Another free CA as an alternative to Let's Encrypt

652 points by Jaruzel, almost 4 years ago

18 comments

throw0101a, almost 4 years ago

> I'm using the acme.sh client but the process will be similar no matter which client you choose to use.

Always nice to see some variety in clients alongside the official Let's Encrypt one.

While we do use the official Python-based client at work at times, whenever I install it via *apt*, and it pulls in a whole bunch of dependencies, it's a bit disconcerting to me.

I'm a bit partial to *dehydrated*, which is a shell script (works under Bash and Zsh): I find it a lot easier to understand. It's handy to put on Linux/POSIX-based appliances like F5s, where the only prerequisites are Bash, cURL, and OpenSSL (and standard Unix tools like sed, grep, *etc*):

* https://devcentral.f5.com/s/articles/lets-encrypt-on-a-big-ip
* https://github.com/EquateTechnologies/dehydrated-bigip-ansible

TekMol, almost 4 years ago

Can this one provide wildcard certificates without having to update DNS entries every three months?

That is the one pain point I have with Let's Encrypt.

PS: Yes, you can automate the DNS updates. That *is* the pain point I am talking about. It is one more moving part. One more dependency on a third party. One more thing to set up. One more thing that can break. One more thing that will rot (APIs always change at some point in time).

Many people seem to solve the "automate DNS" by putting their DNS credentials on the server which serves their website. This is the worst thing from a security perspective. Now someone who breaks into your application can take over your DNS, point your domain to wherever they like *and* get any certificate for it they like. This probably enables them to also overtake your email and then escalate further from there.

Tepix, almost 4 years ago

I'd like to see a free CA for S/MIME certificates once again.

Since more than a year or two, all the free S/MIME certificates that you can get these days have issues:

- some of them are valid less than one year, which is a huge hassle for S/MIME as opposed to HTTPS because you need to keep all your old certificates around

- some of them will not let you use your own private key (I wish I was kidding)

foresto, almost 4 years ago

The screen shot recommends short passwords with one each of upper/lower/numeric/special characters. This policy has never been good. I find it discouraging from a company offering security-related services.

https://scotthelme.co.uk/content/images/2021/08/image-3.png

d33, almost 4 years ago

Just curious... has anyone so far decided to extend the 3-month certificate expiration deadline? I understand that for the intended use case it makes sense, but in some cases it's an overkill and having a CA support such use case could be useful. There's nothing in the technology itself that prevents us from having certs that expire in, say, a year, right?

PinguTS, almost 4 years ago

The author said he randomizes between the 4 free-of-charge SSL providers because of availability and reliability.

What would interest me is whether it would be possible to cross-sign the certificates by all of those 4 and automate this?

Tobu, almost 4 years ago

More interesting to me will be when one of the ACME CAs will implement RFC 8657, ACME-specific CAA parameters.

Currently privilege separation on a server or a TLS terminator doesn't do much for ACME privileges because an exploit anywhere on the request path can use an arbitrary account to obtain new certs.

Binding to a single ACME account in DNS (accounturi=…) would significantly reduce the attack surface, as would requiring non-http validation methods.
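
The CAA binding described in the comment above, as an added example that is not part of the thread: a small Python audit that parses CAA `issue` values and reports records lacking the RFC 8657 `accounturi` or `validationmethods` parameters. The `ca.example` issuer, the record values and the account URI are constructed placeholders, and the example assumes the CA honours these parameters.

```python
# Added example: audit CAA "issue"/"issuewild" values for RFC 8657 parameters.
# All record values below are constructed; the account URI is a placeholder.

def parse_issue_value(value):
    """Split a CAA issue value into (issuer_domain, {param: value}) per RFC 8659."""
    issuer, _, rest = value.partition(";")
    params = {}
    for part in rest.split(";"):
        part = part.strip()
        if not part:
            continue
        tag, sep, val = part.partition("=")
        if not sep:
            raise ValueError(f"malformed CAA parameter: {part!r}")
        params[tag.strip().lower()] = val.strip()
    return issuer.strip().lower(), params


def audit_caa(values):
    """Return (value, finding) pairs for records that leave issuance wider than intended."""
    findings = []
    for value in values:
        issuer, params = parse_issue_value(value)
        if not issuer:
            continue  # an empty issuer (";") forbids issuance, nothing to bind
        if "accounturi" not in params:
            findings.append((value, "any ACME account at this CA may obtain certificates"))
        methods = params.get("validationmethods")
        if methods is None:
            findings.append((value, "all validation methods allowed, including http-01"))
        elif "http-01" in [m.strip() for m in methods.split(",")]:
            findings.append((value, "http-01 allowed: the request path can answer challenges"))
    return findings


SAMPLE_RECORDS = [  # constructed sample data
    "ca.example",
    "ca.example; accounturi=https://ca.example/acme/acct/PLACEHOLDER",
    "ca.example; accounturi=https://ca.example/acme/acct/PLACEHOLDER; validationmethods=dns-01",
    ";",
]

if __name__ == "__main__":
    for value, finding in audit_caa(SAMPLE_RECORDS):
        print(f"{value!r}: {finding}")
```

Every `issue` record in the set has to carry the binding: a single record without `accounturi` still authorizes that CA for any account.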

patrakov, almost 4 years ago

Do I understand correctly that this event also means that ssl.com is the first CA to offer free ECC certificates to the general public?

edwinyzh, almost 4 years ago

It's great to have alternatives although I need nothing more than what Let's Encrypt offers.

PS, do you think there is a chance for a similar service to be available in the future, but for EXE file signing ;)

boramalper, almost 4 years ago

Caddy[0] also uses ZeroSSL[1] alongside Let’s Encrypt.

[0] https://caddyserver.com/docs/automatic-https#overview

[1] https://zerossl.com/

lmeyerov, almost 4 years ago

Do any free TLS LE alternatives handle AWS/GCP/Azure domains? It's been a frustrating usability blocker on tools like Caddy to have a few of the most popular domains singled out, so been curious..

jijji, almost 4 years ago

I like the use of the shuf command to randomize the list, very nice!

user32556, almost 4 years ago

Is there any free CA that supports signing on an IP address? e.g. https://1.1.1.1/

jedisct1, almost 4 years ago

Is there any free CA supporting intermediate/sub certificates?

This is what I would really be looking for in an alternative to Let's Encrypt.

hrez, almost 4 years ago

ssl.com "First, register for a free account. Next, you need to get your API credentials"

yeah, pass

als0, almost 4 years ago

Great to have more choice in the free certificate market

tommica, almost 4 years ago

Nice, thanks to the creator for making this!

15155, almost 4 years ago

Comments like these are always amusing after the latest HN "why you don't need Kubernetes" post - setting up cert-manager is a 5 minute affair.