We built a free CDN that auto-provisions LetsEncrypt certs, what do you think?


#1

Hey guys!

We built Kloudsec, a free CDN that automatically provisions (and renews) LetsEncrypt certificates for your domains.

How to get LE cert on your site?

  1. Get on Kloudsec’s CDN by pointing your domain name to our CDN’s IP address

  2. Enable One-Click Encryption plugin in the dashboard

Once it is ready (it will be in a few mins), you’ll get an email. You can log into the dashboard to access and export the cert too :slight_smile:

Here’s Kloudsec.

## What do you guys think?

PS: Chat with the Kloudsec team on our Telegram chat group


#2

Your post is kinda spammy to me, that’s what I think :wink:

It’s great people implement Let’s Encrypt in their product, but in my humble opinion, your post screams 99% “spam!” and just 1% “Let’s Encrypt”. Your screenshot isn’t even from the Let’s Encrypt implementation…


#3

Amending it as we speak. I apologise for this! My honest intention is to offer an alternative “client”, in this case, a CDN service, to get LE certs.

EDIT: Amended.


#4

:slightly_smiling:

Well, I’m assuming your main intention is to deliver a CDN :wink: If a user intends to use the CDN “for real”, it’s no problem that the CDN itself generates the private key, as it needs this to act as a TLS endpoint. But if a user only uses your service to get a certificate and consequently doesn’t use your CDN service any longer, I’m not so enthusiastic: private keys should only be known by the people and/or services which really need to know the private key.

So my suggestion would be to emphasise the “Look, we’ve added Let’s Encrypt functionality to our CDN!” (a few screenshots on how the implementation works would be nice!) without too much emphasis on the “Look, we offer a CDN!” part, and not so much on the “You can use our service to get a certificate, even without using our CDN!”, as the latter would be a bad implementation as a 3rd party has the private key. :slightly_smiling:

And yes, I am pretty critical when it comes to cryptography :wink:

And again, it’s great if Let’s Encrypt is being used out there, don’t get me wrong. I very much like the fact you bother to implement it! Kudos! It’s just the way of putting it out there :stuck_out_tongue:


#5

Thanks for integrating Let’s Encrypt with your CDN, @kloudsec_steven.


#6

@schoen, just curious, are you part of LE’s team? Is it possible for us to negotiate a higher quota for our implementation of LE since we’re deploying LE for users?


#7

@kloudsec_steven, which part of the rate limiting are you having trouble with?


#8

The most important aspect is the IP restriction, since we have a single Anycast IP validating all the LetsEncrypt challenges.

The second is the 5 subdomains for 7 days.

Internally, it is so easy to get an SSL cert that we dogfood all our sites, including subdomains, etc., with LetsEncrypt certs merely by pointing the IP address to our CDN. And that has definitely exceeded the 5 subdomain restriction.

Do you have an email that I can email you regarding this?

Thanks!


#9

Well, you could try to make SAN certs (like add 100 names to a cert) and it will just count as one cert.


#10

That’s a possibility. But given that there is LetsEncrypt, I was hoping for a better alternative :slight_smile:


#11

Well, for LE the only choice you have is SAN; they won’t give you wildcards, sadly.


#12

I don’t really see the problem. As far as I can tell from your website, you’re not a webhoster hosting multiple sites with a common domain name for each site’s hostname, correct? Users with all kinds of hostnames (and different domain names) can use your CDN.
So if you’re hitting the 5 certs/7 days rate limit because some of your users are using a common domain name, the only solution would be for LE to lift the rate limits entirely, for everyone, as everyone can be a customer of your CDN. And that’s not very likely to happen in a short time from now as far as I know…


#13

AFAIK the limit is “5 certs per domain per 7 days”. If you’re hitting it, that would mean you or your customers haven’t made up your/their mind and are requesting the re-issue of certs for the same domain more than 5 times per 7 days.

Perhaps a solution would be to offer test certs (–test-cert, --staging) for people to mess around and check out your service, and only issue a real cert when they are happy with their setup.


#14

You’re right actually. I just realised that the throttle per IP has been lifted to a really reasonable number. So I guess we can consider this issue closed.


#15

That’s also only a problem if you generate a new account key for every certificate you request… But it should be very much possible to use a single account key. So the X registrations per Y hours for a single IP wouldn’t be an issue.
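The rate-limit discussion in #9, #12 and #13 (SAN certs count as one cert; the limit is 5 certs per registered domain per 7 days) is easy to get wrong when a CDN issues certificates for many customer hostnames at once. The following is an added planning example, not Kloudsec’s code and not part of the thread: it groups hostnames by registered domain, packs them into SAN certificates, and checks the resulting number of issuances against a constructed issuance log before anything is requested. Assumptions: the registered domain is approximated as the last two DNS labels (a simplification that ignores public-suffix cases such as `co.uk`), and the constants `CERTS_PER_WINDOW = 5`, `WINDOW = 7 days` and `MAX_NAMES_PER_CERT = 100` are taken from the figures quoted in the thread rather than from current policy.

```python
"""Plan Let's Encrypt issuance for a batch of hostnames while respecting a
per-registered-domain rate limit. Added example; values below come from the
thread, not from current Let's Encrypt policy (assumption)."""
from collections import defaultdict
from datetime import datetime, timedelta

CERTS_PER_WINDOW = 5          # "5 certs per domain per 7 days" (thread figure)
WINDOW = timedelta(days=7)
MAX_NAMES_PER_CERT = 100      # "add 100 names to a cert" (thread figure)


def registered_domain(hostname: str) -> str:
    """Approximate the registered domain as the last two labels.
    Simplification (assumption): ignores multi-label public suffixes."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError(f"not a usable hostname: {hostname!r}")
    return ".".join(labels[-2:])


def group_by_domain(hostnames):
    """Map registered domain -> sorted, de-duplicated list of hostnames."""
    groups = defaultdict(list)
    for host in sorted(set(hostnames)):
        groups[registered_domain(host)].append(host)
    return dict(groups)


def pack_san_certs(hostnames):
    """Split one domain's hostnames into SAN certificates of at most
    MAX_NAMES_PER_CERT names; each chunk counts as a single issuance."""
    return [hostnames[i:i + MAX_NAMES_PER_CERT]
            for i in range(0, len(hostnames), MAX_NAMES_PER_CERT)]


def remaining_budget(domain, issuance_log, now):
    """Issuances still allowed for `domain` in the sliding window.
    issuance_log: iterable of (registered_domain, datetime) pairs."""
    recent = sum(1 for dom, when in issuance_log
                 if dom == domain and now - when < WINDOW)
    return max(0, CERTS_PER_WINDOW - recent)


def plan_issuance(hostnames, issuance_log, now):
    """Return, per registered domain, the SAN certs that would be requested,
    how many issuances that costs versus naive one-cert-per-host, the
    remaining budget, and whether the plan fits in the window."""
    plan = {}
    for domain, names in group_by_domain(hostnames).items():
        certs = pack_san_certs(names)
        budget = remaining_budget(domain, issuance_log, now)
        plan[domain] = {
            "certs": certs,
            "needed": len(certs),          # SAN-packed issuances
            "naive": len(names),           # one cert per hostname
            "budget": budget,
            "fits": len(certs) <= budget,
        }
    return plan


# Constructed sample data (not real customers or real issuance history).
NOW = datetime(2016, 3, 1, 12, 0)
SAMPLE_LOG = [
    ("example.com", NOW - timedelta(days=1)),   # counts against the window
    ("example.com", NOW - timedelta(days=3)),   # counts
    ("example.com", NOW - timedelta(days=6)),   # counts
    ("example.com", NOW - timedelta(days=10)),  # outside the 7-day window
]
SAMPLE_HOSTS = ([f"site{i}.example.com" for i in range(250)]
                + ["www.example.net", "cdn.example.net"])

if __name__ == "__main__":
    for domain, entry in plan_issuance(SAMPLE_HOSTS, SAMPLE_LOG, NOW).items():
        print(f"{domain}: {entry['needed']} SAN cert(s) instead of "
              f"{entry['naive']}, budget {entry['budget']}, "
              f"{'fits' if entry['fits'] else 'would hit the rate limit'}")
```

The useful output is the `fits` flag per domain: a batch that would exceed the budget should be held back or spread over a later window rather than submitted and failed, which is also where the suggestion in #13 to rehearse against the staging environment first fits in.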