by sys42590 1248 days ago
ZeroSSL left an uncanny impression on me when for some reason acme.sh developers made them default instead of Let's Encrypt. This prompted me to switch to a different client (just in case of further worsening of Let's Encrypt support by acme.sh).
3 comments

I prefer ZeroSSL to Let's Encrypt. ZeroSSL has no rate limit, and most importantly they have full ECC support. With Let's Encrypt, even if I request an ECC cert, the intermediate CA is still RSA, drastically increasing the certificate size (they have their reasons of compatibility, but I don't care about that).
Let's Encrypt now has an ECC root and intermediates. You have to request that your account ID be included, after which the intermediate and root certificates will be ECC. More information here: https://community.letsencrypt.org/t/ecdsa-availability-in-pr...
The alternative you suggest has a longer chain of certificates and a more difficult setup. Using ZeroSSL is way easier, with fewer bytes on the TLS handshake.
Do you have a test host with the ZeroSSL chain that you speak of? Use https://aye.sh if you want to try a host using the ECC chain from LE.
So the article is outdated I guess. The length of the chain is the same now.
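The chain-length and handshake-size argument above can be checked directly on a PEM bundle (for example one saved from `openssl s_client -showcerts`). The script below is an added example, not code from any commenter; it assumes only openssl(1) and awk, and the `chain_report` function name is made up here.

```sh
#!/bin/sh
# chain_report FILE: for each PEM certificate in FILE, print the subject,
# the public-key algorithm (RSA vs EC) and the DER-encoded size, then the
# total number of certificate bytes the server would send in the handshake.
chain_report() {
    file="$1"
    total=0
    n=0
    tmp=$(mktemp -d)
    # split the bundle into one file per certificate (cert1.pem, cert2.pem, ...)
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { c++; out = dir "/cert" c ".pem" }
        out { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
    ' "$file"
    for cert in "$tmp"/cert*.pem; do
        [ -f "$cert" ] || continue
        n=$((n + 1))
        subject=$(openssl x509 -in "$cert" -noout -subject | sed 's/^subject= *//')
        alg=$(openssl x509 -in "$cert" -noout -text | sed -n 's/^ *Public Key Algorithm: *//p')
        size=$(openssl x509 -in "$cert" -outform DER | wc -c | tr -d ' ')
        printf '%d: %s | %s | %d bytes\n' "$n" "$subject" "$alg" "$size"
        total=$((total + size))
    done
    rm -rf "$tmp"
    # an all-EC chain with one intermediate is typically well under 1 KiB;
    # an RSA intermediate alone is usually larger than that
    echo "chain: $n certificate(s), $total bytes"
}
```

Run it as `chain_report chain.pem` against the leaf-plus-intermediate bundle each CA hands you, and compare the totals rather than arguing from chain length alone.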

I'll consider switching back to Let's Encrypt once this setup doesn't require a whitelist.

I believe the ZeroSSL chain (really Sectigo) is trusted by more devices than the new ISRG root (mostly old, un-updated ones). Also, ZeroSSL has fewer limits in their ACME implementation. Downsides are that ZeroSSL has some questionable security practices, and also I think ZeroSSL either doesn't support tls-alpn-01 validation or it's just broken.
Which client did you end up on? The list is somewhat overwhelming.
Going to throw another hat into the ring here: I use acme-tiny [1], which is a single file ACME client written in Python in under 200 lines. The idea behind it is that you can fully read and understand everything it does without spending too much time on it. I really like this approach, so I went ahead and started using it, and have been for a few years now.

[1] https://github.com/diafygi/acme-tiny

I too am moving away from acme.sh for the same reason. Dehydrated looks nice but I started using goacme.

https://github.com/go-acme/lego

I wasn't set on only bash though.

dehydrated, as it has few dependencies.