ACMEv2 and Wildcard Launch Delay


#27

I can’t wait to use it!


#28

If it works as well as your current implementation, then we’re all real excited about it over at our office. Take the time you need :slight_smile:


#29

Thanks for the transparency; I would rather wait for a fully functional update versus a defective one just to hit a date.


#30

If there aren’t any security issues, I would prefer a beta version of ACMEv2 with fully valid certificates that break sometimes rather than this delay.

Lots of companies are waiting for this, since Let’s Encrypt announced it 8 months ago, then delayed it to February, and now it has no date.


#31

I feel your frustration. We have several wildcard certs that are critical to our business that are unfortunately supplied by the Symantec CA which is going to be untrusted by Chrome 66 beta in March, and because this release was coming well before that timeline I felt I could wait to renew them for this V2 release, and move everything over to LetsEncrypt.

On the other hand, they’re offering a service here that others are charging hundreds of dollars a year for, and I really appreciate this effort as a technology professional.

Good luck, guys!


#32

Can anyone confirm for me that once it is available the endpoint URL will be https://acme-v02.api.letsencrypt.org/directory ?
If not, what will it be?
Thanks, and I hope it’s not delayed too long… I’ve been anxiously waiting since this was announced last year! I understand a failed launch would be much worse than a delayed launch though.


#33

A security issue in any Let’s Encrypt issuance frontend wouldn’t just affect Let’s Encrypt’s current or future subscribers, it would affect the entire Internet. :earth_africa:

A decade of trust in all kinds of devices and software is not easily obtained, but it is very easily broken. The Let’s Encrypt staff cannot ever launch anything connected to a real intermediate certificate without the highest degree of vetting.

It’s a lot of work, and no one is more excited to launch this than them! If you’re frustrated then imagine how they must feel. :disappointed_relieved:


#34

Personally, I prefer to be able to have valid certs from the staging env, taking possible pre-release risks on my own responsibility. They can be extremely short-term; let’s say 1 week will work :slight_smile:

Of course, that should not be used in production, but there are so many other applications where valid certs are important but production grade is not necessary.


#35

I think the biggest reason for not doing this is that even issuing short-lived certificates with improper validation will invite ire from Internet users and browsers, so it’s a risk to a CA to launch something before it’s entirely confident that it’s ready even with such a restriction. Browsers are able to entirely remove trust from certificate authorities that make severe mistakes, especially if those mistakes can be attributed to negligence or recklessness.

A related minor inconvenience would be that Certbot (and probably some other ACME clients) renews when a certificate is less than 30 days from expiry (not less than 1/3 of the certificate’s lifetime from expiry). Thus, if this were implemented with a 10-day certificate lifetime, Certbot would always try to renew every such certificate immediately upon the next certbot renew command, which would quickly hit the rate limits. :slight_smile: That suggests that changing the certificate lifetime for any purpose requires more coordination with client development around renewal policies.
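To make the renewal-policy point in the post above concrete, here is an added example (my own code, not Certbot’s or Let’s Encrypt’s) that simulates a daily `certbot renew` run under the two rules the post contrasts: a fixed “renew when fewer than 30 days remain” rule and a lifetime-relative “renew when less than one third remains” rule. The policy functions, the simulation and the sliding-window check are assumptions for illustration; the constructed start date and the 5-per-week figure (standing in for Let’s Encrypt’s duplicate-certificate rate limit) are sample values, not live data.

```python
"""Simulate certificate renewal under two policies and check weekly issuance counts."""
from datetime import datetime, timedelta, timezone


def due_fixed_window(not_before, not_after, now, window_days=30):
    """Certbot-style rule from the post: renew when fewer than `window_days`
    remain before expiry, regardless of how long the certificate lived."""
    return not_after - now < timedelta(days=window_days)


def due_fraction(not_before, not_after, now, fraction=1 / 3):
    """Lifetime-relative rule: renew when less than `fraction` of the
    certificate's total lifetime remains (assumed policy for comparison)."""
    lifetime = not_after - not_before
    return not_after - now < lifetime * fraction


def simulate(lifetime_days, run_days, policy):
    """Run `policy` once per day for `run_days` days and return the day numbers
    on which a new certificate of `lifetime_days` would be issued."""
    t0 = datetime(2018, 3, 1, tzinfo=timezone.utc)  # constructed start date
    lifetime = timedelta(days=lifetime_days)
    not_before, not_after = t0, t0 + lifetime
    renewed_on = []
    for day in range(1, run_days + 1):
        now = t0 + timedelta(days=day)
        if policy(not_before, not_after, now):
            # Issue a fresh certificate with the same lifetime and record the day.
            not_before, not_after = now, now + lifetime
            renewed_on.append(day)
    return renewed_on


def exceeds_weekly_limit(renewal_days, limit=5):
    """Return True if any 7-day window contains more than `limit` issuances
    (`limit` assumed to mirror a duplicate-certificate rate limit)."""
    for start in renewal_days:
        in_window = sum(1 for d in renewal_days if start <= d < start + 7)
        if in_window > limit:
            return True
    return False


if __name__ == "__main__":
    for lifetime in (90, 10):
        for name, policy in (("fixed 30-day", due_fixed_window),
                             ("one-third", due_fraction)):
            days = simulate(lifetime, 28, policy)
            print(f"{lifetime:>3}-day cert, {name:<12} policy: "
                  f"{len(days)} renewals in 28 days, "
                  f"over weekly limit: {exceeds_weekly_limit(days)}")
```

With a 90-day certificate both rules behave identically (first renewal on day 61). With a 10-day certificate the fixed 30-day rule is satisfied every single day, so each daily run issues another certificate and the weekly limit is exceeded within the first week, whereas the one-third rule renews once every 7 days. That is the coordination problem the post describes: a shorter lifetime only works if the client’s renewal trigger is expressed relative to that lifetime.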


#36

Would it be a good idea to put a statement on the homepage, now that the original launch date has passed?


#37

Or Twitter, or the blog, or something else. Anything public. This post on this forum is not easy to find.


#38

Please take your time to do QA. Don’t rush it :wink:


#39

Hi, I can understand that quality is a big point. But in this thread there is no pain point mentioned that caused the delay or needs to be fixed before the roll-out. It is only mentioned that TLS-SNI caused heavy work. I think most of this work was communication and, technically, the switch of TLS-SNI and enabling it for some selected hosting partners. So a new release date and a list of open points that could be tracked would be nice.


#40

3 posts were split to a new topic: Wildcard names incomplete?


#42

A post was merged into an existing topic: Wildcard names incomplete?


#43

A post was split to a new topic: ACMEv2 Endpoint URL


#44

Can you give a time frame, for example whether it will be launched around next week, or in the second half of the month?


#45

Sorry, I have to agree with @stba on this one.

Nobody here is denying the fact that Let’s Encrypt is doing a great job by providing free certificates and keeping our sites secure. But people do have some expectations of them, like of any other provider.

Delays happen in the IT world; a lot of good things get delayed for better-quality finished products, and most of us will not mind this delay. It’s just that it wasn’t communicated properly. Like @stba, I had to go through many links to figure out this delay. About a week ago, I was talking to many customers and advising them not to buy wildcard certificates, as Let’s Encrypt is going to provide them soon. Now I don’t have any answer. A simple update on the homepage or maybe the Twitter feed would have done the job. So I will say poor project management.


#46

I am very grateful for the work you have done. You are changing the internet!


#47

Hear, hear!

Whatever inconveniences may have arisen from the setback regarding the new API’s production deployment PALE in comparison to the value that we have all gotten—for free!—from the great work this organization has done.