Wrote this article

I wrote this article about let's encrypt, wanted to share it, feel free to fact check it.

5 Likes

Making the one and only free SSL/TLS certificate service

I know of at least one free CA that existed prior to both ACME and Let's Encrypt (though the name escapes me at the moment). Currently, there are at least 2 free ACME compatible CAs (BuyPass and ZeroSSL) in addition to Let's Encrypt. You might want to tweak the wording here a bit.

4 Likes

I was aware of ZeroSsl, but I thought they shut down. BuyPass I've never heard of, thanks!

1 Like

CAcert perhaps? That's the only free CA prior to LE I know of. But their root isn't publically trusted..

3 Likes

As far as I can remember, StartSSL (StartCom) and WoSign issued free certificates. StartCom didn't end very well and WoSign continues issuing free certs today.

3 Likes

That's correct. StartCom was issuing free certificates long before Let's Encrypt, though it was a bit challenging to get them.

2 Likes

Ah yes, StartSSL, I remember now, had a cert from them too once. From Wikipedia:

While certificates were free and unlimited for certain uses, there were limitations imposed unless an upgrade is purchased:

  • Three-year certificate validity
  • Certificate revocation requires a fee

:rofl: :sob: Very strange business model, especially regarding their decision when Heartbleed came along.

4 Likes

Getting them was "easy", just answering a mail sent to the mail address in the domain's whois but it was very limited regarding the domains you could issue and also, it was only valid for non-commercial sites, even if your site had a paypal donation banner or similar they could revoke or charge money for the certificate, also, if for whatever reason you wanted to revoke the certificate you should pay for it.

Note: I got a few ones of their certificates :wink:

But yes, the overall experience was a pain so when in 2014 I heard the first news about Let's Encrypt I knew it was going to be a milestone in the history of the internet.... and I was not wrong :wink:

4 Likes

I always liked that StartSSL dared to use client certificates in the browser for authentication to the control panel. Only one I ever saw in the wild really. Oh well, we have WebAuthn now!

5 Likes

Yes, the idea was ok, but I had a lot of problems to get it working :smiley:

4 Likes

Until you lose said client certificate :roll_eyes: I remember I was quite "stressed" about that :stuck_out_tongue:

ACME really is a big step up!

6 Likes

ZeroSSL never shut down, they just stopped using Let's Encrypt certs (they're using Sectigo/Comodo instead) and have greatly limited what a user can do for free.

2 Likes

There are limits to issue certificates using the web client but there are no limits using any other acme client.

3 Likes

Sure--but since "the web client" was, for a long time, all ZeroSSL was (and I suspect it remains today what it's most known for), I think it's accurate to say, as I did, that they've "greatly limited what a user can do for free." If you have the ability to run a software ACME client, there's little reason to be using ZeroSSL over Let's Encrypt (or, for that matter, Let's Encrypt over ZeroSSL).

1 Like

Well, to be precise, the "web client" was just the part of what ZeroSSL was offering at the time, though probably the most popular one. The "regular" client application, both in sources and binaries (including Docker images) was also there and that never went away, still being maintained by myself.

3 Likes