[be warned… this post is a rant]
Today sslforfree partnered with ZeroSSL. I needed to renew my certificate anyway, so I figured I would try out their new features. It didn’t go well. Long story short: unless you pay them, you can get a max of three certificates, each only being able to secure one domain (without subdomains or wildcards). This is a massive step down from the old sslforfree, which gave you unlimited domains, subdomains and wildcards all on one certificate for free. Their free only applies to a limited amount of very basic certificates. I guess it’s good if you’re just starting out with SSL and don’t want to use certbot; otherwise it’s practically useless for anyone looking for actually free SSL.
From what I’ve read here apilayer has been buying up all the Let’s Encrypt web client sites and monetizing them. Another one bites the dust.
(I’m making some assumptions about your setup here.) Your best bet is to probably run a Windows-based ACME client with support for the DNS-01 challenge. Then you could move the resulting certificates wherever you need to if automation is not possible.
local JS only, so you can save the page and run it.
Source code: https://github.com/diafygi/gethttpsforfree
But it needs more technical knowledge than other sites (no CSR/account key gen).
apilayer has been trying to buy up other clients as well. They offered me cash to take control of Posh-ACME as well as a monthly stipend to keep maintaining it and claimed everything would stay the same except for adding some ZeroSSL branding. The potential for these sorts of shenanigans is exactly why I turned them down.
your best bet is to probably run a Windows-based ACME client with support for the DNS-01 challenge
Coincidentally, Posh-ACME fits that bill perfectly. Here’s the list of supported DNS providers.
maybe it’s time to get back in to the client writing game
I just finished my Azure LogicApps for Let’s Encrypt
I have a few webservers hosted on VPS and after seeing this announcement today have decided I am going to create a new domain and provide the same services with a guarantee that I will not sell out. I also plan to make the site 100% open source. If anyone is interested in helping out let me know please. I am far more of a sysadmin and installing the tools and such is easy but when it comes to writing the web UI and some of that stuff I am at a loss. This might take me a few weeks or a few months but even if I do it myself I plan to learn everything I can to make a functional site. It might not look good but it should at least fill the need that was lost.
$50 a month for unlimited Let’s Encrypt wildcards is a scam. I am now left scrambling at a small organization to figure out and find an alternative as we have certificates expiring in less than 3 weeks.
Server is coming online, small to start since this is proof of concept and a whole lot of learning for me. I also purchased a domain that I think is fitting and started the matching GitHub repo. Time to start cracking I guess.
As if we needed another reason that such sites were always a bad idea–aside from the security questions, when you’re relying on a third-party service, they can change the rules whenever they want to:
How can we help?
You can try www.shieldsigned.com.
I understand your frustration - when something was completely free and then it’s not, that would make quite a few people unhappy. However, I think it makes sense to be constructive and avoid somewhat misleading statements. For instance, while the pricing (of any service really) might be in general debatable, it is normally built on offering a set of features/services rather than just one specific feature. Then, when compared to the set of features/services offered by competitors and what exactly might be needed in the specific use case, the decision is taken whether it is suitable or not.
Just to illustrate on something not SSL related - I might not agree with how certain mobile phones are priced, but that does not mean they are not finding their audience - whether because of having certain features people want or additional services/benefits attached. So while I could say “Hey, they are charging $XXX for making phone calls”, that would probably be a rather misleading statement
Again, I’m getting where you are coming from. It is also nice to see that you decided to invest time and effort into something that you believe will offer an alternative. Just keep in mind that it does not stop with the initial release - keeping the product up to date and supporting it is also quite a lot of work. But it is a rewarding experience nevertheless and a chance to learn something new indeed. So good luck!
This post actually highlights one of the problems with establishing a site offering such service - trust. When I built ZeroSSL at the time, its web-based client was not the first client I made (it was a Perl one). And I understood that web client implementation would be important - people would have to trust the site with the data, so the site would have to respect that and the client would have to be built as a zero-knowledge app. No trackers on site (not even Google Analytics), everything operating within a browser with no data sent to the server, no whois privacy for the domain, providing a clear info as to who built it and how to get in touch, etc.
And that brings us back to the advertised site - apart from not working right (which highlights the issue with QA testing of the functionality) and having spelling errors, it has no information as to who made it and why (and the domain itself has been registered just 3 months ago and is using whois privacy). It is also not configured correctly in terms of SSL configuration (for instance, TLS 1.0 is not PCI DSS compliant since 2016), which is rather alarming.
I believe whether it is just this service or any new service that could be built (like StrifeJester’s perhaps), that part of ensuring that the site can be trusted is just as important as the actual technical implementation.
It’s also not the same product, as I understand it they now deliver their own certificates, not Let’s Encrypt certificates.
I guess the frustration was more about the pricing rather than who issues the certificates. For a “hobby project” with just one maintainer, for example, issuing own certificates is not usually the path taken, considering the costs, resources and risks associated. But when the project grows, that makes sense, so it would be interesting to watch.
I’m repeating myself here, but it’s important. Web-based clients have always been a bad idea. Let’s Encrypt have consistently said they’re a bad idea. They’ve always been completely incompatible with the way Let’s Encrypt is designed to work, which is why LE have refused to develop one themselves. Not to mention the security concerns (it can be done securely, but most users won’t be able to verify that), and the fact that you’re at the mercy of yet another third party who can change the deal whenever they choose (which seems to have happened here).
So the most popular web client has suddenly become much less usable. This is a good thing. The appropriate response to this is not “build another web client,” but to stop using the web client and instead use Let’s Encrypt as it was intended to be used.
Thanks for highlighting the points that are not relevant to this post at all. Firstly, I have created this platform for other users who have been using SSLForFree for free over the last few years. They do not offer Wildcard certificates for free anymore because of their ‘partnership’ with ZeroSSL. This leaves many others who have no knowledge of creating an SSL certificate themselves with acme-clients/http-based approach helpless. This also forces them to end up buying something from private CAs.
I needed a web based client myself and I realized others might need it too. This is the easiest way to obtain an SSL certificate in my opinion and it works. Coming to your point of credibility - I have been a software developer over the last 12 years and I have a fair bit of knowledge myself on the risks of using a web based certificate generator. Thanks for looking up TLS 1.0 just to make a statement. Fixed it and the server now runs with support for TLS 1.2 and TLS 1.3.
No one really cares about where you buy your domain names and the cheapest just works. SSL certificates are similar. They are just a necessity without a preference on who is issuing them for 95% of the websites over the internet. The rest 5% are enterprise, payment gateways and others who have to pay extra attention to who and what is transmitted over their network. You can charge them with the exorbitant/irrelevant $50/month.
I do not even wish to bother responding on the ‘spelling errors’ or ‘not working right’ - these are juvenile points that do not even address the main issue in discussion here. Rather than defending the situation, I see it best that you address the larger issue at hand here.
To others who are following this post - You can still use the platform I created without ever getting charged. You can take my word for it.
You are suggesting to use a site (and without any indication that it is actually your site in your very first post) which bears no information whatsoever about its author, badly configured (you are offering SSL certificates, so you might have taken care about at least that), sees any domain name typed in caps as the “bad one”, etc. And while you might believe that the matter of trust is “not relevant” at all, it is.
I will ignore the rant where you are dismissing obvious issues with the site advertised - after all, I’m not your QA, and you should be capable of doing some testing with 12+ years in software development. You will find your users anyways, there is no doubt of that, but if you prefer not to care about how it is done, it is your choice indeed. Seeing the overall tone of the response and the “juvenile” remarks though, I do not believe it will lead to any constructive dialogue, so please keep your word and do not “bother to reply”
@leader – you have made a choice and people should respect it.
SSLforfree.com was the first site/ACME Client I used and wrote most of my articles on it
The ACME protocol is open source and Let’s Encrypt provides a testing endpoint.
There are many sample clients so people can choose to go down the road of writing one
I think it’s not always fair that the client writers get such a hard time.
There is testing, writing, keeping up with updates. All of these are time consuming activities and I don’t see issues with people charging for them (for example many other clients have a freemium model)
Thanks for all your work over the last few years, you have always been proactive and responsive with queries.
All the best in your future plans
Seeing that the SSLForFree is no longer the right choice for my needs, does anyone know if there is software I can run which will provide the same or better functionality as SSLForFree previously had? I have a few domains I use for testing and would like to have the certificates renewed after 3 months. I usually create the certificates and then install them manually. I don’t want to run certbot or the like on every machine; I’d prefer to have a centralized location where I can renew the certificates.
Any suggestions would be greatly appreciated.
Just about every client that exists has a “manual” DNS mode that will prompt you to create the DNS TXT records necessary for validation. Most of them can also just get the cert and not try to do anything with it. So install your choice of client in your centralized location, do everything manually, and you’re good to go.
If you choose a client that has built-in support for your DNS provider, it’s even easier because you won’t have to create the TXT records manually. You can just set things to auto renew and then go pick up your new cert files whenever you need them.
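Added example, not part of any post in this thread and not code from any client named in it: what a client's manual DNS mode asks you to publish, derived as RFC 8555 and RFC 7638 specify, plus a check that the record is served everywhere before validation is triggered. The JWK, token, host names and function names are constructed for illustration; only the public half of the account key is involved.

```python
import base64
import hashlib
import json

# Constructed sample values: not a real account key or a real CA token.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "q3VzZWQtb25seS1mb3ItdGhpcy1leGFtcGxl", "alg": "RS256"}
SAMPLE_TOKEN = "constructed-token-0123456789abcdefABCDEF"


def b64url(data):
    """Base64url without padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk):
    """RFC 7638 thumbprint: SHA-256 over the required public members only."""
    members = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_record(identifier, token, jwk):
    """Return (record name, TXT value) for one DNS-01 challenge (RFC 8555, 8.4)."""
    # A wildcard identifier is validated at its base name.
    base = identifier[2:] if identifier.startswith("*.") else identifier
    key_authorization = token + "." + jwk_thumbprint(jwk)
    value = b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())
    return "_acme-challenge." + base.rstrip(".") + ".", value


def ready_to_validate(expected, answers_by_ns):
    """True only when every authoritative server already serves the value."""
    return bool(answers_by_ns) and all(
        expected in [txt.strip('"') for txt in answers]
        for answers in answers_by_ns.values())


if __name__ == "__main__":
    name, value = dns01_record("*.example.test", SAMPLE_TOKEN, SAMPLE_JWK)
    print(name, "IN TXT", '"%s"' % value)
    # Constructed resolver answers: ns2 has not picked up the record yet.
    answers = {"ns1.example.test": ['"%s"' % value], "ns2.example.test": []}
    print("safe to trigger validation:", ready_to_validate(value, answers))
```

Because the TXT value depends only on the CA's token and the account's public key, the private keys can stay on the centralized host and only the finished certificate files need to be copied out.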