Let's Encrypt agents for long-term certificates. Any potential interest?

I would really like to have one too, to solve a problem, and I like the automation provided by LE agents. What I hear occasionally is that you need to purchase non-Let's Encrypt certs for some domains, for one reason or another.

The question is whether these occasional whispers are more than … whispers.

Edit: removed details to keep the question generic.

Thoughts anyone?

Edit: some agents seem to allow changing the ACME server URL (e.g., certbot has a command line switch for that). The main integration difference seems to be the path to challenges (LE vs. other CAs), e.g., acme-challenge vs. pki-validation.

Dan

Those CAs that offer long-term certificates have already begun offering them via ACME in a way that’s compatible with Let’s Encrypt agents like Certbot: https://en.wikipedia.org/wiki/Automated_Certificate_Management_Environment#CAs_&_PKIs_that_offer_ACME_certificates

I think it’s mostly reserved in their enterprise products for now, but I imagine they’ll open it up to everyone eventually …

That makes sense. I wasn't sure how compatible their challenges are with ACME, but the integration looked very much like ACME. So yes, we can basically do ACME + automation of the rest. ... OK, not quite correct: we'd need to add the initial ACME request to our API to claim the above.

The question is: is it something that could be part of agents that now only do LE?

Is this advertisement or a serious thread?

I am serious. I am just now trying to estimate the effort for building an ACMEv2 server API in PHP ... with optional "repeater" functionality for LE (the idea is to prevent hitting velocity limits).

Or both!
A Serious Advertisement Thread.

I love your product but you really should reduce the amount of advertising included in your topics.

OK, I will try to update the original question.

OK, I have done the first half of a proof of concept: an ACME proxy. Thanks to the ACMEv2 signature over the URL, we need to re-wrap messages. It's not quite what I'd like, but the only other way would be for users to manually configure "hosts". There are two options for forwarding:

  1. create a "proxy" for each user - the advantage is that keys could be encrypted with something derived from the user's account key/number, so we wouldn't need to keep the whole decryption key
  2. have one account for everyone

1 -> there's a rate limit (500 / 3h, for IPv6)
2 -> higher impact of a possible account signing key compromise

From a practical point of view, using the proxy means that any cert revocations again have to be done via the proxy.

What is nice is that we can monitor rate limits and send warnings when there are too many messages or when a user's certbot stops working (usually they are hooked to a cron job to run once a day or so).

The second part, challenge validation from e.g. Comodo, next week.
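
To make the re-wrapping point concrete, here is an added Go example (my own illustration, not code from this thread or from any ACME implementation). It builds an ACME JWS whose protected header binds the request URL as RFC 8555 §6.2 requires, shows that a client-signed request cannot simply be forwarded to a different (upstream) URL because the CA checks the signed "url" against the URL it received the request at, and then re-signs the identical payload with the proxy's own upstream account key. All URLs, nonces and account kid values are made up, and the sample newOrder payload is constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
)

// ErrURLMismatch is returned when the "url" bound into the protected header
// differs from the URL the request was actually sent to (RFC 8555 §6.4).
var ErrURLMismatch = errors.New("jws url header does not match request url")

// ProtectedHeader is the ACME JWS protected header (RFC 8555 §6.2).
type ProtectedHeader struct {
	Alg   string `json:"alg"`
	Kid   string `json:"kid"`
	Nonce string `json:"nonce"`
	URL   string `json:"url"`
}

// JWS is the flattened JSON serialization ACME requires.
type JWS struct {
	Protected string `json:"protected"`
	Payload   string `json:"payload"`
	Signature string `json:"signature"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignACME signs payload with an ES256 account key, binding kid, nonce and the
// request URL into the protected header. The ES256 signature is the raw 64-byte r||s.
func SignACME(key *ecdsa.PrivateKey, kid, nonce, url string, payload []byte) (JWS, error) {
	hdr, err := json.Marshal(ProtectedHeader{Alg: "ES256", Kid: kid, Nonce: nonce, URL: url})
	if err != nil {
		return JWS{}, err
	}
	protected, body := b64(hdr), b64(payload)
	digest := sha256.Sum256([]byte(protected + "." + body))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return JWS{}, err
	}
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return JWS{Protected: protected, Payload: body, Signature: b64(sig)}, nil
}

// VerifyACME is what a CA (or our proxy) does on receipt: check the signature,
// then check that the signed "url" is the URL this request arrived at.
func VerifyACME(pub *ecdsa.PublicKey, requestURL string, j JWS) (ProtectedHeader, error) {
	var hdr ProtectedHeader
	raw, err := base64.RawURLEncoding.DecodeString(j.Protected)
	if err != nil {
		return hdr, err
	}
	if err := json.Unmarshal(raw, &hdr); err != nil {
		return hdr, err
	}
	if hdr.Alg != "ES256" {
		return hdr, fmt.Errorf("unsupported alg %q", hdr.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(j.Signature)
	if err != nil || len(sig) != 64 {
		return hdr, errors.New("malformed ES256 signature")
	}
	digest := sha256.Sum256([]byte(j.Protected + "." + j.Payload))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return hdr, errors.New("bad signature")
	}
	if hdr.URL != requestURL {
		return hdr, ErrURLMismatch
	}
	return hdr, nil
}

// Rewrap is the proxy step: the client's JWS is bound to the proxy URL, so it
// cannot be forwarded to the upstream CA verbatim. The proxy verifies it against
// its own URL, then signs the identical payload with the proxy's upstream account
// key, the upstream kid, a nonce fetched from upstream, and the upstream URL.
func Rewrap(clientPub *ecdsa.PublicKey, proxyURL string, in JWS,
	proxyKey *ecdsa.PrivateKey, upstreamKid, upstreamNonce, upstreamURL string) (JWS, error) {
	if _, err := VerifyACME(clientPub, proxyURL, in); err != nil {
		return JWS{}, fmt.Errorf("rejecting client request: %w", err)
	}
	payload, err := base64.RawURLEncoding.DecodeString(in.Payload)
	if err != nil {
		return JWS{}, err
	}
	return SignACME(proxyKey, upstreamKid, upstreamNonce, upstreamURL, payload)
}

func main() {
	client, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	proxy, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	// Constructed sample newOrder payload; hypothetical URLs, kids and nonces.
	payload := []byte(`{"identifiers":[{"type":"dns","value":"example.com"}]}`)
	j, _ := SignACME(client, "https://proxy.example/acme/acct/1", "nonce-1", "https://proxy.example/acme/new-order", payload)
	_, err := VerifyACME(&client.PublicKey, "https://ca.example/acme/new-order", j)
	fmt.Println("forward unchanged to upstream:", err) // ErrURLMismatch
	out, _ := Rewrap(&client.PublicKey, "https://proxy.example/acme/new-order", j, proxy, "https://ca.example/acme/acct/42", "nonce-2", "https://ca.example/acme/new-order")
	_, err = VerifyACME(&proxy.PublicKey, "https://ca.example/acme/new-order", out)
	fmt.Println("re-wrapped for upstream:", err) // <nil>
}
```

Because the upstream CA only ever sees the proxy's account key and kid, the upstream CA attributes every order, and every later revocation, to the proxy's account; that is exactly why revocations have to go back through the proxy, and why a single shared upstream account concentrates the impact of a key compromise.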

It must be all the turkey…
But this just went way over my head.
[and maybe the alcohol]
