
489 points gslin | 1 comments
selectnull No.42191822
What I'm most thankful for is the ACME protocol.

Does anyone remember how we renewed certificates before LE? Yeah, private keys were being sent via email as zip attachments. That was a security charade. And as far as I know, it was a norm among CAs (I remember working with several).

Thank you Let's Encrypt.

1. jillesvangurp No.42192138
I still have to go through that bs with some of my setups. Load balancers in cloud environments don't tend to integrate easily with external ACME providers like letsencrypt and the internal ones require moving your domain to them which doesn't always work. And not all cloud providers even have this. Most of them seem to treat ACME as an afterthought.

You can sort of hack this together with scripting via things like terraform, cron jobs, or whatever. But it gets ugly, and the failure mode is that your site stops working if for whatever reason the certificates fail to renew (I've had this happen), which, courtesy of really short lifetimes for certificates, is of course often.

So, I paid the wildcard certificate tax a few days ago so I don't have to break my brain over this. A couple of hundred. Makes me feel dirty, but it really isn't worth days of my time to dodge this for the cost of effectively < 2 hours of my time in $. Twenty minute job to issue the CSR, get the certificate and copy it over to the relevant load balancers.
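The outage the comment above describes (a renewal silently fails and the site goes down when the certificate expires) is the same risk whether renewal is automated or a once-a-year manual CSR job. The check that catches it is a days-to-expiry monitor run against the certificate actually installed on the load balancer. Below is an added example of such a check, written for this page and not taken from the thread or from Let's Encrypt: it pulls `notAfter` straight out of the certificate's DER encoding with a small TLV walk, so it needs nothing beyond the Python standard library. The warn/critical thresholds are assumed defaults, and the sample certificate at the bottom is a constructed certificate-shaped DER structure with no real key, names or signature.

```python
"""Days-to-expiry check for certificates renewed by hand or by a cron job (added
example, not code from the thread). Reads Validity.notAfter out of the DER encoding
using only the standard library; the sample certificate at the bottom is CONSTRUCTED."""
import base64
import re
from datetime import datetime, timedelta, timezone


def _read_tlv(data: bytes, pos: int):
    """Return (tag, value_start, value_end) for the DER TLV starting at pos."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(data: bytes, start: int, end: int):
    """Yield (tag, value_start, value_end) for each element of a constructed value."""
    pos = start
    while pos < end:
        tag, vstart, vend = _read_tlv(data, pos)
        yield tag, vstart, vend
        pos = vend


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the certificate body."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))


def not_after(der: bytes) -> datetime:
    """Extract tbsCertificate.validity.notAfter as an aware UTC datetime."""
    tag, cert_start, _ = _read_tlv(der, 0)               # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs_start, tbs_end = _read_tlv(der, cert_start)   # tbsCertificate ::= SEQUENCE
    fields = list(_children(der, tbs_start, tbs_end))
    if fields[0][0] == 0xA0:                             # optional EXPLICIT [0] version
        fields = fields[1:]
    validity_tag, v_start, v_end = fields[3]             # serial, sigalg, issuer, validity
    if validity_tag != 0x30:
        raise ValueError("validity is not a SEQUENCE")
    time_tag, t_start, t_end = list(_children(der, v_start, v_end))[1]  # notAfter
    text = der[t_start:t_end].decode("ascii")
    if time_tag == 0x17:                                 # UTCTime: YYMMDDHHMMSSZ
        year = int(text[:2])
        text = f"{year + (1900 if year >= 50 else 2000)}{text[2:]}"
    elif time_tag != 0x18:                               # GeneralizedTime: YYYYMMDDHHMMSSZ
        raise ValueError(f"unexpected time tag 0x{time_tag:02x}")
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def utc(year: int, month: int, day: int) -> datetime:
    """Fixed clock helper so runs are reproducible; use datetime.now(timezone.utc) in cron."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def days_remaining(der: bytes, now: datetime) -> float:
    """Days until notAfter; negative once the certificate has expired."""
    return (not_after(der) - now) / timedelta(days=1)


def renewal_status(der: bytes, now: datetime, warn_days: int = 20, crit_days: int = 7) -> str:
    """Classify so a monitor can page before a failed renewal becomes an outage.
    The thresholds are assumed defaults, not anything prescribed by a CA or ACME."""
    days = days_remaining(der, now)
    if days <= 0:
        return "expired"
    if days <= crit_days:
        return "critical"
    return "warning" if days <= warn_days else "ok"


def _tlv(tag: int, value: bytes) -> bytes:
    """Minimal DER encoder, used only to build the constructed sample below."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + value


def sample_certificate(not_after_utctime: bytes) -> bytes:
    """CONSTRUCTED certificate-shaped DER with the given notAfter (not a real cert)."""
    tbs = _tlv(0x30, b"".join([
        _tlv(0xA0, _tlv(0x02, b"\x02")),                                  # [0] version v3
        _tlv(0x02, b"\x01"),                                              # serialNumber
        _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")),  # signature alg
        _tlv(0x30, b""),                                                  # issuer (empty)
        _tlv(0x30, _tlv(0x17, b"240101000000Z") + _tlv(0x17, not_after_utctime)),
        _tlv(0x30, b""),                                                  # subject (empty)
    ]))
    return _tlv(0x30, tbs + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))  # + sigalg, sigvalue


if __name__ == "__main__":
    for cert in (sample_certificate(b"241130000000Z"), sample_certificate(b"241125000000Z")):
        print(f"{days_remaining(cert, utc(2024, 11, 20)):.1f} days: {renewal_status(cert, utc(2024, 11, 20))}")
```

In practice you would feed `pem_to_der()` the certificate read back from the load balancer (or fetched over TLS from the public endpoint, which also catches the "renewed but never deployed" case the manual copy step invites) and wire `renewal_status()` into whatever alerting already exists; `warning` at 20 days leaves time to repeat the CSR-and-copy job before `critical` and `expired`.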