by eric_b 1594 days ago
For everyone here saying "Just use Let's Encrypt" - well, they've had some security issues over the last couple of years. Most recently [1]. They revoke certs and change challenges seemingly on a whim. I've had a number of fires to put out in the past 12 months because of LE.

Also, good luck using LE in a web farm type environment "easily". Given the challenge limits there's usually a fair bit of plumbing required to get multiple servers on the same domain with the same certificates. It's anything but "just works".

[1] https://www.bleepingcomputer.com/news/security/lets-encrypt-...

3 comments

The instance you linked to wasn't a security issue, it was a compliance issue: https://news.ycombinator.com/item?id=30085948

> Head of Let’s Encrypt here. This is a compliance issue, there is no security or validation integrity risk.

It works for a whole lot of people and use cases. It's not perfect, the whole CA system is pretty terrible, but just as the site says, it's what we've got. The kinds of sites which don't have HTTPS to this day likely don't need high availability. It's sad LE doesn't work well for your use cases, but you shouldn't dissuade people from using it in the many cases where it really does "just work".

If you have cronjobs/scheduled tasks running every day to try and renew the certificate (as recommended), then you'd not have any issues with them revoking. Any certificates that are going to be revoked will be renewed before then; this is how LE works. They gave 5 days' notice, and during that 5-day period any certificates that will be revoked would be renewed.

For multiple servers running the same domain, you can configure them all the same and they will get certificates fine. If required, they will get a new certificate from LE; if this is not required then LE will provide the current certificate to the server. There may be a short time where the actual certificates on two servers may be different, but both would still be considered valid. So there really shouldn't be any plumbing required. (edit: This is dependent on you having a sensible way to load balance them. If you're just running IP round-robin then it's going to be difficult, but that is what scp and custom routes are for.)

I use LE for multiple domains, on multiple systems, internal and external, with no issue. I've even had certificates revoked by LE and it's never had any operational impact.