Why Pay for SSL Certificates?

Daniel · November 29, 2019, 6:08pm

Do some people still pay for regular SSL certificates even though Let’s Encrypt exists?

I’ve never seen BuyVM offer a Black Friday deal, or any other deal for that matter.

anon40039896 · November 29, 2019, 6:09pm

This is a Wildcard SSL cert

Daniel · November 29, 2019, 6:10pm

Let’s Encrypt does wildcard certs, I’m using a few myself.

anon40039896 · November 29, 2019, 6:14pm

Wolveix · November 29, 2019, 6:16pm

I can see the value in EV SSL certs, but that’s about it. Anything else can easily be accomplished with LE.

anon40039896 · November 29, 2019, 6:16pm

Let’s encrypt uptime benchmark

Commercial CA’s still have higher uptime (and EV ofcourse).

Daniel · November 29, 2019, 6:33pm

Thanks to whoever split this out into a separate thread… I guess I was going a bit offtopic

EV certs have questionable value these days though:

AFAIK, modern browser versions no longer shows the EV visual indicator that they used to, so there’s no visual distinction between an EV cert and a regular cert. The vast majority of users aren’t going to dig into the cert details to determine if it’s an EV cert or not.

titus · November 29, 2019, 8:05pm

I use the Let’s Encrypt certiicates for simple websites, wordpress, blogs, etc with certbot.
My problem is only the short certificate lifetime. I use certificates for applications too, for example IRC tools (IRC servers, ZNC, etc) which I not want to restart/rehash every 2-3 months. The automatisation for this process (and check it every time - it is worked?) is not easy for me. A cheap 1-2 year Sectigo (Comodo) SSL certificate is perfect for this.

Daevien · November 29, 2019, 9:29pm

If it helps, acme.sh is a pretty decent system thats light for managing letsencrypt compared to other options

Daniel · November 29, 2019, 11:44pm

Most servers have some mechanism to “reload configs” without actually shutting it down. If you’re using certbot, you can configure it to do that automatically when certificates are renewed using a deploy hook.

I wasn’t sure about IRC servers as I’ve never ran one, but the UnrealIRCd docs say that you can run unrealircd reloadtls to reload the cert, and have an example script for doing so. ZNC apparently reads the certificate fresh for every new client connection (see Don't reload znc.pem on every client connection · Issue #1215 · znc/znc · GitHub) so it shouldn’t actually be an issue with ZNC.

I actually like the shorter validity of Let’s Encrypt certs. It’s better for security if you periodically rotate your keys.

titus · November 30, 2019, 8:17pm

@Daniel @Daevien
Thank you for the ideas & advices!
I think this solutions will made easier to handle this problem for me.