Let's Encrypt has turned on stricter validation requirements

Regardless of what you end up using you need to have your own monitoring if you care about availability.

My own monitoring always alerts if certificate chains don't validate, HTTP->HTTPS redirection is dead, or if the certificate is due to expire in less than 10 days.

The various tools for interacting with Lets Encrypt might fail sometimes, but if you have monitoring you can fix them up as required - and without monitoring you'll in trouble regardless of who you use.

Same here. I had them running for a small informational website, and they took the site down for several days via surprise cert problems. I may switch to a paid provider.

The big cloud services offer solutions for that, although with some caveats. AWS for example creates a cert free of charge with automatic renewal, but it won't give out any private keys. So TLS is terminated at their load balancer, which you would have to use to my knowledge. I just hope Amazon is too rich to conduct widespread industrial espionage.

I actually don't know if that works with domains not managed by them, but I believe so.

Sadly, certs from big CAs are pretty expensive these days... Let's encrypt is really awesome service to counter that.

Not used them in production (only in my toy projects) but I’ve heard decent things about this https://www.buypass.com/ssl/products/go-ssl-campaign

They use the same acme system as LE so depends on what failed for you for it to be a viable alternative (if the certbot failed for example then it might of failed using buypass in the same way as it would of failed under LE)

I wonder how did it break for you? I've set it up once and it has been running off a cron job for months now (ACMEv2 + DNS auth plugin).

> but they’ve broken all of my certs...

What happened? Was it their fault or yours?

a regular certificate.

For example you could buy a Sectigo (previously Comodo) certificate for 2 years for like 17$ or so. Wildcard for 2 years is like 100$.

Its worth less than a broken certificate.

>Today all of the above is possible with certificate transparency logs, but nobody looks in them, so they're useless.

I check mine once or twice a month manually, but it is pretty trivial to monitor it automatically as well, e.g. there are APIs for crt.sh or they even offer direct public read access to their database.

I believe certificate users should remain responsble for their own monitoring. Alerting as you say would be very annoying since you couldn't preemptively replace certs without getting alerted unecesarily, and it would divert Let's Encrypt developer resources away from more useful projects.

How can someone "reference" an old certificate with CT data? CT logs only contain precerts and certs, right?

I suppose one could compare the public key of two leaf certificates, but reusing the private key is also a bad practice.

From CA end, it could check if the certificate is requested from the same account key. One can even use a DNS record to public the account keys (CAA + TLSA).

And for background on the multiple perspectives validation approach:

http://www.cs.cmu.edu/~dga/papers/perspectives-usenix2008.pd...

It doesn't "resolve" BGP attacks. The point is an attacker would have to pull off three or four successful attacks at once, which is harder than pulling off just one, especially if they hope to go unnoticed.

If the domain is hosted on a /24, then more specific routes will be filtered out by default in most ASes. Also, with the increasing adoption of RPKI, in conjunction with its maxlength option, more specific attacks will be a challenge for adversaries.

Wouldn't an attacker be able to create a self-singed cert just as easily?

Sounds like the TLS-SNI-01 challenge that had a fatal flaw in some circumstances: https://community.letsencrypt.org/t/2018-01-09-issue-with-tl...

Wait... How does letsencrypt know who is giving them the public key cert?

You don't need any update.

It's not going to make it easier, but if you can already answer challenges - then it won't make it any harder.

You just don't stop answering challenges until the cert gets issued.

I don't know why anyone would have stopped answering challenges after the first request anyway. Surely the default assumption should be that everyone has network & processing failures, and hey maybe ACME would need to check again if something broke before the cert was signed.

You should check out https://community.letsencrypt.org and ask for help there!

How does it make it any more difficult?

I hear this often and also had issues with this. Shameless plug for my project, Certera. Solves that problem and much more.

https://docs.certera.io

If you or your company has enough money for a web farm, you should just buy your own cert.

No changes are required, unless you had some kind of IP restriction on who your server may be contacted by. Which your simple static site is probably fine with.

The answer is in the article.

I have my certs issued to a VM this is not accessible via HTTP(S) anyway, just DNS. It runs a small DNS server which answers to _acme-challenge.* requests "forwarded" via CNAME. As that is the only part of is visible to the rest it has a very small security surface to worry about. It then pushes out the keys & certs to the places that need them (directly in the case of local machines, less directly for some others).

I set that up originally for a wildcard, as http validation is not supported for them and I didn't fancy mucking about automating updating the main bind instances, but it is convenient for the others too and will be unaffected by these changes.

Not a perfect solution for everyone of course, copies of all the keys are in one place for one thing, and it all in one place could be bad or good for maintenance (single point of failure, but single service to monitor & maintain), but worth considering if you expect problems with http validation.

> some countries and their IP ranges just need not access my server

I'm guessing that they won't be using locations that are commonly blocked in this way anyway. And if they do happen to use one, you may be fine as only two of the three external checks need to be responded to.

And how does filtering on the IP range of a country prevent traffic from that country? Or are you also blocking every known proxy and VPN service? Are you sure that your strict firewall even provides the security you wish it did?

Either way, letsencrypt will probably have a somewhat fixed pool of these challenge validation IP addresses/ranges, so adding those to a white list should probably work with a strict firewall.

Then use a different method of validation, like DNS?

You can use pre and post renewal hooks in order to temporarily disable those firewall rules.

You could just loosen the firewall for a few minutes before and after you requested DNS validation.

Yeah, looks like you have created a problem there for yourself. Back to other SSL providers for you, then. Unless you want to jump through some hoops.

I’m with you I have China completely blocked from my servers. There is no reason for anyone in that country to access my apis

It took me three tries with scripts enabled; perhaps they're overloaded.

(Taking 5MB and 2s to send 500 words of text can do that, but since the primary audience of Let's Encrypt is web folks, there's some schadenfreude in my weltschmerz.)

Works fine for me, uMatrix with javascript disabled by default.

Edit: Ah, upon testing it breaks if you have 1st party JS allowed but not 3rd party. This is pretty reasonable in my opinion.

Here you go, read the source. https://raw.githubusercontent.com/letsencrypt/website/master...

It works for me with NoScripts blocking the two js requests it tried to make.

Well, it works if all scripts are disabled (at least for me).

Is that because assets are hosted in a CDN?