For many, Let’s Encrypt has become an integral part of web development, and automatic certificate renewal every 90 days has become a routine. In fact, it is now the most popular certification authority on the Internet. It’s great, but also dangerous.
This begs the question: What if Let’s Encrypt’s servers temporarily stop working? I don’t want to think about the possible causes of failure. But it is advisable to provide a fallback. That is the same convenient automated free certification center.
Fortunately, there are fallbacks. At least two. The same free automated CAs (Certificate Authorities) modeled on Let’s Encrypt.
All communications with Let’s Encrypt take place using the ACME (Automated Certificate Management Environment) protocol. It is an open protocol for automating interactions with CAs. There is nothing specific to Let’s Encrypt, it is supported by several other CAs.
Now is the moment when more and more CAs are starting to work through ACME. This means that almost all of our tools, scripts, and processes for obtaining certificates from Let’s Encrypt will work fine with other CAs that support ACME.
To rebuild to another CA, you just need to change the API address in the configured scripts from https://acme-v02.api.letsencrypt.org/directory (Let’s Encrypt) to https://api.buypass.com/acme/directory (BuyPass , see below about it) or some other.
We need a CA that meets two criteria:
- supports ACME,
- issues free SSL/TLS certificates.
These criteria are met by a Norwegian CA called BuyPass.
The free service is called BuyPass Go SSL: automatic issuance and renewal of certificates + ACME support. What you need.
The whitepaper explains how to set up obtaining and renewing a certificate using Certbot, an official client from the Electronic Frontier Foundation to work with Let’s Encrypt or any other CA that supports the ACME protocol.
Registration at the CA and obtaining a certificate in BuyPass is elementary, as in the case of Let’s Encrypt, there is no difference here.
root@acme:~# certbot register -m 'YOUR_EMAIL' --agree-tos --server 'https://api.buypass.com/acme/directory'
Obtaining a certificate:
root@acme:~# certbot certonly --webroot -w /var/www/example.com/public_html/ -d example.com -d www.example.com --server 'https://api.buypass.com/acme/directory'
Subsequently, other Certbot commands are used as needed to revoke a certificate (revoke), renew expired certificates (renew), and delete a certificate (delete).
It is recommended to put the renewal command in cron and run it automatically to check expired certificates just in case. For example, like this:
#Cron-job scheduled under root to run every 12th hour at a specified minute (eg. 23, change this to your preference) 23 */12 * * * /opt/certbot/certbot-auto renew -n -q >> /var/log/certbot-auto-renewal.log
BuyPass has some limits on ACME. The main limit is the number of certificates for a registered domain (20 per week). This refers to the part of the domain that is purchased from the domain name registrar.
That is, this is the limit for all subdomains in total. Another limit is 5 duplicates per week. This is the limit of certificates for each specific subdomain. There are limits on validation errors – 5 per account, per host, and per hour.
Limit of requests to endpoints new-reg, new-authz, and new-cert: 20 per second. / Directory request limit: 40 per second.
A maximum number of pending authorizations: 300.
Instead of Certbot, you can use another acme.sh client, which is also initially configured for Let’s Encrypt, but easily directed to another CA with ACME support.
./acme.sh --issue --dns dns_cf -d example.com --server "https://api.buypass.com/acme/directory"
Another CA that issues free 90-day certificates under the ACME protocol is the Austrian ZeroSSL.
The aforementioned acme.sh program has ZeroSSL support, so it is very easy to register:
acme.sh --register-account -m email@example.com --server zerossl
Next, one command to generate a certificate:
acme.sh --issue --dns dns_cf -d example.com --server zerossl
There are no limits on API calls. There are other advantages: this CA provides free certificates not only for 90 days but also for 1 year, there are a web dashboard and technical support.
By the way, ZeroSSL generates certificates even through a web interface, step by step with domain verification by email. But, of course, this method is not suitable for automation.
Other ACME servers
It will also be useful to add to your favorites or write down a list of all known ACME servers somewhere. There are still a few of them, but the number is constantly growing.
So that if something happens, you can always quickly solve the problem with a trusted certificate.
Let’s Encrypt is an outstanding organization doing a great job. But it’s dangerous to put all your eggs in one basket. The more the CA works under the ACME protocol and distributes free certificates in automatic mode, the more diverse and reliable the ecosystem as a whole.
Let’s Encrypt may experience downtime, or it may temporarily suspend its activity – and then Buypass and ZeroSSL will come to hedge.
Having these fallbacks ultimately increases the credibility of Let’s Encrypt itself because it’s no longer a single point of failure. And changing the CA for ACME is a matter of a few seconds.