ACME v2 and Wildcard Certificate Support is Live

The reason we haven't announced an EOL for ACMEv1 is that we won't announce one until we are confident we won't cause the kind of meltdown you describe.

If the EoL is far enough after the release of V2 then I think it is preferable that people start getting security warnings for sites that stop working: it is an indication that they are no longer maintained so potentially not receiving security updates for other matters.

Obviously a decent length of grace period would be the correct way of deprecating the older version, to give people time to update their infrastructure accordingly. I would suggest at least a full year (giving at least four renewal cycles to test changes in a QA environment before being forced to update production), probably more. Perhaps, if possible, a year for new certificates and two years for renewals?

Since the certificate need to be updated every three months they have access to exact number of how many people use ACMEv1. They also have as naturally part of the process the domain names of those users. This should allow them to very slowly watch as the number of v1 users drops until there is so few that they can try contact any remaining users before deciding to set an end-of-life to that version.

When you run the Let's Encrypt official client (certbot), it updates itself.

They already disabled TLS-SNI-01 for new certificates because of security issues [1].

This was a major breaking change, without any advance notice, but nothing melted down.

I'm sure the other validation endpoints are used a lot more, but the effect shouldn't be any different, especially if give a deprecation notice of a year or two.

[1]: https://community.letsencrypt.org/t/important-what-you-need-...

Depends only on how much different v2 is from v1.

Going to reply to my own comment here.

It's at this point that I swear profusely at Microsoft yet again, for pushing the concept of '.local' domain suffixes a decade ago. As it's not a legal TLD, I can't get certs for any of my internal services without rolling my own internal CA, which only works automatically for Windows domain machines, and not for anything else.

Just remember that the cert will be logged (Certificate Transparency) so any names there will be disclosed to the public. Wildcards help a little here though.

You could do this before too, without wildcards.

Thanks! This looks awesome. Can i automate it as well?

I have been toying a little with wildcard using certbot on my Ubuntu OpenVPN appliance, but was a bit unsuccessful at the moment.

Maybe i should just try and build a very tiny virtual sever that does nothing but spit out a wildcard domain certificate to some predefined destinations to have it used in anything that wants a certificate. Could be beneficial to a (large) infrastructure to have an always-ready certificate to use for free. Dunno if EV validation will uphold though.

acme.sh is great because it support manual DNS mode. It also way easier to use compare with other similar client. This is all it takes for me.

./acme.sh --issue -d noty.im -d '.noty.im' --dns

It then told me to add TXT record, which I just manually do because I used RackSpace cloudns which has no built-in support.

I manually verify DNS with dig, when it's ready I just do:

./acme.sh --renew -d noty.im -d '.noty.im'

then the cert(private key and full chain) are stored in ~/.acme/noty.im/

These privateky and fullchain can be used directly with nginx without any modification.

My suggested amount: recurring donation of $19.84 per month.

> I recon some of these providers are going under soon?

I really hope so.

The cost to providers is exactly the same for a wildcard and a standard certificate, and yet they costs hundreds of dollars. It's unbelievable it's lasted this long

If it was up to me, even right now.

This is great news!

I don't know. Will Letsencrypt also replace EV certificates?

I'll happily pay money to get a cert that expires in 3 years instead of 90 days. Some of us don't feel like faffing about with cert renewal every quarter. (I know there are tools and clients that can "make it seamless" - until the ACME endpoints are down or something).

I never understood why DNS providers are so reluctant to offer standards-based access, like nsupdate(1). It's easy to set up, it can do everything, it's secure, requires no custom anything and it just works.

Take a look at https://github.com/AnalogJ/lexicon. It's a python library that provides standardized, programmatic access to DNS entries for a bunch of major providers.

I started using Cloudflare just for their DNS API - the dynDNS providers baked into my router's firmware went under so I started pointing the DNS record to my home dynamic IP with a cronjob that called CF's API.

The good news is that most of the major providers already have integrations into clients like lego: https://github.com/xenolf/lego/tree/master/providers/dns

Use Terraform to manage records. They have support for lots of DNS providers (AWS Route53, Google Cloud DNS, Cloudflare, DigitalOcean, Azure DNS, DYN, DNSMadeEasy, NS1, UltraDNS, PowerDNS).

Store your DNS records under revision control, and updating your records can be as simple as a "git commit && git push".

https://dns-api.com/

is it common for DNS hosts to provide delegated access at the granularity of individual records?

I don't want my webserver to have the ability to change my entire zonefile just so it can authorise certificates!

I'm intrigued. What kind of app that you could host on heroku requires wildcard certificates? Bearing in mind that heroku can't really support wildcard subdomains for a single app. Each custom subdomain for an app needs to be added to the app. And then if you enable Automated Certificate Management for the app (which uses LetsEncrypt under the covers), they'll happily fetch a cert for each listed subdomain.

And Heroku already supports wildcard certs (that you need to provide yourself) if you use the SSL addon.

I have a feeling they've been working on this. Their https support has always been top notch!

The only significant concern I have is that if LE were to essentially "take over" the CA industry, you know, due to being free, and awesome, we'd have a massive single point of failure for the entire Internet's security model.

My biggest peeve with the whole "HTTPS Everywhere" push is not the general notion of using encryption, but that the encryption is annoyingly coupled with the CA system, which is terrible for many reasons.

The one that always sticks out is the certs’ extremely short expiration period. The IMHO weak rationale for this was mentioned in another thread here (See jjeaff‘s response upthread).

It would be nice if they simply offered two choices:

1. I love automation! Give me a 90 day certificate.

2. I understand the security trade-offs. Give me a 3 year certificate.

The service is great, but they're really the only free SSL cert game in town. As more sites start using their certs, they'll wind up becoming a single point of failure.

They won’t ever issue EV certs.