undefined | Better HN

0 pointsjoering28y ago0 comments

Lets Encrypt provides wonderful services, but don't forget in business when something is free, it might end up costing you money.

Not only these certs are for 3 months, but what if their renewal services have hiccups. Not wishing them anything bad, but I can imagine that for whatever reason (including root cert being invoked if they happen to encrypt sites that normally wouldn't do like c.p.) I imagine that 35% of net rushing to a local cert provider to get a paid solution or face no traffic to their site at all.

Besides, the times of Thawte's 1999 when single cert was $150 are long gone; you can get a decent Comodo for $4.99 per year these days.

0 comments

7 comments · 2 top-level

vertex-four8y ago· 3 in thread

Due to the lack of automated renewal procedures, I've seen many more small websites die for a day or so once a year with "traditional" certificates (when people forget to manually renew) than those with certificates maintained via letsencrypt.

The actual solution to this should be for any of those providers to provide the ACME certificate management protocol, and then if letsencrypt fails, I can point certbot at it.

wastedhours8y ago

I was always on that end - in a distant-ago job I'd somehow fallen into a position of looking after a server box for our subdomain that was under someone's desk.

Every year I'd preempt it and email our procurement and IT teams asking for a renewal months in advance (knowing the red tape means I'd get it JIT).

And, every year it wouldn't be renewed or bought until the day after expiry when I had enough complaints from people to light a fire under someone's arse.

The whole cert-package back and forth was a nightmare, am glad LE exists with auto renewals (or even manually pushing a renewal with one line is easier than the old).

Fnoord8y ago

There's always going to be stuff which is automatically renewed while you don't want to, or stuff you need to manually renew when you have to.

I have a wonderful suggestion for anyone who wants to combat this problem: put the end date in your agenda! If you're a busy person put multiple notifications about it, or learn to look in advance in your agenda.

vertex-four8y ago

I don't think there's any situation I've seen where I don't want my certificates to be renewed. As a sysadmin, the more repetitive tasks I can automate, the better.

1 more reply

cm21878y ago· 2 in thread

Wildcard certs are still expensive. And convenience of an automated process plays a big role. CA have been asleep at the wheel, not improving their products and offering a convenient way to manage the renewal.

joering2OP8y ago

Define expensive? https://www.cheapsslshop.com/ sells wildcards for $56 with easily to find discount code CMDWCXM25.

If you need wildcard most likely your have some sort of production platform and probably make some profits, at least $5 a month for a cert.

Full disclaimer: have nothing to do with cheapsslshop but been their happy client for few years now.

gregmac8y ago

Totally agree. If CAs were smart they'd be implementing the ACME protocol, and attaching it to their (paid) backend systems. There's value to be added like longer expiry times and long-term assurances, a centralized management portal, wildcard and EV certificates, and higher (or no) re-issue limits that would go a long way to getting businesses using it.

j / k navigate · click thread line to collapse