Stories
Slash Boxes
Comments

SoylentNews is people

Let's Encrypt Takes Free “Wildcard” Certificates Live

posted by cmn32480 on Wednesday March 14 2018, @02:16PM   Printer-friendly
from the simple-cypers dept.

An Anonymous Coward writes:

Arstechnica reports

In July of 2017, the nonprofit certificate authority Let's Encrypt promised to deliver something that would put secure websites and Web applications within reach of any Internet user: free "wildcard" certificates to enable secure HTTP connections for entire domains. Today, Let's Encrypt took that promised service live, in addition to a new version of the Automated Certificate Management Environment (ACME) protocol, an interface that can be used by a variety of client software packages to automate verification of certificate requests.

[....]Many hosting providers already support the registration of Let's Encrypt certificates to varying degrees. But Let's Encrypt's free certificate offering hasn't been snapped up by some larger hosting providers—such as GoDaddy—who also sell SSL certificates to their customers.

Original Submission

 
This discussion has been archived. No new comments can be posted.
Let's Encrypt Takes Free “Wildcard” Certificates Live | Log In/Create an Account | Top | 75 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 2) by urza9814 on Wednesday March 14 2018, @04:49PM (3 children)

    by urza9814 (3954) on Wednesday March 14 2018, @04:49PM (#652489) Journal

    Seriously. I *really* could have used this about a year ago, but now I've invested quite a lot of time into building a system to work around the requirement to validate each individual subdomain.

    I've got different certs on each VM, but all the VMs are behind one IP address...so some reverse proxy and NAT strangeness lets me twist that service just right so I can have one server generate all the certs (and that's all it does...no web server, no open ports) which then copies the validation files to my web servers. My domains all point to that one IP, and anything hitting port 80 gets redirected to that domain's web server VM which serves the validation files. Then the certs get generated and copied out to whatever server actually needs them. Which was a huge pain to set up, but now I'm not redoing that crap until one of these scripts breaks...

    Of course, that was still easier to set up than the ONE domain that I actually manage the way LE expects you to. I've got one site hosted on Gandi.net, and there's a plugin for the official certbot which lets you generate certs for their infrastructure...but EVERY SINGLE TIME I generate that cert I have to reinstall and reconfigure that plugin first for some reason...

    LE is a huge PITA to use...but it still beats spending a couple hundred bucks for a paid cert. And adding wildcard certs should make it far easier at least in terms of the issues I usually have in my (admittedly non-standard) use case...

    Starting Score:    1  point
    Karma-Bonus Modifier   +1  
    Total Score:   2  

  • (Score: 2) by richtopia on Wednesday March 14 2018, @05:47PM

    by richtopia (3160) on Wednesday March 14 2018, @05:47PM (#652518) Homepage Journal

    My situation is similar as I self-host a number of services in my house, so one IP and reverse proxy to direct traffic. I never implemented HTTPS as my website is just static content, but I probably will setup a wildcard certificate now that they exist. I think it will be particularly nice for firing up new web services in a separate docker container for demonstration purposes that isn't intended for production.

  • (Score: 2) by bob_super on Wednesday March 14 2018, @06:45PM (1 child)

    by bob_super (1357) on Wednesday March 14 2018, @06:45PM (#652541)

    > LE is a huge PITA to use...but it still beats spending a couple hundred bucks for a paid cert.

    How many hours of extra work qualify as "a huge PITA" ?
    Just wondering about diminishing returns.

    • (Score: 2) by urza9814 on Wednesday March 14 2018, @07:12PM

      by urza9814 (3954) on Wednesday March 14 2018, @07:12PM (#652549) Journal

      How many hours of extra work qualify as "a huge PITA" ?

      For me I'd say it was somewhere around 20 (maybe 30?) at a rate of about 5 hours every three months, to get it as fully automated as possible. Usually every time I renew there's some minor issue, but I always manage to fix it in a day after work, so doesn't take all that long. But I think that's probably worse than average -- I'm registering certs for domains that aren't even accessible outside my network, so I have to put in extra effort to get LE to successfully validate those domains. And since it's designed to be automated, it's faster every time you do it as you work out the issues in your automation scripts and as bugs get patched in certbot and other related utilities, so the "cost" will fall over time. If they'd had wildcard certs from the start it probably would have been much faster for me too.

      A basic wildcard cert starts around $150/year, or $15/year/domain, and that would not be entirely pain-free either. I wouldn't say that LE is *always* better than the commercial certs, but I think it's definitely competitive, and can offer significant savings in the right circumstances.