It feels like just yesterday I was paying for certs, or worst, just running without.
Can't believe its been ten years.
replies(1):
Can't believe its been ten years.
The lack of understanding from us as technologists for people who would have had a working site and are now forced into either: an oligopoly of site hosting companies, or, for their site to break consistently as TLS standards rotate is one thing that brings me shame about our community.
You can come up with all kinds of reasons to gatekeep website hosting, “they have to update anyway” even when updating means reinstallion of an OS, “its not that hard to rotate” say people with deep knowledge of computers, “just get someone else to do it” say people who have a financial interest in it being that way.
Framing people with legitimate issues as weirdo’s is not as charming as you think it is.
However, if you already have bought a domain name, the cost of setting up TLS is basically 0. You just run certbot and give it the domains you want to license. It will set up auto-renew and even edit your Apache/NGINX configs to enable TLS.
Sure, TLS standards rotate. But that just means you have to update Apache/NGINX every like 5 years. Hardly a barrier for most people imo.
certbot is a python program, better hope it keeps working- it’s definitely not kept working for me and I’m a seasoned sysadmin. a combination of my python environment becoming outdated (making updates impossible) and a deprecation of a critical API needed for it to work.
The #1 cause of issues with a hobby website: darkscience.net is that it refuses to negotiate on Chrome because the TLS suites are considered too old, yet in 2020 I was scoring A+ on Qualys SSL report.
Its just time, time and effort and its wasted mostly.
The letsencrypt tools are really wonderful, just pray they don’t break, and be ready to reinstall everything from scratch at some point.
certbot is not even close to the pinnacle of easy TLS setup. Using an HTTP server that fully integrates ACME and tls-alpn-01 is much nicer: tell your server what domain you use, and it automatically obtains a certificate.
There is also https://github.com/srvrco/getssl which is a bash script. I have lightly audited it years ago and it did not seem to upload your private keys anywhere... I've used it occasionally, but I don't let it run as root, so I need to copy the retrieved certs into the the server config manually.
Larger point is regarding the fact that its required for what amounts to a poster on a wall: yes, someone can come along with a pen an alter the poster- but its not worth the effort to secure for most people and will degrade rapidly with such security too.
So, instead they turn to middlemen, or don’t bother.
Theres a myriad of other issues, but, its not as easy as we claim.
You could try out acme.sh that's written purely in shell. It's extremely capable and supports DNS challenge and multiple providers