HTTPS all the things! LetsEncrypt wildcard live today

I think it can be of interest for the ballers:

Certbot 0.22 is compatible with ACMEv2, and there are some other clients as well.

Domain validation is done with a TXT record

4 Likes

Woooooo! Time to celebrate.

If anyone has already tested this out, let us know how it goes. I’m very interested.

Just curious how does this work for sites with subdomains spread across different hosts? They all share the same wildcard cert, I’d imagine right?

1 Like

ACMEv2 clients available in their client list: ACME Client Implementations - Let's Encrypt - Free SSL/TLS Certificates

Excellent news!

1 Like

… Holly shitz… companies alike COMODO will be reduced to EV certs…

1 Like

At the very least it’ll decrease the inflated wildcard prices.

1 Like

EV’s are stupidly expensive. I mean, I get that the paperwork needs to be validated, but still, it’s a lot of money for a stupid SSL that shows our company name.

Best deal I could find was around 88 USD per year, and that’s from gogetssl.
Don’t actually recall the exact amount. We’ll need to be able to cover several domains so it’s even more expensive.

They used to have one priced at $30 something. Definetly less than $40.

It was a comodo EV, but I think the price was valid for only the first year. Yet it’s enought for you to tests its value for your bizz.

Contact them about it, I’m sure cause I ordered it. Comodo is a pain…

So what do I do with my previous sert? Before I certified www.example.com and example.com seperately.

Also I do not own that domain it was just an example. My website is still in production. Not ready for prime time.

I know, I contacted GoGetSSL, they no longer offer that one, ffs.

Their old API is still working, v1, that is, no EOL date has been set. At some point people need to use the new API, ACMEv2.

Just wait until you have to sign some code with an extended EV certificate, EV certificate doesn’t cut it past Windows 7. Yay.

1 Like

This could reduce the time cost of adding subdomains by several seconds.

Then destroy the gain by any amount of effort, even automated, to share the cert across multiple servers and ensure that each server has the updated version and is reloading service config as necessary.

I’m sure there’s a use case where it is the most productive option, I suppose especially when you don’t want each server on various subdomains to be accessible in the ways/ports/services necessary to validate the certificate, which probably already has you deploying the cert on one server and dragging to another, or temporarily deploying a web service or DNS record to validate.

What would be a better option for a multi-server site?

Well my thought there is that it’s wildcard so you’re expecting to add subdomains I’d think. I generate a new cert for every subdomain automatically and let the software manage it.

If it’s just one hostname across multiple servers then I don’t think it changes the process any.

Agreed. No real benefit unless you’re dealing with hundreds of subdomains and are going to hit their API limits per-domain with your checks/renewals. Could be useful for SaaS providers that hand out custom subdomains, but at that point they can afford a proper $XX/year wildcard and don’t need to deal with renewals every 60-90 days.

TYME IS MUNNY

One benefit I can see is to secure non-Internet facing subdomains

This! And non-standard ports or software. For example the unifi controller runs on funny ports