I’d imagine GCP will at some point as well.

I love how easy it’s becoming to launch SSL. LetsEncrypt did a lot to make it mainstream. I’ve never used LE but I am grateful for their impact on our industry.

[heydabop]

> I think the barrier is low enough that I SSL all the things (including my small side projects).

Same here. If you have a domain then you should have a cert, it's not that hard today.

My wife wanted a website that's pictures of our dog as a joke, right now it's a single img tag. The second thing I did after that was getting an HTTPS cert and forcing redirection.

[tyingq]

Maybe you saw this, but you can make _acme-challenge.domainA.tld a CNAME to _acme-challenge.domainB.tld. Where domainB is a throwaway domain used only for validation. There are some TLDs that are pretty cheap per year.

[founderling]

That might be a step forward. Still a bit complex, but maybe worth considering.

Would that work for mulitple domains? So I CNAME the _acme-challenge subdomain for all my domains to _acme-challenge.cheapthrowaway.com?

[tyingq]

It's supposed to work as long as your DNS provider can return multiple TXT records. Some can't, due to a lousy UI in the admin panel.

[tialaramex]

Certbot might not do this out of the box but ACME lets you pass one challenge at a time, collect a new one, repeat. The tokens which show you passed a challenge will "keep" for at least hours and it might even be days (when Let's Encrypt was new it was weeks!) so you can collect them up to get your cert over a time period.

So, as long as the challenge taking is serialised you can get away with just giving a single TXT answer at a time.

[kuschku]

You can even just set NS records for _acme-challenge subdomain to your own DNS server.

And then have your acme client auth against that one.

No need for a new domain.

[tyingq]

True, though running your own DNS server or paying for another DNS provider may be similar in effort or expense...as compared to a throwaway cheap TLD domain that comes with DNS.

[kuschku]

As it's a DNS server that only ever serves certificate validation requests, and doesn't need 100% uptime, a normal simple BIND or knot is good enough.

[namibj]

I'd expect it to be built in to certbot like serverauth.

[benjojo12]

There is a 2nd ACME free CA these days based in Norway: https://www.buypass.com/ssl/products/acme

I used it on a pervious post to test it out and it seemed to be fine: https://github.com/benjojo/you-cant-curl-under-pressure/comm...

[founderling]

Did you miss the "free" in my comment or am I missing something?

[benjojo12]

To quote the link in my reply to you:

> Buypass Go SSL

> It is free! Issued in Scandinavia based on the industry standard ACME.

I posted a diff showing the patch you can use to switch go's crypto/acme/autocert to use it.

The CA does sell paid SSL product, but they also have a free ACME endpoint that issues 6 month certs.

Here is an example of what one of the certs look like: https://crt.sh/?id=2075589060

[tyingq]

The wildcart cert from them isn't free, or even inexpensive.

[founderling]

    It is free!

Something might be free there. But not the wildcard certs we are talking about.

[jefftk]

Your post said several things, but one was "there is only one free certificate provider (lets encrypt)". Pointing out that there's actually a second ACME one is a useful response, at least to me, since I think a lot of us still thought LE was the only option.

[necovek]

StartCom/StartSSL used to issue free certificates even before LetsEncrypt appeared, and it was a much bigger hassle to get verified, but at least they were valid for a full year. Not sure if they still do, and they didn't allow for multiple servernames in one cert.

[pricechild]

I run https://github.com/joohoi/acme-dns to solve the wildcard domain problem.

You can run it yourself locally, or trust (why?) the upstream's service.

[founderling]

Can you run it locally on your laptop?

I think you still need a steady hostname pointing to it, right?

[hiddensquid]

Would duckdns.org provide the steady hostname needed?