←back to thread

Let's Encrypt is 10 years old now

(letsencrypt.org)
491 points gslin | 5 comments | 20 Nov 24 06:13 UTC | HN request time: 0.801s | source
Show context
mrtksn ◴[20 Nov 24 07:49 UTC] No.42191644[source]
Hands down one of the greatest services out there, stopped a racket and made the internet secure.

I remember a time when having an HTTPS connection was for "serious" projects only because the cost of the certificate was much higher than the domain. You go commando and if it sticks then you purchase a certificate for a 100 bucks or something.

replies(5): >>42191676 #>>42192385 #>>42192827 #>>42192905 #>>42193198 #
dachris ◴[20 Nov 24 07:55 UTC] No.42191676[source]
There's still enough people out there who don't know better, manually (or auto-renew) purchasing new a certificate every year from their hosting provider like it's 2013.
replies(7): >>42191711 #>>42191799 #>>42191800 #>>42191829 #>>42191872 #>>42191976 #>>42192618 #
technion ◴[20 Nov 24 08:36 UTC] No.42191872[source]
I deal with multiple enterprise applications where idea of scripting a renewal involves playing with scripting headless Chrome.

I'm really not a fan of it but I'm happier paying for a one year cert than doing that

replies(1): >>42191950 #
1. yurishimo ◴[20 Nov 24 08:48 UTC] No.42191950[source]
Sorry if this is a dumb question, but why? If I'm not mistaken, Let's Encrypt supports validation via DNS now so you don't even need to have a working webserver to issue a certificate. Automating a script to perform a renewal should be much simpler than headless Chrome!

If your DNS provider doesn't have an API, that seems like a separate issue but one that is well worth your organization's time if you're working in the enterprise!

replies(3): >>42191989 #>>42192076 #>>42192621 #
2. patrakov ◴[20 Nov 24 08:56 UTC] No.42191989[source]
I guess it is not about renewal but about certificate deployment.
3. blipvert ◴[20 Nov 24 09:12 UTC] No.42192076[source]
You can set up the _acme-challenge (or whatever it is)as a CNAME to point to a domain which does support an API for automating the renewal

(looking in to setting this up for a bunch of domains at work)

4. technion ◴[20 Nov 24 10:42 UTC] No.42192621[source]
Obtaining a certificate via dns doesn't help you install it via a Web interface that takes 20+ clicks and a 15 minute reboot to apply .
replies(1): >>42192850 #
5. pastage ◴[20 Nov 24 11:25 UTC] No.42192850[source]
And open a ticket on a suppliers website, click through four pages with free text input, then send certificate via email.

Lets not talk about key delivery. We will get back the admin cost and of all that in a year if we tunnel them through one of our LBs.