I'm also really interested in knowing if there are issues that could arise or people that annoyed by this kind of automatic conversion and why. What are your thoughts ?
That would be a problem (provided that CAA working as expected can be qualified as a problem) if the original certificates were still valid. But with expired certificates, there is nothing to lose.
Let's Encrypt obeys CAA, if you try to validate for a domain which has a CAA record saying e.g. "Only Symantec may issue for this domain", Let's Encrypt's software will reject the validation. Current Baseline Requirements don't require this of a CA (they're required to document what they do with CAA but most picked "soft fail" ie they will issue but maybe do extra scrutiny) because they feared it would be used somehow in an anti-competitive way.
Client software like Firefox, or Internet Explorer, ignores CAA altogether, as described in the design of CAA.
It could also complicate matters when renewing certs. If I forget to renew my SSL, it gets replaced with Let's Encrypt, and then I go to renew it and the system gets confused because it looks like I already have a cert from another provider.
In both cases, ample warning and notification will help, and opt-in rather than opt-out will totally alleviate the issues.
Could you describe what kind of concerns you're thinking about that would be Let's Encrypt-specific and that would only affect you if you actively use a Let's Encrypt-issued certificate? Generally speaking, a CA key being compromised would affect everyone (unless they use key pinning mechanisms like HPKP, which doesn't get a whole lot of real-world use at the moment, and probably close to zero usage from customers using a shared web hosting plan unless the provider takes care of it). You don't need to actively use a CA to be affected.
> It could also complicate matters when renewing certs. If I forget to renew my SSL, it gets replaced with Let's Encrypt, and then I go to renew it and the system gets confused because it looks like I already have a cert from another provider.
CAs typically don't care about whether you already have a certificate from a different provider (I mean, why would they?), or were you thinking about possible limitations in OVH's system? In that case, this only seems like an issue if they indeed have no way to replace the certificate once it's been enrolled with Let's Encrypt.
There is no way to induce a vulnerability by using an incompetent or malicious CA, provided you generate your own, strong private key. Even issuing an MD5 or SHA-1 certificate cannot actively harm your visitors unless a second preimage attack is developed against the algorithm (in which case, again, everyone is screwed, not just you).
In any case this should be an opt-in service (for the lazy).
I haven't really played with it yet, but I know it mentioned no way to revoke the certs. So felt a little half baked but it seems like a step in the right direction to move everything to SSL. Probably just a early iteration right now, so probably will improve over time.
If you don't pay for the renewal, pinning _probably_ is broken anyway (unless you somehow pin a cert, but ignore validation. In which case you should've used a self-signed cert from the start, I guess).
Honestly, I cannot see a downside to this. People that won't pay the CA mafia will get a cert for free. TLS everywhere. The internet wins.
