I don’t disagree, but I think I’d rather have seen them add their name to the list of large corporations supporting the ISRG, rather than do their own thing that is less open and more proprietary. AWS has over 1M customers now, and it will be sad to see those folks using ACM when LE might be a better tool for their use case, simply because they were only aware of ACM due to being an AWS customer and getting the marketing piece.
I used this today. They are using email for the domain validation, and pulling the email addresses from the WHOIS record. That means, unless you are living in 2001 and don’t have WHOIS privacy turned on, they can’t get to the emails to send to the registrant/admin/tech/billing contact of record.
And it’s currently only supported in the US East (N. Virginia) region. For sure they will push it to the other regions too, but I’m not sure when. It’s a bit weird though that you can only use the certificate for a specific region and not across all regions.
@grEvenX, yeah, it’s half-baked. They do this all the time to rush to announce things at re:Invent. Elastic File System only works on Linux, NAT Gateway doesn’t have CloudFormation support, they simply have no standard for what generally available products should look like. I think their SDLC is something like:
release half baked
wait for one of their big customers to ask about it/use it a little
have big customer roll up with big trucks full of money
@s3lf yes, I agree that LE seems to be more flexible/open.
If we’re being fair/objective though… the one thing that ACM has that nobody else has is zero-touch renewal/install with no extra scripting or automation on the user’s end. So, once you get your cert and install it on ELB (or a CloudFront distribution), you never have to touch it:
By default, ACM automatically renews ACM Certificates that are being used by other AWS services, such as Elastic Load Balancing and CloudFront. Managed renewal makes configuring and maintaining SSL/TLS for a secure website or application easier and less error prone than manual renewal processes. Managed renewal can help you avoid downtime due to misconfigured, revoked, or expired certificates. Further, managed renewal doesn’t require you to install or maintain a software client or agent on your website. Instead, because ACM is integrated with other AWS services, you can centrally manage and deploy ACM Certificates on the AWS platform from the console, AWS CLI, or API of the integrated service. For a list of supported services, see Services Integrated with AWS Certificate Manager.
ACM attempts to perform automatic renewals on all ACM Certificates before they expire. If ACM is unable to do so, it falls back on alternate renewal methods such as sending validation email to domain registrants. Certificates that can be renewed automatically include those that are being used by AWS resources on a publicly accessible site. This includes certificates for bare domains such as example.com.
At least there is a friendly GUI for it… hope LE gets their shit together and releases some type of GUI or interface plugins for systems such as WHM that make this whole process easier… I’m at my wits’ end with LE.
The letsencrypt python module provides a full API for handling requests (without relying on the cli tool), or there are several different SDKs for various languages implementing ACME that should work just fine.
Keep in mind LE just entered public beta recently and some companies will wait for stable release or even longer before starting to move, no matter how much support is shoved their way.
Exactly, THIS. I don’t live in UNIX and LE is still not a seamless error-free process by any stretch.
All I know is that I’ve been waiting for LE to go live (even in beta) for months. Even after, I still couldn’t easily get a certificate set up and in place without devoting a significant chunk of time to deciphering everything.
With AWS Certificate Manager, I clicked a few buttons and within 20 minutes had a new cert that was ready to install to my Elastic Beanstalk app. Is it perfect or ultimately mass-scalable? Maybe not, but for this minute, it’s insanely easier than LE.
@centerlinescores, to be fair, there’s a major difference here. ACM is a CA deployed as a specific feature of the existing AWS infrastructure. Therefore, I would be really surprised if Amazon had not provided a one-click way to enable and deploy it.
Conversely, LE doesn’t target a specific service or implementation. The goal is larger, and more challenging. LE is essentially a (forgive me the name) Certificate Authority as a Service (CAAAS). It is the responsibility of the various services that will rely on LE to properly integrate LE so that the feature will be easy to use.
Of course, LE is also working to facilitate the integration in several areas, such as for system administrators who want to integrate it directly in their systems via the official client.
To be even more clear, let me give you a practical example. Among all the various services I use, I’m a customer of Dreamhost. They recently deployed a LE integration which is insanely simple, a one-click checkbox, and you can deploy a LE certificate on a hosted domain. That’s an example of how a provider properly integrated LE into their infrastructure, which is exactly what Amazon did with their own internal CA.
Because each service has its own needs/architectures, it will never be possible for LE to cover all the cases.
At least, this is my point of view. But I can be totally wrong.
I never got the sense that LE was intended to cater to the GUI crowd in the near term. It’s intended to be automated with tools you build yourself. It’s not really fair to suggest that LE does not have their shit together, when a GUI was never their goal.
Anyway, there is this project that might be what you are looking for (a web client for LE).
Let’s Encrypt is great, but they have done 3 things that make it suboptimal for many applications:
They don’t support wildcard certs. Not sure there is any way around this given the way it does validation.
Certs expire in 3 months. I still think this was/is a huge policy mistake; they should allow much longer terms, at least 1 year.
MOST IMPORTANT: They still do not fully support AWS. LE is now out of beta, but when you run it on Amazon Linux you still get this message: "WARNING: Amazon Linux support is very experimental at present…
if you would like to work on improving it, please ensure you have backups
and then run this script again with the --debug flag!"
Installing on Amazon Linux is also still non-trivial. I feel like they have deliberately omitted Amazon Linux support, likely because of a fight caused by AWS creating their own service. People running Amazon Linux aren’t going to run software for each of their certs every three months when that software claims it might destroy their setup.
There are many clients that run just fine on Amazon Linux. Certbot is open source, so anyone is free to submit a patch that fixes all remaining issues so the experimental flag can be removed. According to various statistics, Ubuntu is the most commonly used OS even on AWS, and certbot runs just fine on that. On top of that, there are a number of clients that were made specifically for AWS (Certbot even mentions a plugin for CloudFront in their documentation).
Then there's also the fact that client development (for certbot) is now being done under the umbrella of a different organization (the EFF, not ISRG).
I'm not sure why you think there would be any kind of fight. AWS is making TLS deployment easier for their customers, which can only be a good thing for TLS adoption, and from everything we know so far, Amazon is doing a great job at running their CA. This is exactly what Let's Encrypt set out to do, and the fact that more and more companies and CAs are now making things easier, cheaper (or free) and more automated is a success story for Let's Encrypt, not something to fight about.
Thanks for the reply. I guess we all live in our own sub-tech universes, but I just always imagined Amazon Linux being near the top of the priority list for a project like this. I thought this project was the greatest idea ever when I first heard about it last fall and still think so; I’ve just been frustrated waiting for full support for my servers. I still use it and it hasn’t done any damage yet, but every time there is a software update and I still get that warning message, I get nervous running it for the next renewals. The fact that Amazon, with their expansive resources, haven’t contributed this patch still leads me to believe that even if LE doesn’t see this as a fight, AWS just might.