AWS announces "Certificate Manager" similar to LE

Looks similar to LE in that certs are free. Some differences:

  • supports wildcard certs
  • appears to auto renew with no additional automation
  • supports SAN but only 10 names per cert (LE supports 100)
  • only usable by AWS services, can’t use them elsewhere

https://aws.amazon.com/certificate-manager/faqs/

http://docs.aws.amazon.com/acm/latest/userguide/acm-overview.html

3 Likes

Good news. Let me check it.

No ECC support:

Q: Does ACM support elliptic curve (ECDSA) certificates?

Not at this time.

The more opportunities people have to secure connections, the better. It’s awesome on Amazon to offer this to their customers.

I don’t disagree, but I think I’d rather have seen them add their name to the list of large corporations supporting the ISRG, rather than do their own thing that is less open and more proprietary. AWS has over 1M customers now, and it will be sad to see those folks using ACM when LE might be a better tool for their use case, simply because they were only aware of ACM due to being an AWS customer and getting the marketing piece.

Yes, I think if we went through the features we'd find quite a few differences. It also seems that the service limits/throttles for LE are much less restrictive than ACM:

However, they do say:

If you need to exceed the following limits, please visit the AWS Support Center and create a case.

As an update:

I used this today. They are using email for the domain validation, and pulling the email addresses from the WHOIS record. That means, unless you are living in 2001 and don’t have WHOIS privacy turned on, they can’t get to the emails to send to the registrant/admin/tech/billing contact of record.

Check this out: http://docs.aws.amazon.com/acm/latest/userguide/gs-acm-validate.html

They do have the option to send to some alternate emails, but it's very weird/awkward compared to LE.

Also, if you want to request a cert for domain.com and www.domain.com, they will actually do a WHOIS lookup and send emails to @www.domain.com.

You can work around this issue via the CLI or SDKs, but it's half-baked, as is the norm with AWS.

1 Like
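As an added example (not from the thread, and not AWS's own code), the following POSIX shell helper applies the CLI workaround mentioned above: it builds the `--domain-validation-options` argument of `aws acm request-certificate` so that the validation mail for every name on the certificate, including www.example.com, goes to the contacts of the apex domain rather than to @www.example.com. It assumes the AWS CLI is installed with credentials configured, and that the apex is the last two labels of each name (names under multi-label public suffixes such as .co.uk are not handled; that simplification is an assumption of this example). Setting `DRY_RUN=1` prints the command instead of running it.

```shell
#!/bin/sh
# Added example, not from the thread: route ACM validation e-mail to the apex
# domain's WHOIS contacts for every name on the certificate.
# Assumption (not from the page): the apex is the last two labels of a name.

# apex_of NAME -> last two labels, e.g. www.example.com -> example.com
apex_of() {
    printf '%s\n' "$1" | awk -F. '{ if (NF < 2) print $0; else print $(NF-1) "." $NF }'
}

# validation_options NAME... -> space-separated shorthand entries, one per name,
# in the form DomainName=<name>,ValidationDomain=<apex>
validation_options() {
    out=""
    for name in "$@"; do
        apex=$(apex_of "$name")
        out="${out:+$out }DomainName=$name,ValidationDomain=$apex"
    done
    printf '%s\n' "$out"
}

# request_cert PRIMARY [SAN...] -> prints the full CLI command and, unless
# DRY_RUN=1, runs it. The primary name is included in the validation options
# so that every name, not only the SANs, validates against its apex.
request_cert() {
    primary=$1; shift
    opts=$(validation_options "$primary" "$@")
    cmd="aws acm request-certificate --domain-name $primary"
    if [ "$#" -gt 0 ]; then
        cmd="$cmd --subject-alternative-names $*"
    fi
    cmd="$cmd --domain-validation-options $opts"
    printf '%s\n' "$cmd"
    [ "${DRY_RUN:-0}" = "1" ] || eval "$cmd"
}

# Usage (constructed names): DRY_RUN=1 request_cert example.com www.example.com
```

The check worth keeping in mind before running it for real: ACM limits a certificate to 10 names, so keep the SAN list within that, and confirm that the apex contacts in WHOIS are reachable (privacy-protected records will still swallow the mail, whichever ValidationDomain is chosen).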

And it’s currently only supported in US East (N. Virginia) region. For sure they will push it to the other regions too, but I’m not sure when. It’s a bit weird though that you can only use the certificate for a specific region and not across all regions :slightly_smiling:

But you can use LE with “every” software.
By the way: Cloudflare also auto-issues certificates for your domain when you CDN-host them via their infrastructure (already available in the free plan)

Technically speaking, they don't "auto-issue" the certificates. They use Comodo ECC certificates and they bundle as many alternate names as they can in a single certificate.

In other words, they are not a CA like Let's Encrypt or Amazon.

@grEvenX, yeah, it's half-baked. They do this all the time to rush to announce things at re:Invent. Elastic File System only works on Linux, NAT Gateway doesn’t have CloudFormation support; they simply have no standard for what generally available products should look like. I think their SDLC is something like:

  • dev
  • release half baked
  • wait for one of their big customers to ask about it/use it a little
  • have big customer roll up with big trucks full of money
  • finish it

@s3lf yes, I agree that LE seems to be more flexible/open.

If we're being fair/objective though... the one thing that ACM has that nobody else has is zero-touch renewal/install with no extra scripting or automation on the user's end. So, once you get your cert and install it on ELB (or a CloudFront distribution), you never have to touch it:

By default, ACM automatically renews ACM Certificates that are being used by other AWS services, such as Elastic Load Balancing and CloudFront. Managed renewal makes configuring and maintaining SSL/TLS for a secure website or application easier and less error prone than manual renewal processes. Managed renewal can help you avoid downtime due to misconfigured, revoked, or expired certificates. Further, managed renewal doesn't require you to install or maintain a software client or agent on your website. Instead, because ACM is integrated with other AWS services, you can centrally manage and deploy ACM Certificates on the AWS platform from the console, AWS CLI, or API of the integrated service. For a list of supported services, see Services Integrated with AWS Certificate Manager.

ACM attempts to perform automatic renewals on all ACM Certificates before they expire. If ACM is unable to do so, it falls back on alternate renewal methods such as sending validation email to domain registrants. Certificates that can be renewed automatically include those that are being used by AWS resources on a publicly accessible site. This includes certificates for bare domains such as example.com.

1 Like

At least there is a friendly GUI for it… hope LE get their shit together and release some type of GUI or interface plugins with systems such as WHM that make this whole process easier… I'm at my wits' end with LE.

The letsencrypt python module provides a full API for handling requests (without relying on the cli tool), or there are several different SDKs for various languages implementing ACME that should work just fine.

Keep in mind LE just entered public beta recently and some companies will wait for stable release or even longer before starting to move, no matter how much support is shoved their way.

Exactly, THIS. I don’t live in UNIX and LE is still not a seamless error-free process by any stretch.

All I know is that I’ve been waiting for LE to go live (even in beta) for months. Even after, I still couldn’t easily get a certificate set up and in place without devoting a significant chunk of time to deciphering everything.

With AWS Certificate Manager, I clicked a few buttons and within 20 minutes had a new cert that was ready to install to my Elastic Beanstalk app. Is it perfect or ultimately mass-scalable? Maybe not, but for this minute, it’s insanely easier than LE.

@centerlinescores to be fair, there’s a major difference here. ACM is a CA deployed as a specific feature of the existing AWS infrastructure. Therefore, I would be really surprised if Amazon would have not provided a one-click way to enable and deploy it.

Conversely, LE doesn’t target a specific service or implementation. The goal is larger, and more challenging. LE is essentially a (forgive me the name) Certificate Authority as a Service (CAaaS). It is the responsibility of the various services that will rely on LE to properly integrate LE so that the feature will be easy to use.

Of course, LE is also working to facilitate the integration in several areas, such as for system administrators who want to integrate it directly in their systems via the official client.

To be even more clear, let me give you a practical example. Among all the various services I use, I’m a customer of Dreamhost. They recently deployed a LE integration which is insanely simple: a one-click checkbox, and you can deploy a LE certificate on a hosted domain. That’s an example of how a provider properly integrated LE into their infrastructure, which is exactly what Amazon did with their own internal CA.

Because each service has its own needs/architectures, it will never be possible for LE to cover all the cases.

At least, this is my point of view. But I can be totally wrong. :slightly_smiling:

I never got the sense that LE was intended to cater to the GUI crowd in the near term. It’s intended to be automated with tools you build yourself. It’s not really fair to suggest that LE does not have their shit together, when a GUI was never their goal.

Anyway, there is this project that might be what you are looking for (a web client for LE)

https://gethttpsforfree.com/

you can search for ‘gethttpsforfree’ here on the forums to get more info about it or contact @diafygi who is the developer.

Hope this helps.

Also, there are TONS of LE client projects out there that would be easy to build a GUI app from:

@centerlinescores check out the list of official clients; there are several Windows options (or frameworks that work on Windows) listed there.

letsencrypt-win-simple: GitHub - win-acme/win-acme: A simple ACME client for Windows (for use with Let's Encrypt et al.)
Windows (.net) client: GitHub - oocx/acme.net: A .net implementation of ACME (Automatic Certificate Management Environment)

complete list:

Let’s Encrypt is great, but they have done 3 things that make it suboptimal for many applications:

  1. They don’t support wildcard certs. Not sure there is any way around this given the way it does validation.
  2. Certs expire in 3 months. I still think this was/is a huge policy mistake; they should allow much longer terms, at least 1 year.
  3. MOST IMPORTANT: They still do not fully support AWS. LE is now out of beta, but when you run it on Amazon Linux you still get this message:

     "WARNING: Amazon Linux support is very experimental at present…
     if you would like to work on improving it, please ensure you have backups
     and then run this script again with the --debug flag!"

     Installing on Amazon Linux is also still non-trivial. I feel like they have deliberately omitted Amazon Linux support, likely because of a fight caused by AWS creating their own service. People running Amazon Linux aren’t going to run software for each of their certs every three months when that software claims it might destroy their setup.

There are many clients that run just fine on Amazon Linux. Certbot is open source, so anyone is free to submit a patch that fixes all remaining issues so the experimental flag can be removed. According to various statistics, Ubuntu is the most commonly used OS even on AWS, and certbot runs just fine on that. On top of that, there are a number of clients that were made specifically for AWS (Certbot even mentions a plugin for CloudFront in their documentation).

Then there's also the fact that client development (for certbot) is now being done under the umbrella of a different organization (the EFF, not ISRG).

I'm not sure why you think there would be any kind of fight. AWS is making TLS deployment easier for their customers, which can only be a good thing for TLS adoption, and from everything we know so far, Amazon is doing a great job at running their CA. This is exactly what Let's Encrypt set out to do, and the fact that more and more companies and CAs are now making things easier, cheaper (or free) and more automated is a success story for Let's Encrypt, not something to fight about.

Thanks for the reply. I guess we all live in our own sub-tech universes, but I just always imagined Amazon Linux being near the top of the priority list for a project like this. I thought this project was the greatest idea ever when I first heard about it last fall, and still think so; I’ve just been frustrated waiting for full support for my servers. I still use it and it hasn’t done any damage yet, but every time there is a software update and I still get that warning message, I get nervous running it for the next renewals. The fact that Amazon, with their expansive resources, haven’t contributed this patch still leads me to believe that even if LE doesn’t see this as a fight, AWS just might.