Ryan Bolger@tdr BuyPass is a CA offering free certs via ACME (#rfc8555) and is a Norwegian company I believe.
https://www.buypass.com/
https://www.buypass.com/
@jdw 6-day certs from LE will be opt-in and require explicit client support for a new extension to the ACME protocol ( #RFC8555 ) that is still in draft status. More discussion here. https://community.letsencrypt.org/t/6-day-certificates-pinch-me-im-dreaming/230395
6 day certificates!? Pinch me I'm dreaming
Re: This was probably already discussed and I missed it. But, this is exciting! Do we know if the standard ACME way of clamping cert lifetimes (NotBefore / NotAfter) will be utilized? How will revocation (CRLs, namely, since LE is discontinuing OCSP) policies relate to these short lived certs?
@postmodern I use a real domain namespace I own so can easily get globally trusted certs with no additional infrastructure via ACME (#rfc8555).
@art_codesmith Technically it does. An account is required in order to send messages using the ACME protocol (#rfc8555). But an account is just its own key pair and most clients create it for you the first time you get a cert. That doesn’t make it any less awesome though!
@[email protected] Never dealt with Dreamhost or Linode hosting, but I don't see how you can call #LetsEncrypt anything but an incredibly open and publicly beneficial org. Start with the open #RFC8555 (ACME) protocol they pioneered which enables us to get certificates for free from 5 (so far) diff public CAs. Their ACME server, Boulder, is open source on Github. Devs and leadership regularly comment on their public forums about process and policy. How is any of that closed or "internal"?
@blog_reloaded Wouldn’t using certificate automation via ACME #rfc8555 be beneficial in a disaster? Let’s Encrypt is not the only ACME CA offering free wildcard certificates. You might also find the reason you’re resorting to a wildcard cert is because you lack cert automation.
@andyattebery @Paco @pmevzek Cached validations are not technically part of the #rfc8555 protocol though. Just an implementation quirk on some CAs that may go away eventually. Let’s Encrypt currently caches validations for 30 days but has stated they’ll likely drop that down to 10 days or even remove it entirely long term.
@kkarhan @drwho @cacert @letsencrypt Respectfully, I disagree. Recommending certbot as the default non-Windows client is just fine for most people. It’s by far the most popular and well maintained standalone client that exists. Plenty of folks who have snap hatred also install it manually via pip. But if you don’t like it, that’s why other clients exist. The #rfc8555 ACME protocol is also widely open if you wanted to write your own client.
@christophe While better than nothing, those IP certs can’t be obtained via ACME #rfc8555. You must use ZeroSSL’s proprietary API which means your client choice is extremely limited. The free tier through the API is also extremely limited IIRC.
@beepcheck @governa I don’t particularly like that article because it mixes actual CAs with hosting providers and CDNs who may have a cert offering you can only use with their services. Also, any CA that doesn’t support ACME #rfc8555 in 2023 is a non-starter for me. Here’s a better comparison of actually free ACME supporting CAs and their associated limitations. https://poshac.me/docs/v4/Guides/ACME-CA-Comparison/
