
Let's Encrypt Hits 50M Active Certificates and Counting - DiabloD3
https://www.eff.org/deeplinks/2018/02/lets-encrypt-hits-50-million-active-certificates-and-counting
======
justinsb
I love LetsEncrypt - the only problem I've hit is the rate limits (in
particular 20 new certificates per registered domain per week, when moving
domains). I guess I could have avoided this by combining names into a single
certificate, but I wonder why there's not an option to pay/donate to bump the
limit temporarily: when I hit the limit I would gladly pay $50 or $100 instead
of going through the manual process with a legacy CA. Even though wildcard
certs will make this better, the fear of accidentally hitting a limit and
being unable to renew certificates remains a concern for me.

~~~
stephenr
> I wonder why there's not an option to pay/donate to bump the limit
> temporarily

> I could have avoided this by combining names into a single certificate

You can get certs for 2000 subdomains per week (via <=20 combined certs of 100
SANs each).

I actually don't really understand your problem case though. What do you mean
by:

> when moving domains

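The arithmetic behind the "<=20 certs of 100 SANs" point, as an added example that is not part of the thread: it packs hostnames into SAN certificates and checks them against the weekly limit quoted above. The registered-domain logic is a simplification (last two labels) rather than the Public Suffix List the CA actually uses.

```python
"""Plan Let's Encrypt issuance against the weekly per-domain limit.

Added example, not from the thread. Hostnames are packed into SAN
certificates of at most MAX_SANS names each, then checked against the
limit the thread quotes (20 certificates per registered domain per week).
Assumption: the registered domain is taken as the last two labels; the
real CA uses the Public Suffix List, so a name like 'x.example.co.uk'
would be grouped differently in practice.
"""
from collections import defaultdict

MAX_SANS = 100       # names per certificate (thread: "100 SAN combined certs")
CERTS_PER_WEEK = 20  # limit quoted in the thread, per registered domain


def registered_domain(hostname: str) -> str:
    """Simplified registered-domain extraction (last two DNS labels)."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError(f"not a fully qualified name: {hostname!r}")
    return ".".join(labels[-2:])


def pack_sans(hostnames, max_sans=MAX_SANS):
    """Group names by registered domain and chunk each group into SAN lists
    of at most max_sans names. Returns {domain: [[names, ...], ...]}."""
    groups = defaultdict(list)
    for name in sorted(set(hostnames)):   # dedupe: repeats waste quota
        groups[registered_domain(name)].append(name)
    return {dom: [names[i:i + max_sans] for i in range(0, len(names), max_sans)]
            for dom, names in groups.items()}


def plan(hostnames, issued_this_week=None, max_sans=MAX_SANS, limit=CERTS_PER_WEEK):
    """Return {domain: (certs_needed, fits)}; fits is False when the
    certificates needed exceed what is left of this week's quota."""
    issued_this_week = issued_this_week or {}
    out = {}
    for dom, chunks in pack_sans(hostnames, max_sans).items():
        needed = len(chunks)
        out[dom] = (needed, needed <= limit - issued_this_week.get(dom, 0))
    return out


if __name__ == "__main__":
    # constructed sample: one cert per host needs 25 issuances for example.com
    # (over the limit), but packed into SANs it is a single certificate
    hosts = [f"svc{i}.example.com" for i in range(25)] + ["api.other.org"]
    print(plan(hosts, max_sans=1))   # {'example.com': (25, False), 'other.org': (1, True)}
    print(plan(hosts))               # {'example.com': (1, True), 'other.org': (1, True)}
```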
~~~
kiallmacinnes
This requires sharing the same cert and key for everything. Lots of software
doesn't really like this way of doing things, I've been bitten by the 20 limit
too - and yes, I could have swapped to SANs, it wouldn't have fit with the
deployment tooling for all the different things!

~~~
stephenr
> This requires sharing the same cert and key for everything.

That entirely depends on where/how you're terminating TLS.

Do you _really_ have > 20 different pieces of independent software all doing
their own TLS?

This is exactly what things like HAProxy are for.

~~~
kiallmacinnes
Yes, with Kubernetes, the patterns used are a little different than if you
were to set up TLS and haproxy by hand (I actually use nginx, but it doesn't
particularly matter).

You deploy software, that software declares it needs TLS for its endpoint, and
certs are obtained.

While moving from one cluster to another, a new deployment of everything was
done - about 20 different services - a few minutes work with Kubernetes.
However, the fetching of TLS certs stopped working for the very last service!

Yes, I should have migrated the certs, however, the migration was happening due
to a failure - I couldn't access the old certs.

I now make sure to backup those secrets rather than rely on re-issuance.

Still, for a use case like Kubernetes, 20 certs per domain per week is
limiting. I do totally understand that the quotas are in place because cert
issuance is expensive, but I'd happily pay a yearly subscription fee to LE to
cover the costs and help fund them if the option was there!

~~~
ithkuil
It's possible to have another implementation of the ingress controller that
will not create one certificate per host

~~~
kiallmacinnes
It's possible, but that would weaken security.

Each independent application is isolated from each other, sharing a TLS
cert/key among them all means we're weakening security - again, the Kubernetes
patterns here would mean we need to duplicate the secret data into each
application's namespace, allowing a compromise of one to compromise the TLS of
all.

There are legitimate reasons to not share a single TLS cert for everything in
an environment like Kubernetes.

(I'm nearly certain it's not possible to reference secrets cross namespace
when declaring an ingress secret, or mounting a secret)

~~~
ithkuil
> the Kubernetes patterns here would mean we need to duplicate the secret data
> into each applications namespace, allowing a compromise of one to compromise
> the TLS of all

yeah, this would be wrong indeed.

Is there any requirement for a TLS terminating proxy acting as k8s ingress to
actually store the TLS secrets in the same namespace where the requesting
ingress object lives?

~~~
kiallmacinnes
The semantics require it, as the ingress resource references a secret without
the option of providing a namespace for that secret.

There may be ways around this, however, I've never personally looked for them.

------
pimlottc
Is there a form letter available for sites that don't have certificates or are
using self-signed/invalid certs? It would have a brief introduction,
background on LE, links to getting started docs, etc. Something like:

"Hi, I noticed your website does not support HTTPS. Have you heard about Let's
Encrypt? Let’s Encrypt is a free, automated, and open Certificate Authority.
[...]"

Ideally available in multiple languages as well.

~~~
dingaling
I have a couple of Let's Encrypt certs for some subdomains, but honestly I've
left some others on plain HTTP simply through laziness.

LE imposes a requirement to renew certificates every 90 days, which is a
nuisance. Logging in, finding my process crib-sheet, running the update
requests, updating DNS records, running the validation requests, shifting
certs to servers, restarting services... all because the LE project wants to
evangelise short certificate lifespans, which seems to have been bolted onto
the original goal of 'encrypt all the things' because of someone's personal
conviction.

I do wish they'd offer a longer optional lifespan. Even 365 days would be a
huge improvement. Until then I really can't recommend it to less technically
inclined colleagues; I just tell them go and buy a one-year cert from Gandi,
chuck it into the ssl directory and forget about it until the renewal reminder
arrives 11 months later.

~~~
FormFollowsFunc
It’s not too hard to set up a daily cronjob to renew automatically.

~~~
thunfischbrot
I have found
[https://github.com/Neilpang/acme.sh](https://github.com/Neilpang/acme.sh) to
be incredibly easy to deploy in several different configurations.

------
HHalvi
50 Million is a massive number for sure but it's a drop in the ocean when you
see the number of sites out there. As a user I hope you hit even bigger
numbers in the days to come! :)

~~~
tehlike
Non-https traffic will start being marked as "insecure" in upcoming versions
of chrome & firefox. That should push the numbers up significantly.

------
waytogo
OT: Does anyone know the best architecture for using LE with a Docker Swarm cluster? I
let one server do the challenge and renew the certificates with cron every
three months. Those certificates are synced with every Docker Swarm node
through Docker secret.

Once the certificates get renewed, the secrets are not working anymore because
they must be immutable.

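The immutability problem raised above, with the usual Swarm workaround, as an added example that is not part of the thread: renewed files go in under a versioned secret name and the service is updated in one step. The service name, secret prefixes and file paths are assumptions.

```python
"""Rotate a renewed certificate into a Docker Swarm service.

Added example, not from the thread. Swarm secrets are immutable, so the
standard pattern is to create the renewed files as new secrets under a
versioned name and run `docker service update --secret-rm OLD --secret-add
source=NEW,target=FILE`, which redeploys the tasks with the new files.
The service name, secret prefixes and file paths are assumptions.
"""
import subprocess
import time


def versioned_name(prefix: str, version: int) -> str:
    """'web_fullchain', 1700000000 -> 'web_fullchain-1700000000'."""
    return f"{prefix}-{version}"


def rotation_commands(service, files, current, version):
    """Build the docker argv lists for one rotation.
    files:   {prefix: (local_path, target filename under /run/secrets)}
    current: {prefix: secret name the service uses now} (may be empty)
    The update is one command so cert and key are never half-rotated."""
    creates, update = [], ["docker", "service", "update"]
    for prefix, (path, target) in files.items():
        new = versioned_name(prefix, version)
        creates.append(["docker", "secret", "create", new, str(path)])
        if prefix in current:
            update += ["--secret-rm", current[prefix]]
        update += ["--secret-add", f"source={new},target={target}"]
    update.append(service)
    return creates, update


def rotate(service, files, current, version=None, run=subprocess.run):
    """Create the new secrets, then update the service. `run` is injectable
    so the sequence can be exercised without a live Swarm. Returns the new
    secret names; persist them as `current` for the next renewal, after
    which the old secrets can be dropped with `docker secret rm`."""
    version = int(time.time()) if version is None else version
    creates, update = rotation_commands(service, files, current, version)
    for cmd in creates:
        run(cmd, check=True)
    run(update, check=True)
    return {prefix: versioned_name(prefix, version) for prefix in files}


if __name__ == "__main__":   # dry run: print the commands instead of executing
    files = {"web_fullchain": ("/etc/le/fullchain.pem", "fullchain.pem"),
             "web_privkey": ("/etc/le/privkey.pem", "privkey.pem")}
    rotate("web", files, {}, run=lambda cmd, **kw: print(" ".join(cmd)))
```

Hook it into the renewal job on the node that does the challenge, passing the previous run's returned names as `current`.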
------
rocky1138
This is what success looks like. Thanks for making TLS easy and free.

~~~
paulmd
I work at a nonprofit and I've had great success pushing LE there. We used to
have an org-wide wildcard certificate and we'd buy additional certs as
necessary, and at first there was some serious skepticism about "free certs"
even though I pointed out the significant players behind it. The IT people are
now on board and looking to spread it to more projects.

It's been great for us in many respects. We no longer have certificates shared
between servers, which removes the vulnerability to DROWN and some other
problems. We also tend to serve multiple domains from a single IP, which
requires a cert that covers all domains. LE lets us trivially get a cert to
cover multiple domains, which would be especially expensive with project
managers who can't make up their minds on what domains they want to use. And,
we get the usual benefits of LE - effective forward secrecy in case someone
obtains a single key/etc.

There was a little bit of pain at first getting the renewal infrastructure set
up properly. My setup still isn't quite perfect, so far the standalone certbot
option is the least painful for me. I have a cronjob which shuts down httpd,
starts up certbot-standalone, does the renew, and restarts httpd, so we are
down for an additional ~5 seconds per day while we renew. Not the end of the
world for our usage.

~~~
stephenr
Depending on what your non-profit is in support of, Koalephant (my company)
may be able to provide some pro-bono hours to assist/advise on that 'not quite
perfect' setup, if that's at all of interest to you.

My email is in my profile if you want to get in touch.

------
kakaorka
I recently bought a domain online and used Let's Encrypt to get a certificate.
So, from a grateful user, thank you!

------
tpallarino
Awesome work people
