What's the EU alternative to Let's Encrypt? I see that Actalis is in the default trust store and has a free ACME service, except that it will only do single domain certs so it won't work for my nginx proxy that handles all the TLS.
Turns out that the Actalis single domain certs *can* work for a single nginx that terminates all the TLS connections, it just requires a for-loop and configuration changes so that every server block has its own ssl_certificate and ssl_certificate_key directive. Not a drop-in replacement for Let's Encrypt, but not that much extra work.
and we are now running the v.st sites on the Italian Actalis CA instead of Let's Encrypt!
@th any major issues in doing so?
@cynicalsecurity @th I suppose it leaks every subdomain to the CT log, which may or may not be problematic. And perhaps they have per domain rate limits like LE?
@leoluk @cynicalsecurity we were already leaking the subdomains to the CT log and see probe attempts as soon as renewals happen, regardless of the registrar. Earlier I had a wildcard, but had automation issues with the DNS key required, so I went back to the individual subdomain keys. I really wish it were possible to get a trusted intermediate cert for your own domain so that internal CAs weren't such a pain.
@cynicalsecurity so far no issues, just some config changes (each server{} block now has its own ssl_certificate entry) and a for loop around the call to certbot instead of passing in multiple --domain parameters (so it takes a few minutes rather than a few seconds).
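The "for loop around certbot plus one ssl_certificate per server{} block" pattern described in the posts above, as an added example that is not code from the thread or from Actalis. It assumes certbot as the ACME client with the webroot challenge; the ACME directory URL is a placeholder to be replaced with the CA's real one, the External Account Binding variables are optional and only used if set, and the paths under /etc/letsencrypt and /etc/nginx are my assumptions, not values from the page:

```shell
#!/bin/sh
# Added example, not from the thread: one ACME order per hostname (single-SAN
# certificates only) and one nginx server{} block per hostname, each pointing
# at its own certificate and key.
# Assumptions (mine): certbot, webroot challenge, placeholder directory URL,
# optional EAB credentials via environment, default certbot/nginx paths.
set -eu

ACME_DIRECTORY="${ACME_DIRECTORY:-https://acme.example/directory}"  # placeholder
ACME_EMAIL="${ACME_EMAIL:-hostmaster@example.org}"                   # placeholder
WEBROOT="${WEBROOT:-/var/www/acme}"
CERT_DIR="${CERT_DIR:-/etc/letsencrypt}"
NGINX_SITES="${NGINX_SITES:-/etc/nginx/sites-available}"

# One certbot run per hostname. Never pass several -d flags for one lineage:
# the CA would refuse a multi-SAN order. --cert-name pins the lineage
# directory to the hostname so the nginx paths rendered below are predictable.
issue_one() {
    domain="$1"
    set -- certbot certonly --non-interactive --agree-tos \
        --email "$ACME_EMAIL" --server "$ACME_DIRECTORY" \
        --config-dir "$CERT_DIR" --cert-name "$domain" \
        --webroot -w "$WEBROOT" -d "$domain"
    # External Account Binding, if the CA issues EAB credentials (assumption).
    if [ -n "${ACME_EAB_KID:-}" ]; then
        set -- "$@" --eab-kid "$ACME_EAB_KID" --eab-hmac-key "$ACME_EAB_HMAC_KEY"
    fi
    "$@"
}

# Render the nginx config for one hostname: a port-80 block that serves the
# HTTP-01 challenge and redirects everything else, and a TLS block carrying
# its own ssl_certificate / ssl_certificate_key. This per-block pairing is
# what makes single-domain certificates work behind one terminating nginx.
render_server_block() {
    domain="$1"
    cat <<EOF
server {
    listen 80;
    listen [::]:80;
    server_name ${domain};
    location /.well-known/acme-challenge/ { root ${WEBROOT}; }
    location / { return 301 https://\$host\$request_uri; }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name ${domain};

    ssl_certificate     ${CERT_DIR}/live/${domain}/fullchain.pem;
    ssl_certificate_key ${CERT_DIR}/live/${domain}/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host \$host;
    }
}
EOF
}

# Post-issuance check: the leaf must carry exactly this hostname as a SAN,
# otherwise the block renders but clients reject the handshake.
check_san() {
    domain="$1"
    openssl x509 -in "${CERT_DIR}/live/${domain}/fullchain.pem" \
        -noout -ext subjectAltName | grep -qw "DNS:${domain}"
}

# Usage: ./per-domain-acme.sh issue example.org www.example.org
# Issues one certificate per hostname, verifies the SAN, writes one site
# file per hostname and reloads nginx. Without the "issue" argument the
# script only defines the functions above.
if [ "${1:-}" = "issue" ]; then
    shift
    for domain in "$@"; do
        issue_one "$domain"
        check_san "$domain"
        render_server_block "$domain" > "${NGINX_SITES}/${domain}.conf"
    done
    nginx -t && nginx -s reload
fi
```

Because every hostname is its own order, each one is a separate HTTP-01 validation round trip, which is why the loop takes minutes where a single multi-SAN order took seconds; the per-domain lineage names also mean a renewal hook can reload nginx once after the loop rather than once per certificate.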
@th How are they versus Let's Encrypt as far as the actual management of the CA goes? I know it's all pretty heavily specified with a reasonable baseline these days, but I've had the impression that LE have been out in front at least a little there?
@th what does that look like on the configuration side of things?
@th Ohh thanks! I already have everything in separate server blocks so this would indeed seem to be pretty smooth to switch out.
@th I was looking for a European alternative, too. But that's also all I found (using it now for a single domain).
ZeroSSL was a former Austrian product, but is now bought by an American company. Norwegian Buypass stopped issuing their free SSL certificates last year.
So, yeah, anyone recommending another ACME compatible alternative?
Actalis SSL | European Alternatives (Actalis is an Italian certification authority)
@Kachelkaiser @th Yeah, that's actually the one mentioned allowing only single-domain SSL certificates. And it seems to be the only free European product...
@cayeric @th yes but unfortunately you can't get wildcard certificates in the free plan.
@th It's beyond my tech lingo but is this what you're looking for?

https://social.wildeboer.net/@jwildeboer/114518550476266959

Jan Wildeboer (@jwildeboer@social.wildeboer.net): (soon a blog post) Thinking about setting up a little cooperative called #nerdcert. Where we use letsencrypt style certificate generation, renewals and distribution, with ACME support, but only for certificates that have EKU (Extended Key Usage) entries that go beyond serverAuth, the only thing Google will accept from mid next year :) Context: Thread and replies at https://social.wildeboer.net/@jwildeboer/114517884390728050
@th hmm, OVHcloud (France) is a platinum level sponsor, so I wonder if they would be amenable to setting up an EU offshoot or independent offering? https://www.abetterinternet.org/sponsors/
ISRG might themselves be worth approaching too?
@th DE sovereign tech fund also funds let's encrypt it seems? https://www.abetterinternet.org/sponsors/
@th Not for free, but 3 wildcards for 20,- a month...

Ideally, I'd see this as a non-profit that won't sell out. Any company solution is just going to be bought up.

@th [stage whisper] Let's Encrypt is open source... https://github.com/letsencrypt

Perhaps the likes of Hetzner, Mythic Beasts, OVH could find a way to collaborate to offer "Sovereign LE"?

...recognising that there is inevitably a point where the conversation shifts to CA bundles, and whether root CAs like say GlobalSign are sufficiently European.

Let's Encrypt (ISRG) on GitHub: A free, automated, and open certificate authority.

@m A CA is more work than just running a Boulder server. But yes, it would be great if @hetzner, Ionos etc would offer a European "Let's Encrypt" that is also affordable to hobbyists with a lot of domains.
@th last time I checked Actalis would generate the private key for you for S/MIME certs. No thanks!
@th ... are we finally starting to see a dawning awareness that requiring centralized authorities to sign off on encrypting information is a less than stellar idea?
@th objectively this is exactly the kind of service the EU should set up...