Fallback for Let's Encrypt - Free Automatic CAs

For many, Let's Encrypt has become an integral part of web development, and automatic certificate renewal every 90 days is a routine procedure. It is now the most popular certificate authority on the Internet. That is great, but also dangerous.



The question is: what happens if the Let's Encrypt servers temporarily stop working? I don't want to dwell on the possible causes of such a failure, but it is advisable to have a fallback ready, that is, an equally convenient, automated and free certificate authority.



Fortunately, fallbacks exist, at least two of them: free automated CAs modeled on Let's Encrypt.



ACME protocol



All communication with Let's Encrypt takes place over the ACME (Automated Certificate Management Environment) protocol, an open protocol for automating interaction with CAs. There is nothing in it specific to Let's Encrypt; it is supported by several other CAs.



More and more CAs are now starting to work through ACME. This means that almost all of our tools, scripts and processes for obtaining certificates from Let's Encrypt will work just as well with any other CA that supports ACME.



To switch to another CA, you only need to change the directory URL in your scripts from https://acme-v02.api.letsencrypt.org/directory (Let's Encrypt) to https://api.buypass.com/acme/directory (BuyPass, discussed below) or another CA's endpoint.



BuyPass



We need a CA that meets two criteria:

  1. ACME support;

  2. free certificates.

These criteria are met by the Norwegian CA BuyPass.



The free tier is called BuyPass Go SSL: automatic issuance and renewal of certificates plus ACME support, which is exactly what we need.



The whitepaper explains how to set up obtaining and renewing a certificate with Certbot, the official client from the Electronic Frontier Foundation for working with Let's Encrypt or any other CA that supports the ACME protocol.



Registering with the CA and obtaining a certificate from BuyPass is as straightforward as with Let's Encrypt; there is no difference in the procedure.



Register with your email address for notifications ('YOUR_EMAIL') and accept the terms of use (--agree-tos):



root@acme:~# certbot register -m 'YOUR_EMAIL' --agree-tos --server 'https://api.buypass.com/acme/directory'


Obtaining a certificate:



root@acme:~# certbot certonly --webroot -w /var/www/example.com/public_html/ -d example.com -d www.example.com --server 'https://api.buypass.com/acme/directory'


Later, the other Certbot subcommands are used as usual: revoke to revoke a certificate, renew to renew certificates that are approaching expiry, and delete to delete a certificate.



It is recommended to put the renew command in cron so that it runs automatically and checks for certificates due for renewal. For example:



# Cron job run as root every 12 hours at the given minute (e.g. 23; change this to your preference)
23 */12 * * * /opt/certbot/certbot-auto renew -n -q >> /var/log/certbot-auto-renewal.log
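A fallback wrapper for the CA switch described above (an added example, not from the article, Certbot or BuyPass): it probes each CA's /directory endpoint in order of preference and runs certbot against the first one that serves a valid ACME v2 directory. It assumes curl and certbot are installed and that an account has already been registered at each CA with the certbot register command shown above.

```sh
#!/bin/sh
# Added example, not from the article: probe each CA's ACME directory in order and
# run certbot against the first one that answers with a valid ACME v2 directory.
# Order = preference: Let's Encrypt first, BuyPass as the fallback.
ACME_SERVERS="https://acme-v02.api.letsencrypt.org/directory https://api.buypass.com/acme/directory"

# acme_fetch URL: print the directory document; non-zero exit on HTTP or network errors.
acme_fetch() {
  curl -fsS --max-time 10 "$1"
}

# acme_directory_ok URL: succeed only if the CA is reachable AND the JSON advertises
# the endpoints every ACME v2 directory must have (RFC 8555 section 7.1.1). A 200 with
# a maintenance page, or an ACME v1 directory (new-reg/new-cert), would otherwise pass.
acme_directory_ok() {
  body=$(acme_fetch "$1" 2>/dev/null) || return 1
  for key in newNonce newAccount newOrder; do
    printf '%s' "$body" | grep -q "\"$key\"" || return 1
  done
}

# pick_acme_server: print the first usable directory URL; exit 1 if no CA answers.
pick_acme_server() {
  for url in $ACME_SERVERS; do
    if acme_directory_ok "$url"; then
      printf '%s\n' "$url"
      return 0
    fi
  done
  echo "no ACME server reachable" >&2
  return 1
}

# issue_cert WEBROOT DOMAIN...: obtain a certificate from whichever CA is up.
# Assumes `certbot register ... --server URL` was already done for EVERY CA in
# ACME_SERVERS; certbot keeps one account per directory URL, so an unregistered
# fallback CA would reject the order at the worst possible moment.
issue_cert() {
  webroot=$1; shift
  server=$(pick_acme_server) || return 1
  # turn "a.example b.example" into "-d a.example -d b.example" without word-splitting
  for d in "$@"; do shift; set -- "$@" -d "$d"; done
  certbot certonly --webroot -w "$webroot" "$@" --server "$server"
}

# usage: issue_cert /var/www/example.com/public_html/ example.com www.example.com
```

Because a CA's /directory can answer 200 with a maintenance page, the check looks for the mandatory ACME v2 keys rather than only for a successful HTTP status.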


BuyPass imposes some limits on ACME. The main one is the number of certificates per registered domain: 20 per week. The registered domain is the part you buy from a domain name registrar, so this limit covers all of its subdomains combined. Another limit is 5 duplicate certificates per week, counted for each specific subdomain. Validation failures are also limited: 5 per account, per host and per hour.



The request limit for the new-reg, new-authz and new-cert endpoints is 20 per second; for /directory it is 40 per second.



The maximum number of authorizations in progress (pending authorizations) is 300.



Instead of Certbot you can use another client, acme.sh, which is also configured for Let's Encrypt by default but is just as easily pointed at another CA with ACME support:



./acme.sh --issue --dns dns_cf -d example.com --server "https://api.buypass.com/acme/directory"


ZeroSSL



Another CA issuing free 90-day certificates over the ACME protocol is the Austrian ZeroSSL.



The aforementioned acme.sh client has built-in ZeroSSL support, so registration is very easy:



acme.sh --register-account -m foo@bar.com --server zerossl


Then a single command issues a certificate:



acme.sh --issue --dns dns_cf -d example.com --server zerossl


There are no limits on API calls. There are other advantages too: this CA issues free certificates not only for 90 days but also for 1 year, and it offers a web dashboard and technical support.



Incidentally, ZeroSSL can also issue certificates through its web interface, step by step with domain verification by email, but of course that method is not suitable for automation.



Other ACME servers



Here is a list of all known ACME servers. There are still few of them, but the number is growing.






Let's Encrypt is an outstanding organization doing a great job. But it is dangerous to put all your eggs in one basket. The more CAs that work over the ACME protocol and hand out free certificates automatically, the more diverse and reliable the ecosystem as a whole.



Let's Encrypt may experience downtime or temporarily suspend operations, and then BuyPass and ZeroSSL serve as a hedge. Having these fallbacks ultimately strengthens Let's Encrypt itself, because it is no longer a single point of failure. And switching the ACME CA is a matter of a few seconds.





