Let's Encrypt agents for long-term certificates. Any potential interest?

I really like to have one too to solve a problem and I like the automation provided by LE agents. What I hear occasionally is that you need to purchase non-Let’s Encrypt certs for some domains - for one reason or another.

The question is if these occasional whispers are more than … whispers.

Edit: removed details to keep the question generic.

Thoughts anyone?

Edit: some agents seem to allow changing the ACME server URL (e.g., certbot has a cmd line switch for that). The main integration difference seems to be the path to challenges (LE vs. other CAs), e.g., acme-challenge vs. pki-validation.

Dan

1 Like

Those CAs that offer long-term certificates have already begun offering them via ACME in a way that’s compatible with Let’s Encrypt agents like Certbot: https://en.wikipedia.org/wiki/Automated_Certificate_Management_Environment#CAs_&_PKIs_that_offer_ACME_certificates

I think it’s mostly reserved in their enterprise products for now, but I imagine they’ll open it up to everyone eventually …

2 Likes

that makes sense - I wasn’t sure how compatible their challenges are with ACME but the integration looked very much like ACME. So yes - we can basically do ACME + automation of the rest. … ok, not quite correct - we’d need to add the initial ACME request to our API to claim the above.

The question is - is it something that could be part of agents that now do only LE?

Is this advertisement or a serious thread?

1 Like

I am serious. Just now trying to estimate effort for building an ACMEv2 server API in PHP. … with an optional “repeater” functionality for LE (the idea is to prevent hitting velocity limits).

Or both!
A Serious Advertisement Thread.

I love your product but you really should reduce the amount of advertising included in your topics.

1 Like

OK, I will try to update the original question.

2 Likes

ok, I have done the first half of a proof of concept - ACME proxy. Thanks to the ACMEv2 signature over the URL, we need to re-wrap messages. It’s not quite what I’d like, but the only other way would be for users to manually configure “hosts”. There are 2 options for forwarding:

  1. create a “proxy” for each user - the advantage is that keys could be encrypted with something derived from the user’s account key/number => we wouldn’t need to keep the whole decryption key
  2. have one account for everyone

1 -> there’s a rate limit (500 / 3h - for IPv6)
2 -> higher impact of a possible account signing key compromise

From a practical point of view - using the proxy means that any cert revocations have to again be done via the proxy.

What is nice - we can monitor rate limits and send warnings when there are too many messages or when a user’s certbots stop working (usually they are hooked to a cron to run once a day or so).

The second part - challenge validation from e.g. Comodo next week.
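To make the “re-wrap” point above concrete: in ACMEv2 (RFC 8555 §6.2) the JWS protected header carries the request URL and the nonce, so a proxy cannot simply forward a client’s signed request to a different CA URL; it has to verify the client’s JWS against the proxy’s own URL, then sign the same payload again with its own upstream account key. The Go program below is an added illustration written for this thread, not code from the proxy described in the post or from any ACME client. It signs an ES256 ACME-style request, shows that patching only the `url` field breaks signature verification, and shows that re-signing with the proxy’s key passes. The URLs, account ids (`kid`) and nonces are constructed sample values, not real Let’s Encrypt identifiers.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
)

// protectedHeader is the ACME JWS protected header (RFC 8555 section 6.2).
// Both "url" and "nonce" are inside the signed data.
type protectedHeader struct {
	Alg   string `json:"alg"`
	Kid   string `json:"kid"`
	Nonce string `json:"nonce"`
	URL   string `json:"url"`
}

// jws is the flattened JSON serialization that ACME requests use.
type jws struct {
	Protected string `json:"protected"`
	Payload   string `json:"payload"`
	Signature string `json:"signature"`
}

var b64 = base64.RawURLEncoding

// signRequest builds an ES256 JWS over (protected header, payload) with the
// given account key, as an ACME client does for a POST to url.
func signRequest(key *ecdsa.PrivateKey, kid, nonce, url string, payload []byte) (jws, error) {
	hdr, err := json.Marshal(protectedHeader{Alg: "ES256", Kid: kid, Nonce: nonce, URL: url})
	if err != nil {
		return jws{}, err
	}
	p, pl := b64.EncodeToString(hdr), b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(p + "." + pl))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return jws{}, err
	}
	sig := make([]byte, 64) // ES256 signature is r||s, 32 bytes each (RFC 7518 section 3.4)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return jws{Protected: p, Payload: pl, Signature: b64.EncodeToString(sig)}, nil
}

// verifyRequest is the server-side check: the signed url must equal the URL the
// request arrived at (RFC 8555 section 6.4) and the signature must validate
// under the account key associated with kid.
func verifyRequest(pub *ecdsa.PublicKey, arrivedAt string, j jws) (bool, error) {
	raw, err := b64.DecodeString(j.Protected)
	if err != nil {
		return false, err
	}
	var hdr protectedHeader
	if err := json.Unmarshal(raw, &hdr); err != nil {
		return false, err
	}
	if hdr.URL != arrivedAt {
		return false, nil
	}
	sig, err := b64.DecodeString(j.Signature)
	if err != nil {
		return false, err
	}
	if len(sig) != 64 {
		return false, errors.New("bad ES256 signature length")
	}
	digest := sha256.Sum256([]byte(j.Protected + "." + j.Payload))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	return ecdsa.Verify(pub, digest[:], r, s), nil
}

// naiveForward is the shortcut that cannot work: rewrite only the url in the
// protected header and keep the client's original signature.
func naiveForward(j jws, upstreamURL string) (jws, error) {
	raw, err := b64.DecodeString(j.Protected)
	if err != nil {
		return jws{}, err
	}
	var hdr protectedHeader
	if err := json.Unmarshal(raw, &hdr); err != nil {
		return jws{}, err
	}
	hdr.URL = upstreamURL
	patched, err := json.Marshal(hdr)
	if err != nil {
		return jws{}, err
	}
	j.Protected = b64.EncodeToString(patched)
	return j, nil
}

// Demo runs both forwarding strategies against a constructed upstream verifier and
// reports whether each is accepted. All URLs, kids and nonces are constructed values.
func Demo() (naiveAccepted, rewrapAccepted bool, err error) {
	const proxyURL, upstreamURL = "https://proxy.example/acme/new-order", "https://ca.example/acme/new-order"
	clientKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	proxyKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	payload := []byte(`{"identifiers":[{"type":"dns","value":"www.example.com"}]}`)
	// 1. The client signs for the proxy's URL; the proxy verifies it under the client's key.
	fromClient, err := signRequest(clientKey, "https://proxy.example/acct/1", "client-nonce-1", proxyURL, payload)
	if err != nil {
		return false, false, err
	}
	if ok, err := verifyRequest(&clientKey.PublicKey, proxyURL, fromClient); err != nil || !ok {
		return false, false, errors.New("proxy rejected the client's request")
	}
	// 2a. Patch the url and forward; even under the client's own key the signature no longer matches.
	forwarded, err := naiveForward(fromClient, upstreamURL)
	if err != nil {
		return false, false, err
	}
	if naiveAccepted, err = verifyRequest(&clientKey.PublicKey, upstreamURL, forwarded); err != nil {
		return false, false, err
	}
	// 2b. Re-wrap: sign the same payload with the proxy's upstream account key, kid and nonce.
	body, err := b64.DecodeString(fromClient.Payload)
	if err != nil {
		return false, false, err
	}
	rewrapped, err := signRequest(proxyKey, "https://ca.example/acct/42", "upstream-nonce-7", upstreamURL, body)
	if err != nil {
		return false, false, err
	}
	rewrapAccepted, err = verifyRequest(&proxyKey.PublicKey, upstreamURL, rewrapped)
	return naiveAccepted, rewrapAccepted, err
}

func main() {
	naive, rewrap, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("url-rewrite forwarded request accepted upstream: %v\n", naive)
	fmt.Printf("re-wrapped request accepted upstream: %v\n", rewrap)
}
```

Because the proxy is the entity that signs toward the CA, the CA only ever sees the proxy’s account, which is exactly why option 2 (one upstream account for everyone) concentrates the blast radius of a signing-key compromise, and why revocations also have to be routed back through the proxy.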

It must be all the turkey…
But this just went way over my head.
[and maybe the alcohol]

2 Likes