Hacker News new | ask | show | jobs
by mholt 2050 days ago
ACMEz* ;)

Seconding regecks' comment.

We're gradually making ZeroSSL a default CA for Caddy.

(I am currently implementing multi-CA support into Caddy and CertMagic, so that Caddy will be able to use both Let's Encrypt and ZeroSSL for redundancy. It's the first server to support this!)

This is a good thing for the ecosystem.
2 comments
yjftsjthsd-h 2050 days ago
> We're gradually making ZeroSSL a default CA for Caddy.

As in, replacing LE as the default, or supplementing it? (And if the former, why?)

link
mholt 2049 days ago
Note how I mentioned that Caddy will be the first server to support redundant ACME CAs, so we'll use both ZeroSSL, and Let's Encrypt for redundancy.
link
ptman 2049 days ago
Why ZeroSSL and not e.g. BuyPass?
link
mholt 2049 days ago
BuyPass doesn't support wildcards, and only allows up to 5 subjects per certificate (Caddy only uses 1 SAN, but still) -- and Caddy is a ZeroSSL project. We also prefer shorter cert lifetimes.
link
mehrdadn 2050 days ago
Hi! Could I ask a somewhat unrelated question about using Let's Encrypt with Caddy? I've been trying to help some folks (in education) get wildcard subdomain certificates to work on their Google Cloud machines via lego_deprecated's purported gcloud support in Caddy v2 (we've tried to follow the instructions and all), but we've been running into issues and it's been incredibly frustrating to figure out how to resolve them. I recall one of the errors we got was "No TXT record found at _acme-challenge.subdomain.domain.tld", but it was hard to see all of them because most of the errors we'd see would be rate-limit errors. Things were so much easier and everything worked in Caddy v1, but ever since we upgraded to v2, we have no idea how to make it work with gcloud (the instructions haven't gotten it working for us), and there seems to be a lack of any working examples on the internet. Do you know if anyone has had success with gcloud at all? Would you have any guidance on how to proceed? Currently they're running on expired certificates and we have no idea how to renew them via Caddy, and it's not clear to me how to even do it out-of-band either.
link
mholt 2049 days ago
To avoid Let's Encrypt rate limits, please use the staging endpoint, as documented:

- https://letsencrypt.org/docs/staging-environment/ - https://caddyserver.com/docs/automatic-https#testing

For more help, please ask on our forums! I don't use Google Cloud but it is more likely that somebody there does: https://caddy.community -- otherwise, time to roll up your sleeves and get to work, forge the answer for others, I suppose!

link
mehrdadn 2049 days ago
Okay thanks!
link